Message "Exceed password retry limit. Account locked. (448). Authentication backed failure." show from time to time


prez...@gmail.com

Nov 4, 2020, 2:08:19 AM
to Event-Driven Servers
Hi Marc,

I'm facing strange behavior: some users report they cannot log in to devices, but only "from time to time". In the log I can see only the message "Exceed password retry limit. Account locked. (448). Authentication backed failure.", but as far as I know the password is correct and the LDAPS servers should be available.

Can you explain or give a hint what the issue can be? Is it a problem on the LDAPS server and its response, or is it generated by the tacacs application itself?

An additional question: what is the timeout for locked accounts? And again, is it defined on tacacs or on the remote LDAPS server?

NOTE: tacacs version DEVEL.202006061409.tar.bz2, CentOS 7/8 (both major versions have a similar problem).

Regards,
Bartek

Marc Huber

Nov 6, 2020, 4:14:16 AM
to event-driv...@googlegroups.com
Hi Bartek,

On 04.11.20 08:08, prez...@gmail.com wrote:
> I'm facing strange behavior, some users report they cannot login to
> devices but "from time to time". In the log I can see only message
> "Exceed password retry limit. Account locked. (448). Authentication
> backed failure.", but as far I as know the password is correct and the
> ldaps serves should be available.

The "Exceed password retry limit. Account locked." part comes from your
LDAP backend. 448 is the line number in mavis_tacplus_ldap.pl where
the error is logged.

            # Bind as the user; a non-zero result code means the bind failed
            $mesg = $ldap->bind($authdn, password => $V[AV_A_PASSWORD]);
            if ($mesg->code) {
                # Hand the backend's error text plus the logging line (448) to the user
                $V[AV_A_USER_RESPONSE] = $mesg->error . " (" . __LINE__ . ")";
                # A wrong password is an ordinary failure; anything else is fatal
                goto fail if $mesg->code == LDAP_INVALID_CREDENTIALS;
                goto fatal;
            }

Handling this "account locked" error message (I think this is
LDAP_CONSTRAINT_VIOLATION) just like LDAP_INVALID_CREDENTIALS could be a
good idea here (even if I think that returning LDAP_CONSTRAINT_VIOLATION
in bind() context is illegal). I'll issue an update later today.

Cheers,

Marc
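The change proposed above, as an added Python re-statement of the Perl branch (not the project's code): it compares the original handling, where only LDAP_INVALID_CREDENTIALS is an ordinary failure, with treating the lockout's constraint violation the same way. That the lockout arrives as LDAP_CONSTRAINT_VIOLATION is taken from the "I think" above and is an assumption; the numeric codes and the sample bind results are constructed.

```python
"""Classify LDAP bind() results the way the mavis_tacplus_ldap.pl snippet in
the post does, before and after treating a locked account like a bad password."""
from __future__ import annotations
from dataclasses import dataclass

# LDAP result codes from RFC 4511, given numerically so this runs without
# Net::LDAP or python-ldap.
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19  # assumed: what the lockout bind returns
LDAP_INVALID_CREDENTIALS = 49
LDAP_SERVER_DOWN = 81           # client-side code for an unreachable server


@dataclass(frozen=True)
class BindResult:
    """Constructed stand-in for the code/error pair Net::LDAP's bind() gives."""
    code: int
    error: str = ""


def classify_bind_result(result: BindResult, line: int,
                         lockout_is_credential_failure: bool) -> tuple[str, str]:
    """Return (outcome, user_response): 'ok', 'fail' (login rejected, the user
    sees why) or 'fatal' (reported as an authentication backend failure).
    user_response follows the script's '<error> (<line>)' format."""
    if result.code == LDAP_SUCCESS:
        return "ok", ""
    response = f"{result.error} ({line})"
    # The original code only treated LDAP_INVALID_CREDENTIALS as 'fail';
    # everything else, a lockout included, fell through to 'fatal'.
    fail_codes = {LDAP_INVALID_CREDENTIALS}
    if lockout_is_credential_failure:
        fail_codes.add(LDAP_CONSTRAINT_VIOLATION)
    return ("fail" if result.code in fail_codes else "fatal"), response


def outcomes(results: dict[str, BindResult], fixed: bool) -> dict[str, str]:
    """Per-user outcome, as an operator would see it in the access log."""
    return {u: classify_bind_result(r, 448, fixed)[0] for u, r in results.items()}


# Constructed sample: good login, wrong password, the locked account from the
# thread, and an unreachable directory server.
SAMPLE_BINDS = {
    "alice": BindResult(LDAP_SUCCESS),
    "bob": BindResult(LDAP_INVALID_CREDENTIALS, "Invalid credentials"),
    "bartek": BindResult(LDAP_CONSTRAINT_VIOLATION,
                         "Exceed password retry limit. Account locked."),
    "carol": BindResult(LDAP_SERVER_DOWN, "Can't contact LDAP server"),
}
```

Before the change the locked account is reported as a backend failure, indistinguishable from the unreachable server; after it the operator sees an ordinary credential failure with the directory's own lockout text.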


prez...@gmail.com

Nov 6, 2020, 6:31:22 AM
to Event-Driven Servers
Hi Marc,

But it is not correct; a few minutes later I use the same password and the login is successful. Is it possible to increase debug or something like that? What is the lock timeout in such cases?

Regards,
Bartek

Marc Huber

Nov 6, 2020, 12:02:35 PM
to event-driv...@googlegroups.com
Hi Bartek,

On 06.11.20 12:31, prez...@gmail.com wrote:
> But it is not correct, a few minutes later I use the same password and
> the login is successful. Is it possible to increase debug or something
> like that? What is the lock timeout in such cases?

this really is an issue with your LDAP server and the Perl script just
proxies the error message. Also, this seems to be specific to "Oracle
Directory Server", whatever that is. You may or may not be able to
convince that LDAP server to drop the limitation on password retries ...

Cheers,

Marc


prez...@gmail.com

Dec 14, 2020, 7:32:31 AM
to Event-Driven Servers
Hi Marc,

Is it possible to add more info about the failure reason in the access log?

Best regards,
Bartek Radwan

Marc Huber

Dec 15, 2020, 9:33:27 AM
to event-driv...@googlegroups.com
Hi Bartek,

On 14.12.20 13:32, prez...@gmail.com wrote:
> Is it possible to add more info about failure reason in access log?

yes (I've had this already in place, but only for one particular result
type). Snapshot 202012151529 will now propagate the MAVIS user response
for all results.

Thanks,

Marc


prez...@gmail.com

Dec 16, 2020, 3:46:09 AM
to Event-Driven Servers
Great, thank you Marc!