LDAP - wrong password and immediate lock in AD


#1

Hi,
I'm using AD and my AD admin told me that 3 consecutive failed tries will lock me in the AD.
When I run a single “curl” command with a wrong password I can see 6 rows in the Elastic log:

[error][t.b.r.a.d.l.u.unboundidauthenticationldapclient] ldap authenticate operation failed: ldaperr dsid-…

and I am immediately locked.

Why does one command try to run a couple of times?
Can I configure somewhere that one command will try only one authentication?

thanks


(Simone Scarduzio) #2

@sdba2 This is a known issue: the LDAP connector only caches correct credentials.
Fortunately, this has a fix in the current master branch. Would you like to be the first one to test it? In that case please tell me the ES version you are using.


#3

Yes,
I'm using ES 6.1.1 and ROR 1.16.17.


(Simone Scarduzio) #4

OK Try this please https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/readonlyrest-1.16.18-pre1_es6.1.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20180319/eu-west-1/s3/aws4_request&X-Amz-Date=20180319T150225Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=3618cce5dd2cb8b429d3f22d220e58acb9ef98bc33815d8e3a974614f7b54404


#5

Hi there,

We are now using version 1.16.27 and facing the same issue as with 1.16.17.
We have some users who were locked in Active Directory after 1 failed login to Kibana (using ROR).
Though I tried only one time to log in, I see that the log contains 10 entries from the same hour:
[error][t.b.r.a.d.l.u.unboundidauthenticationldapclient] ldap authenticate operation failed: ldaperr dsid-…

After that my user was locked.
Is there a parameter which I can set in one of the configuration files so ROR will send only one authentication request to Active Directory?

Thanks.


(Simone Scarduzio) #6

@sdba2 Have you enabled caching?


#7

If I do Ctrl+Shift+I and then go to the Network tab I see the “disable cache” checkbox is not set. That means that the cache is enabled, am I right?


(Simone Scarduzio) #8

I mean the LDAP cache in the readonlyrest.yml YAML settings. I.e. cache_ttl_in_sec in the docs.


#9

I've just checked, this parameter is set to 0.


(Simone Scarduzio) #10

Set it to a sensible value, i.e. 300.


#11

OK, how does this setting affect the product and the way it behaves against Active Directory?


(Simone Scarduzio) #12

We keep an internal in-memory cache in the LDAP connector; the credentials are checked against the cache before reaching out to the LDAP server.

The credentials are never stored in clear though, they’re hashed.


#13

Looks fine now, thanks a lot.
I see only one failed entry in the Elastic log now.
So just to confirm, when I set the parameter to 300, it means that only after 5 minutes will ROR automatically send another request to Active Directory?


(Simone Scarduzio) #14

Yes, that's correct. We cache both valid and invalid credentials in an LRU cache which is limited in time (5 min in your case) and space (some thousands of entries).
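To make the mechanism in posts #12 and #14 concrete, here is an added simulation (not ReadOnlyREST's own code) of a connector that fronts LDAP with an LRU cache bounded in time and size and that remembers failed as well as successful outcomes. It models the two settings from the thread: with `cache_ttl_in_sec` at 0 every repeated bad attempt becomes a bind against the directory and counts towards the AD lockout threshold, while with 300 the same six retries cost a single bind, and a new bind only happens once the TTL has elapsed. The class and function names, the sample user `sdba2` with a made-up password, the fake clock, and the keyed SHA-256 scheme used so that no cleartext password sits in the cache are all assumptions for this illustration; the thread only says the cached credentials are hashed, not how.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict


class FakeClock:
    """Controllable clock so the TTL expiry can be exercised without sleeping (constructed for this example)."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeLdapBackend:
    """Stand-in for the directory. Counts bind attempts per user, which is what an
    AD lockout policy counts; the thread's policy locks after 3 consecutive failures."""

    def __init__(self, users):
        self.users = users  # constructed sample: username -> password
        self.bind_attempts = {}

    def authenticate(self, user, password):
        self.bind_attempts[user] = self.bind_attempts.get(user, 0) + 1
        return self.users.get(user) == password


class CachingAuthenticator:
    """Hypothetical connector: an LRU cache bounded in time and size that remembers
    both successful and failed outcomes, keyed by a keyed hash of the credentials."""

    def __init__(self, backend, cache_ttl_in_sec, max_entries=1000, clock=time.monotonic):
        self.backend = backend
        self.ttl = cache_ttl_in_sec
        self.max_entries = max_entries
        self.clock = clock
        self._cache = OrderedDict()      # key -> (expires_at, result)
        self._mac_key = os.urandom(32)   # per-process secret: entries never hold the cleartext password

    def _key(self, user, password):
        msg = user.encode("utf-8") + b"\0" + password.encode("utf-8")
        return hmac.new(self._mac_key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, user, password):
        if self.ttl <= 0:
            # cache_ttl_in_sec: 0 -> every request, including retries, is a bind against LDAP
            return self.backend.authenticate(user, password)
        key = self._key(user, password)
        now = self.clock()
        entry = self._cache.get(key)
        if entry is not None:
            expires_at, result = entry
            if now < expires_at:
                self._cache.move_to_end(key)   # LRU: refresh recency on hit
                return result
            del self._cache[key]               # expired: fall through and ask LDAP again
        result = self.backend.authenticate(user, password)
        self._cache[key] = (now + self.ttl, result)
        if len(self._cache) > self.max_entries:
            self._cache.popitem(last=False)    # evict the least recently used entry
        return result


def binds_for_repeated_bad_password(cache_ttl_in_sec, attempts=6):
    """Replay the thread's scenario: one user action that resends the same wrong
    password several times. Returns how many binds actually reached the directory."""
    clock = FakeClock()
    backend = FakeLdapBackend({"sdba2": "correct-horse"})  # constructed sample user
    auth = CachingAuthenticator(backend, cache_ttl_in_sec, clock=clock.now)
    for _ in range(attempts):
        auth.authenticate("sdba2", "wrong-password")
    return backend.bind_attempts["sdba2"]


def binds_across_ttl_expiry(cache_ttl_in_sec=300):
    """Two bad attempts inside the TTL cost one bind; a third after the TTL expires costs
    another. A correct password after a cached failure is a different key, so it still
    reaches LDAP and succeeds. Returns (bind_count, last_result)."""
    clock = FakeClock()
    backend = FakeLdapBackend({"sdba2": "correct-horse"})
    auth = CachingAuthenticator(backend, cache_ttl_in_sec, clock=clock.now)
    auth.authenticate("sdba2", "wrong-password")      # first real bind
    clock.advance(cache_ttl_in_sec - 1)
    auth.authenticate("sdba2", "wrong-password")      # served from cache, no bind
    clock.advance(2)
    auth.authenticate("sdba2", "wrong-password")      # TTL elapsed: second real bind
    ok = auth.authenticate("sdba2", "correct-horse")  # different key: third real bind, succeeds
    return backend.bind_attempts["sdba2"], ok


if __name__ == "__main__":
    print("cache_ttl_in_sec=0   ->", binds_for_repeated_bad_password(0), "binds for 6 retries")
    print("cache_ttl_in_sec=300 ->", binds_for_repeated_bad_password(300), "bind for 6 retries")
    print("across TTL expiry    ->", binds_across_ttl_expiry())
```

Run as a script to see the three cases side by side. The point for a defender is the second function: caching a failure does not block the user for the whole TTL, because a different password hashes to a different key and still reaches the directory, so the lockout counter only advances by one per distinct wrong password per TTL window instead of once per retry.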