Connection Pooling Retries Failed Passwords

Bug #1785898 reported by Nick Wilburn
Affects: ldappool
Status: Fix Released
Importance: Undecided
Assigned to: Nick Wilburn
Milestone: (none)

Bug Description

Description
===========
Ldappool is configured to continually retry (based on the number of retries specified) on all LDAP errors. This is an issue for Keystone because by default it is configured to retry 3 times with 0.1 seconds between retries. When a user enters a bad password while authenticating to Keystone, ldappool will try that password once and then catch the ldap.LDAPError class which is thrown. This is the base class for all python-ldap errors, including bad passwords. Ldappool will then retry until the retry limit is reached. This will lock out Keystone users if the retry limit is configured to be higher than the LDAP bad password lockout number.

Lines 248-265 of __init__.py show the retry logic. This should be configured to do something differently if a bad password is used.

The ldap.LDAPError exception is documented here: https://github.com/python-ldap/python-ldap/blob/e8cc39db0990bfb56e95c6ae1bd2f8be10e88683/Doc/reference/ldap.rst#exceptions

Steps to reproduce
==================
1. Configure Keystone with LDAP authentication
2. Set LDAP (Active Directory) bad password tolerance to 3
3. Attempt to log in via the OpenStack Dashboard with an incorrect password
4. View the account lock

Actual result
=============
One bad password recorded instead of whatever the retry number is.

Workaround
==========
Configure keystone [ldap] with use_pool = False. Note: This will slow down authentication.
Another option is to configure keystone with [ldap] pool_retry_max = 1

Nick Wilburn (nowilburn)
description: updated
Revision history for this message
Lance Bragstad (lbragstad) wrote :

We discussed this at length in IRC. Attaching logs for context [0]. The workaround in the description is to set keystone.conf [ldap] pool_retry_max = 0 [1].

[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-08-07.log.html#t2018-08-07T17:18:16
[1] https://docs.openstack.org/keystone/latest/configuration/config-options.html#ldap.pool_retry_max

Nick Wilburn (nowilburn)
description: updated
Nick Wilburn (nowilburn)
description: updated
Revision history for this message
Nick Wilburn (nowilburn) wrote :

Reporting back:

Bug was replicated and confirmed in all versions. A fix has been submitted here: https://review.openstack.org/#/c/591174/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ldappool (master)

Reviewed: https://review.openstack.org/591174
Committed: https://git.openstack.org/cgit/openstack/ldappool/commit/?id=459000d7aa3fa1ace05c800ff1273b99fbd8babe
Submitter: Zuul
Branch: master

commit 459000d7aa3fa1ace05c800ff1273b99fbd8babe
Author: Nick Wilburn <email address hidden>
Date: Sat Aug 11 14:21:11 2018 -0700

    fix ldappool bad password retry logic

    This patch fixes a bug in ldappool which causes a bind attempt
    utilizing a bad password to be retried until the retry limit has been
    reached. Instead ldappool will now break out of the retry loop if the
    ldap connection try block catches a ldap.INVALID_PASSWORD exception.

    Previously ldappool would attempt to catch ldap.LDAPError which is
    the base exception class for all ldap errors in the python-ldap
    library. This is an issue because Keystone by default enables
    ldappool and configures the default retry value to be 3. An LDAP
    server with a password lockout threshold of 3 bad passwords will
    lock out a user after a single bad password attempt through Keystone.

    Change-Id: I2a9b850ce977260d4df1e9edf86417b8042a6fb8
    Closes-Bug: #1785898

Changed in ldappool:
status: New → Fix Released
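The retry behaviour described in the bug report and in the commit message above, shown side by side as an added example. This is not code from ldappool or Keystone: python-ldap is not imported, and the exception classes and directory below are stand-ins that mirror python-ldap's hierarchy (ldap.LDAPError is the base class of every python-ldap error; ldap.INVALID_CREDENTIALS is raised when a simple bind is rejected with result code 49, which is what a wrong password produces) so the example runs offline. FakeDirectory, bind_with_retry_before, bind_with_retry_after and the helper functions are names chosen for this example. With Keystone's default of 3 retries against a directory whose lockout threshold is 3, the pre-fix loop locks the account after a single user mistake; the post-fix loop records one bad bind and still retries transient errors such as a dropped connection.

```python
"""Simulation of the ldappool retry loop before and after the fix.

Added example, not ldappool or Keystone code. LDAPError, INVALID_CREDENTIALS
and SERVER_DOWN are stand-ins for the python-ldap exceptions of the same
name; FakeDirectory is a constructed directory with an Active Directory
style bad-password lockout counter.
"""
import time


class LDAPError(Exception):
    """Stand-in for ldap.LDAPError, the base class of all python-ldap errors."""


class INVALID_CREDENTIALS(LDAPError):
    """Stand-in for ldap.INVALID_CREDENTIALS (result code 49: wrong password)."""


class SERVER_DOWN(LDAPError):
    """Stand-in for ldap.SERVER_DOWN, a transient error worth retrying."""


class FakeDirectory:
    """Constructed directory: every rejected bind counts toward a lockout."""

    def __init__(self, passwords, lockout_threshold=3):
        self.passwords = passwords          # dn -> correct password
        self.lockout_threshold = lockout_threshold
        self.bad_attempts = {}              # dn -> bad binds recorded
        self.locked = set()
        self.outages_left = 0               # binds that fail transiently first

    def simple_bind_s(self, dn, password):
        if self.outages_left > 0:
            self.outages_left -= 1
            raise SERVER_DOWN("connection lost")
        if dn in self.locked:
            raise INVALID_CREDENTIALS("account locked")
        if self.passwords.get(dn) != password:
            n = self.bad_attempts.get(dn, 0) + 1
            self.bad_attempts[dn] = n
            if n >= self.lockout_threshold:
                self.locked.add(dn)
            raise INVALID_CREDENTIALS("bad password")
        return True


def bind_with_retry_before(directory, dn, password, retry_max=3, retry_delay=0.0):
    """Pre-fix logic as the bug describes it: every LDAPError is retried."""
    last = LDAPError("retry_max is 0, no bind attempted")
    for _ in range(retry_max):
        try:
            return directory.simple_bind_s(dn, password)
        except LDAPError as exc:        # too broad: a rejected password is re-sent
            last = exc
            time.sleep(retry_delay)
    raise last


def bind_with_retry_after(directory, dn, password, retry_max=3, retry_delay=0.0):
    """Post-fix logic: a rejected password is final; other errors are retried."""
    last = LDAPError("retry_max is 0, no bind attempted")
    for _ in range(retry_max):
        try:
            return directory.simple_bind_s(dn, password)
        except INVALID_CREDENTIALS:
            raise                       # never spend lockout budget on a retry
        except LDAPError as exc:
            last = exc
            time.sleep(retry_delay)
    raise last


DN = "uid=alice,dc=example,dc=org"


def bad_password_attempts(bind_fn, lockout_threshold=3, retry_max=3):
    """(bad binds recorded, account locked?) after ONE wrong password via bind_fn."""
    directory = FakeDirectory({DN: "s3cret"}, lockout_threshold)
    try:
        bind_fn(directory, DN, "wrong", retry_max=retry_max)
    except INVALID_CREDENTIALS:
        pass
    return directory.bad_attempts.get(DN, 0), DN in directory.locked


def transient_error_recovers(bind_fn, outages=2, retry_max=3):
    """True if bind_fn succeeds when the first `outages` binds fail transiently."""
    directory = FakeDirectory({DN: "s3cret"})
    directory.outages_left = outages
    try:
        return bool(bind_fn(directory, DN, "s3cret", retry_max=retry_max))
    except LDAPError:
        return False


if __name__ == "__main__":
    print("before fix:", bad_password_attempts(bind_with_retry_before))  # (3, True)
    print("after fix: ", bad_password_attempts(bind_with_retry_after))   # (1, False)
    print("after fix, transient errors still retried:",
          transient_error_recovers(bind_with_retry_after))              # True
```

The point worth keeping from the simulation is that the fix narrows the exception handler rather than the retry count: raising pool_retry_max does not become dangerous again once a rejected bind is no longer a retriable error, while the pool_retry_max = 0 / use_pool = False workarounds trade away reconnection on genuinely transient failures.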
Colleen Murphy (krinkle)
Changed in ldappool:
assignee: nobody → Nick Wilburn (nowilburn)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ldappool 2.3.1

This issue was fixed in the openstack/ldappool 2.3.1 release.
