AccountPolicyPlugin erroring for some users #5834

Closed
lucasdiedrich opened this issue Jul 12, 2023 · 2 comments · Fixed by #5866

lucasdiedrich commented Jul 12, 2023

Hey,

Since I updated to the latest FreeIPA version (IPA, version: 4.10.1), I started noticing some errors in the 389 error.log.

> [11/Jul/2023:13:50:20.591388308 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=xyz,cn=users,cn=accounts,dc=mydomain'
> [11/Jul/2023:13:51:52.993254666 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230710114037Z) failed.
> [11/Jul/2023:13:51:52.995079255 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230710114037Z) failed.
> [11/Jul/2023:13:51:53.014918310 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=abc,cn=users,cn=accounts,dc=mydomain'
> [11/Jul/2023:13:52:12.898523693 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230711165203Z) failed.
> [11/Jul/2023:13:52:12.901073197 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230711165203Z) failed.
> [11/Jul/2023:13:52:12.914936792 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=abc,cn=users,cn=accounts,dc=mydomain'
> [11/Jul/2023:13:52:21.897598474 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230711165144Z) failed.
> [11/Jul/2023:13:52:21.899560503 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230711165144Z) failed.
> [11/Jul/2023:13:52:21.913459796 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=xyz,cn=users,cn=accounts,dc=mydomain'
> [11/Jul/2023:13:52:42.939623733 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230710221057Z) failed.
> [11/Jul/2023:13:52:42.942050331 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230710221057Z) failed.
> [11/Jul/2023:13:52:42.955004117 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'fqdn=hostname.unila.intranet,cn=computers,cn=accounts,dc=mydomain'

I'm not sure why this is happening or how I can fix it. Unfortunately I'm using the accountpolicy_plugin to update the last auth date via LDAP, but the field lastLoginHistory seems to be something added in the latest releases.

For additional details:

  • we have 3 replicas, but the accountpolicy_plugin is enabled only on 1 server, where we concentrate the LDAP auth.
  • I can see that the users have the multi-valued attribute lastLoginHistory filled, so at some point this is updated.
  • It seems to be happening with both user accounts and hosts.

Any ideas on how to fix this? Thanks.
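A triage script for the error.log lines quoted in this report, added here as an example; it is not code from the issue or from 389-ds-base. It assumes only the log format visible above and the standard LDAP meaning of result code 20 (attributeOrValueExists), and pairs each "Modify error 20" with the lastLoginHistory value named in the attr_replace failure logged just before it, so you get the list of affected accounts (users and hosts) and how often each one hits the error. The sample log is a constructed copy of the lines in the report, domain left as dc=mydomain.

```python
"""Group 389-ds 'Modify error 20' events on lastLoginHistory by entry DN.

Added example, not code from the issue or from 389-ds-base.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the lines quoted in the report, unchanged.
SAMPLE_LOG = """\
[11/Jul/2023:13:50:20.591388308 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=xyz,cn=users,cn=accounts,dc=mydomain'
[11/Jul/2023:13:51:52.993254666 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230710114037Z) failed.
[11/Jul/2023:13:51:52.995079255 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230710114037Z) failed.
[11/Jul/2023:13:51:53.014918310 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=abc,cn=users,cn=accounts,dc=mydomain'
[11/Jul/2023:13:52:12.898523693 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230711165203Z) failed.
[11/Jul/2023:13:52:12.901073197 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230711165203Z) failed.
[11/Jul/2023:13:52:12.914936792 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=abc,cn=users,cn=accounts,dc=mydomain'
[11/Jul/2023:13:52:21.897598474 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230711165144Z) failed.
[11/Jul/2023:13:52:21.899560503 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230711165144Z) failed.
[11/Jul/2023:13:52:21.913459796 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'uid=xyz,cn=users,cn=accounts,dc=mydomain'
[11/Jul/2023:13:52:42.939623733 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230710221057Z) failed.
[11/Jul/2023:13:52:42.942050331 -0300] - ERR - attrlist_replace - attr_replace (lastLoginHistory, 20230710221057Z) failed.
[11/Jul/2023:13:52:42.955004117 -0300] - ERR - acct_update_login_history - Modify error 20 on entry 'fqdn=hostname.unila.intranet,cn=computers,cn=accounts,dc=mydomain'
"""

# "[timestamp] - LEVEL - function - message", as in the lines above
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<func>\S+) - (?P<msg>.*)$")
MODIFY_ERR_RE = re.compile(r"Modify error (?P<code>\d+) on entry '(?P<dn>[^']+)'")
ATTR_FAIL_RE = re.compile(r"attr_replace \((?P<attr>\w+), (?P<value>\w+)\) failed")

LDAP_TYPE_OR_VALUE_EXISTS = 20  # LDAP resultCode attributeOrValueExists


def parse_timestamp(ts: str) -> datetime:
    """389-ds logs nanoseconds; datetime holds microseconds, so truncate."""
    main, _, rest = ts.partition(".")
    frac, _, tz = rest.partition(" ")
    return datetime.strptime(f"{main}.{frac[:6]} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")


def parse_line(line: str):
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_timestamp(rec["ts"])
    return rec


def find_duplicate_value_errors(log_text: str):
    """Return {dn: [(timestamp, value)]} for every entry whose modify on
    lastLoginHistory failed with resultCode 20. `value` is the one named in
    the attr_replace failure logged just before, or None if there was none."""
    hits = defaultdict(list)
    pending_value = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERR":
            continue
        am = ATTR_FAIL_RE.search(rec["msg"])
        if am and am.group("attr") == "lastLoginHistory":
            pending_value = am.group("value")
            continue
        mm = MODIFY_ERR_RE.search(rec["msg"])
        if mm and int(mm.group("code")) == LDAP_TYPE_OR_VALUE_EXISTS:
            hits[mm.group("dn")].append((rec["ts"], pending_value))
            pending_value = None
    return dict(hits)


def summarize(hits):
    """Per-DN hit count, tagged user/host by the container in the DN."""
    out = {}
    for dn, events in hits.items():
        kind = "host" if ",cn=computers," in dn else "user"
        out[dn] = {"kind": kind, "count": len(events),
                   "values": sorted({v for _, v in events if v})}
    return out


if __name__ == "__main__":
    for dn, info in summarize(find_duplicate_value_errors(SAMPLE_LOG)).items():
        print(f"{info['kind']:4} {info['count']:2}x  {dn}  {info['values']}")
```

Run it against a real log with `find_duplicate_value_errors(open("/var/log/dirsrv/slapd-INSTANCE/errors").read())`; accounts that show up repeatedly are the first candidates to check for concurrent binds (scripts, hosts behind a load balancer).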

@jchapma jchapma self-assigned this Jul 12, 2023
jchapma commented Jul 13, 2023

Hi @lucasdiedrich

Yes the LastLoginHistory feature is a customer RFE that has been added to the code base recently.

I am trying to reproduce the issue you are experiencing. I set up 3 DS instances in a multi-supplier configuration, where each supplier is also a consumer. I enabled the account policy plugin on supplier1. When a user logs on to supplier1 the timestamps get added to the multi-valued LastLoginHist attribute, which is then replicated to supplier2/3. Can you confirm my setup is similar to yours, as I am unable to reproduce the issue so far?

From the error logs you shared above it looks like a "user" is attempting multiple logins simultaneously. In a replication topology the consumer periodically binds to a supplier to check for updates. It's possible that the behaviour in the error log above could be both consumers binding to the supplier at the same time. It would be interesting to see how your service accounts are configured; for comparison, here are mine:

# localhost:63702, Services, example.com
dn: cn=localhost:63702,ou=Services,dc=example,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: nsMemberOf
objectClass: nsAccount
cn: localhost:63702
[snip]

# localhost:63703, Services, example.com
dn: cn=localhost:63703,ou=Services,dc=example,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: nsMemberOf
objectClass: nsAccount
cn: localhost:63703
[snip]

Thank you

@lucasdiedrich (Author)

@jchapma that's exactly my environment, but I just confirmed and we're now load balancing the authentication between the hosts. What I said before was not so precise.

Some of the accounts that I'm seeing the errors on are service accounts used for some scripts, which might be why they're authenticating simultaneously, but they are not created as service accounts, just user accounts.

But one of the accounts was just a regular user, though I think that is explained by the load balancer on the authentication.

jchapma added a commit to jchapma/389-ds-base that referenced this issue Jul 28, 2023
Bug Description: With the account policy plugin enabled and
lastloginhistory size set to non 0 an issue occurs during
simultaneous binds of the same user. In this case the timestamp
to be stored in the lastloginHistory attribute already exists from
a previous bind, and generates an error message.

A side effect of lastloginHistory feature is that the modifytimestamp
value is updated after a successful bind, even when the feature is
disabled.

Fix Description: Before a timestamp is added to the lastloginHistory
attribute a check is performed to make sure it doesn't already exist.

Ensure the entry is not modified when this feature is disabled.

Fixes:	389ds#5834
Relates:389ds#5752

Reviewed by:
jchapma added a commit that referenced this issue Aug 8, 2023
Bug Description: With the account policy plugin enabled and
lastloginhistory size set to non 0 an issue occurs during
simultaneous binds of the same user. In this case the timestamp
to be stored in the lastloginHistory attribute already exists from
a previous bind, and generates an error message.

A side effect of lastloginHistory feature is that the modifytimestamp
value is updated after a successful bind, even when the feature is
disabled.

Fix Description: Before a timestamp is added to the lastloginHistory
attribute a check is performed to make sure it doesn't already exist.

Ensure the entry is not modified when this feature is disabled.

Fixes:	#5834
Relates:#5752

Reviewed by: @progier389, @tbordaz  (Thank you)
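A model of the race and of the fix described in the commit message, added here as an example; it is not code from 389-ds-base or from the fix itself. It uses an in-memory stand-in for a directory entry that enforces LDAP's duplicate-value rule on add (resultCode 20, attributeOrValueExists), and an update routine written from the commit text: store the bind time as a second-granularity GeneralizedTime value, keep at most `history_size` values, and with `fixed=True` apply the two changes the fix description names (skip the add when the timestamp is already present, and do not write the entry at all when the feature is disabled). `Entry`, `update_login_history`, `history_size` and the pre-fix "feature disabled still writes the entry" path are assumptions made for this example, not the plugin's actual code.

```python
"""Model of two same-second binds hitting lastLoginHistory, before and after the fix.

Added example; the entry class and update routine are assumptions, not 389-ds code.
"""
from datetime import datetime, timezone

LDAP_TYPE_OR_VALUE_EXISTS = 20  # LDAP resultCode attributeOrValueExists


class LdapError(Exception):
    def __init__(self, code: int, msg: str):
        super().__init__(f"resultCode {code}: {msg}")
        self.code = code


class Entry:
    """Tiny directory entry: multi-valued attributes plus a write counter
    standing in for modifyTimestamp (assumed model, not a real backend)."""

    def __init__(self, dn: str, **attrs):
        self.dn = dn
        self.attrs = {k: list(v) for k, v in attrs.items()}
        self.modify_count = 0

    def values(self, attr: str):
        return list(self.attrs.get(attr, []))

    def modify(self, changes):
        """Apply (op, attr, values) as one LDAP modify: all or nothing.
        Adding a value that is already present fails the whole operation
        with resultCode 20, the 'Modify error 20' seen in the server log."""
        new = {k: list(v) for k, v in self.attrs.items()}
        for op, attr, vals in changes:
            cur = new.setdefault(attr, [])
            if op == "add":
                for v in vals:
                    if v in cur:
                        raise LdapError(LDAP_TYPE_OR_VALUE_EXISTS, f"{attr}: {v}")
                    cur.append(v)
            elif op == "delete":
                for v in vals:
                    cur.remove(v)
            elif op == "replace":
                new[attr] = list(vals)
        self.attrs = new
        self.modify_count += 1


def generalized_time(now: datetime) -> str:
    """GeneralizedTime at second granularity (e.g. 20230711165203Z); two binds
    inside the same second therefore produce the same value."""
    return now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def update_login_history(entry: Entry, now: datetime, history_size: int, fixed: bool) -> bool:
    """Record a successful bind in lastLoginHistory. Returns True when a value was stored."""
    if history_size == 0:
        if fixed:
            return False  # feature disabled: entry is not written at all
        # assumed pre-fix behaviour from the commit text: the entry is still
        # modified, so modifyTimestamp moves on every successful bind
        entry.modify([("replace", "lastLoginHistory", [])])
        return False
    stamp = generalized_time(now)
    history = entry.values("lastLoginHistory")
    if fixed and stamp in history:
        return False  # same second as an earlier bind: nothing new to add
    changes = []
    overflow = len(history) + 1 - history_size
    if overflow > 0:
        # GeneralizedTime strings sort chronologically; drop the oldest
        changes.append(("delete", "lastLoginHistory", sorted(history)[:overflow]))
    changes.append(("add", "lastLoginHistory", [stamp]))
    entry.modify(changes)
    return True


def simulate_concurrent_binds(fixed: bool, history_size: int = 3):
    """Two binds of the same account in the same second, as the issue describes.
    Returns the entry and the per-bind outcome (True/False or the LDAP error code)."""
    entry = Entry("uid=abc,cn=users,cn=accounts,dc=mydomain",
                  lastLoginHistory=["20230710114037Z"])  # constructed sample
    t = datetime(2023, 7, 11, 16, 52, 3, tzinfo=timezone.utc)
    results = []
    for _ in range(2):
        try:
            results.append(update_login_history(entry, t, history_size, fixed))
        except LdapError as e:
            results.append(e.code)
    return entry, results


def simulate_disabled(fixed: bool) -> int:
    """Number of writes to the entry after one bind with the feature disabled (size 0)."""
    entry = Entry("uid=xyz,cn=users,cn=accounts,dc=mydomain")
    update_login_history(entry, datetime.now(timezone.utc), 0, fixed)
    return entry.modify_count
```

Without the check the second bind fails with result code 20 and the plugin logs the "Modify error 20" from the report; with it the second bind is a no-op, the history is unchanged and the entry is written once. The size-0 case shows the second part of the fix: with the feature disabled the entry must not be written, otherwise every successful bind bumps modifyTimestamp and that change replicates.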