Multiple LDAP requests per failed login


(Eric Garza) #1

Hello,

I am using Elastic v6.2.1 and the ROR ES/Kibana Pro plugins v1.16.16.

My organization allows a total of three failed login attempts before an account is locked out, which then requires a request to our IT team to unlock the account. When looking at the Elasticsearch logs during a failed login attempt I see the following:

[t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
[t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP authenticate operation failed: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

It looks like it is making multiple requests per failed login which increases the failed login attempts by two when it is really only a single attempt. This is further complicated when there are multiple DCs configured to process these (a single failed login results in 4 failed requests which automatically results in a locked out account).

I tried setting connection_timeout_in_sec and request_timeout_in_sec to 0 in an attempt to force the connection to close immediately but this did not seem to help.

Is there a way to force a login to only make a single request either per DC or per DC “group”?

Thank you,
Eric


(Simone Scarduzio) #2

what is the cache TTL settings on your LDAP connector in ROR?


(Eric Garza) #3

It is currently set at 0 (as a possible workaround to the issue of LDAP connections not working after a period of time).


(Simone Scarduzio) #4

OK I really need to fix the cache thing. Will work on it today.


(Eric Garza) #5

I’m not sure if this is actually related to the cache at all. It seems more like some sort of retry logic or something is causing multiple failed LDAP login attempts when it should only be one. This probably isn’t a big deal if there is no lockout policy in place, but if there is it can be quite frustrating.


(Simone Scarduzio) #6

Yes that’s the cache problem I refer to, it’s caching only the correct credentials. It should cache also the wrong attempt for a while at least.