2018-08-07 21:08:44 |
Nick Wilburn |
bug |
|
|
added bug |
2018-08-07 21:10:07 |
Nick Wilburn |
description |
Description
===========
Ldappool is configured to continually retry (based on the number of retries specified) on all LDAP errors. This is an issue for Keystone because by default it is configured to retry 3 times with 0.1 seconds between retries. When a user enters a bad password while authenticating to Keystone, ldappool will try that password once and then catch the ldap.LdapError class which is thrown. This is the base class for all Python-LDAP errors, including bad passwords. Ldappool will then retry until the retry limit is reached. This will lock out Keystone users if the retry limit is configured to be higher than the LDAP bad password lockout number.
Lines 248-265 of __init__.py show the retry logic. This should be configured to do something differently if a bad password is used.
The ldap.LdapError exception can be found documented here: https://github.com/python-ldap/python-ldap/blob/e8cc39db0990bfb56e95c6ae1bd2f8be10e88683/Doc/reference/ldap.rst#exceptions
Steps to reproduce
==================
1. Configure Keystone with LDAP authentication
2. Set LDAP (Active Directory) bad password tolerance to 3
3. Attempt to log in via the OpenStack Dashboard with an incorrect password
4. View the account lock
Actual result
=============
One bad password recorded instead of whatever the retry number is. |
Description
===========
Ldappool is configured to continually retry (based on the number of retries specified) on all LDAP errors. This is an issue for Keystone because by default it is configured to retry 3 times with 0.1 seconds between retries. When a user enters a bad password while authenticating to Keystone, ldappool will try that password once and then catch the ldap.LdapError class which is thrown. This is the base class for all Python-LDAP errors, including bad passwords. Ldappool will then retry until the retry limit is reached. This will lock out Keystone users if the retry limit is configured to be higher than the LDAP bad password lockout number.
Lines 248-265 of __init__.py show the retry logic. This should be configured to do something differently if a bad password is used.
The ldap.LdapError exception can be found documented here: https://github.com/python-ldap/python-ldap/blob/e8cc39db0990bfb56e95c6ae1bd2f8be10e88683/Doc/reference/ldap.rst#exceptions
Steps to reproduce
==================
1. Configure Keystone with LDAP authentication
2. Set LDAP (Active Directory) bad password tolerance to 3
3. Attempt to log in via the OpenStack Dashboard with an incorrect password
4. View the account lock
Actual result
=============
One bad password recorded instead of whatever the retry number is.
Workaround
==========
If you're relying on LDAP to enforce user lockouts, just be sure to set retry_max to 0 until ldappool knows how to distinguish different authentication failure types. |
|
2018-08-10 13:37:56 |
Nick Wilburn |
description |
Description
===========
Ldappool is configured to continually retry (based on the number of retries specified) on all LDAP errors. This is an issue for Keystone because by default it is configured to retry 3 times with 0.1 seconds between retries. When a user enters a bad password while authenticating to Keystone, ldappool will try that password once and then catch the ldap.LdapError class which is thrown. This is the base class for all Python-LDAP errors, including bad passwords. Ldappool will then retry until the retry limit is reached. This will lock out Keystone users if the retry limit is configured to be higher than the LDAP bad password lockout number.
Lines 248-265 of __init__.py show the retry logic. This should be configured to do something differently if a bad password is used.
The ldap.LdapError exception can be found documented here: https://github.com/python-ldap/python-ldap/blob/e8cc39db0990bfb56e95c6ae1bd2f8be10e88683/Doc/reference/ldap.rst#exceptions
Steps to reproduce
==================
1. Configure Keystone with LDAP authentication
2. Set LDAP (Active Directory) bad password tolerance to 3
3. Attempt to log in via the OpenStack Dashboard with an incorrect password
4. View the account lock
Actual result
=============
One bad password recorded instead of whatever the retry number is.
Workaround
==========
Configure Keystone [ldap] with use_pool = False. Note: this will slow down authentication. |
|
2018-08-10 13:56:48 |
Nick Wilburn |
description |
Description
===========
Ldappool is configured to continually retry (based on the number of retries specified) on all LDAP errors. This is an issue for Keystone because by default it is configured to retry 3 times with 0.1 seconds between retries. When a user enters a bad password while authenticating to Keystone, ldappool will try that password once and then catch the ldap.LdapError class which is thrown. This is the base class for all Python-LDAP errors, including bad passwords. Ldappool will then retry until the retry limit is reached. This will lock out Keystone users if the retry limit is configured to be higher than the LDAP bad password lockout number.
Lines 248-265 of __init__.py show the retry logic. This should be configured to do something differently if a bad password is used.
The ldap.LdapError exception can be found documented here: https://github.com/python-ldap/python-ldap/blob/e8cc39db0990bfb56e95c6ae1bd2f8be10e88683/Doc/reference/ldap.rst#exceptions
Steps to reproduce
==================
1. Configure Keystone with LDAP authentication
2. Set LDAP (Active Directory) bad password tolerance to 3
3. Attempt to log in via the OpenStack Dashboard with an incorrect password
4. View the account lock
Actual result
=============
One bad password recorded instead of whatever the retry number is.
Workaround
==========
Configure Keystone [ldap] with use_pool = False. Note: this will slow down authentication.
Another option is to configure Keystone with [ldap] pool_retry_max = 1. |
|
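The failure mode in the report above (a blanket retry on the python-ldap base exception turning one mistyped password into several failed binds, enough to trip an Active Directory lockout threshold of 3) and the fix the reporter asks for (treating a bad-password bind as final) can both be shown in a few lines. The following is an added illustration, not code from ldappool, Keystone or python-ldap. The exception classes are local stand-ins mirroring python-ldap's hierarchy (ldap.LDAPError as the base, with ldap.INVALID_CREDENTIALS and ldap.SERVER_DOWN as subclasses; the report spells the base class ldap.LdapError), and FakeDirectory is a constructed server that counts failed binds per user and locks at a threshold, so the script runs offline:

```python
"""Retry-on-bind demo: why retrying every LDAPError locks accounts, and how
retrying only transient errors avoids it.

The exception classes below are local stand-ins mirroring python-ldap's
hierarchy (ldap.LDAPError is the base; INVALID_CREDENTIALS and SERVER_DOWN
are subclasses) so this runs without python-ldap installed.
"""
import time


class LDAPError(Exception):
    """Stand-in for ldap.LDAPError, the base of all python-ldap errors."""


class INVALID_CREDENTIALS(LDAPError):
    """Stand-in for ldap.INVALID_CREDENTIALS (bad bind DN or password)."""


class SERVER_DOWN(LDAPError):
    """Stand-in for ldap.SERVER_DOWN (transient connectivity failure)."""


# Errors a retry can plausibly fix. An authentication failure is not one of
# them: repeating the same bind only burns the directory's bad-password counter.
RETRYABLE = (SERVER_DOWN,)


class FakeDirectory:
    """Constructed stand-in for an LDAP server with an AD-style lockout
    threshold. Counts failed binds per DN and locks the DN at the threshold."""

    def __init__(self, passwords, lockout_threshold=3, flaky_for=0):
        self.passwords = passwords
        self.lockout_threshold = lockout_threshold
        self.flaky_for = flaky_for      # first N binds raise SERVER_DOWN
        self.bad_count = {}
        self.locked = set()

    def simple_bind_s(self, dn, password):
        if self.flaky_for > 0:
            self.flaky_for -= 1
            raise SERVER_DOWN("constructed transient failure")
        if dn in self.locked:
            raise INVALID_CREDENTIALS("account locked")
        if self.passwords.get(dn) != password:
            self.bad_count[dn] = self.bad_count.get(dn, 0) + 1
            if self.bad_count[dn] >= self.lockout_threshold:
                self.locked.add(dn)
            raise INVALID_CREDENTIALS("bad password")
        return True


def bind_retry_all_errors(directory, dn, password, retry_max=3, retry_delay=0.0):
    """Retry pattern the bug report describes: every LDAPError is retried, so
    one wrong password becomes retry_max + 1 failed binds at the directory.
    (Keystone's default pool_retry_delay is 0.1 s; 0.0 here keeps the demo fast.)"""
    attempt = 0
    while True:
        try:
            return directory.simple_bind_s(dn, password)
        except LDAPError:
            attempt += 1
            if attempt > retry_max:
                raise
            time.sleep(retry_delay)


def bind_retry_transient_only(directory, dn, password, retry_max=3, retry_delay=0.0):
    """Hardened pattern: retry only transient errors. INVALID_CREDENTIALS is
    final and propagates at once, so one wrong password costs exactly one
    failed bind against the lockout counter."""
    attempt = 0
    while True:
        try:
            return directory.simple_bind_s(dn, password)
        except INVALID_CREDENTIALS:
            raise
        except RETRYABLE:
            attempt += 1
            if attempt > retry_max:
                raise
            time.sleep(retry_delay)


def failed_binds_for_one_typo(bind_func, lockout_threshold=3):
    """Send one mistyped login through bind_func; return (failed binds the
    directory recorded, whether the account ended up locked)."""
    d = FakeDirectory({"cn=alice": "correct-horse"}, lockout_threshold)
    try:
        bind_func(d, "cn=alice", "wrong-password")
    except INVALID_CREDENTIALS:
        pass
    return d.bad_count.get("cn=alice", 0), "cn=alice" in d.locked


def recovers_from_transient(bind_func):
    """A directory that is flaky for its first two binds should still accept
    the right password under either retrying bind function."""
    d = FakeDirectory({"cn=alice": "correct-horse"}, flaky_for=2)
    return bind_func(d, "cn=alice", "correct-horse")


if __name__ == "__main__":
    print("retry all errors:     ", failed_binds_for_one_typo(bind_retry_all_errors))
    print("retry transient only: ", failed_binds_for_one_typo(bind_retry_transient_only))
```

With the lockout threshold at 3 and retry_max at 3, the blanket-retry version records three failed binds and locks the account from a single typo, while the transient-only version records one and leaves the account usable; both still ride out a server that is briefly unreachable. Until ldappool makes that distinction itself, the report's workarounds (retry_max = 0, use_pool = False, or pool_retry_max = 1) achieve the same effect by removing the extra binds rather than classifying them.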
2018-08-15 20:01:44 |
OpenStack Infra |
ldappool: status |
New |
Fix Released |
|
2018-08-17 09:29:28 |
Colleen Murphy |
ldappool: assignee |
|
Nick Wilburn (nowilburn) |
|