AccountPolicyPlugin erroring for some users #5834
Yes, the LastLoginHistory feature is a customer RFE that has been added to the code base recently. I am trying to reproduce the issue you are experiencing. I set up 3 DS instances in a multi-supplier configuration, where each supplier is also a consumer. I enabled the account policy plugin on supplier1. When a user logs on to supplier1 the timestamps get added to the multi-value LastLoginHist attribute, which is then replicated to supplier2/3. Can you confirm my setup is similar to yours, as I am unable to reproduce the issue so far? From the error logs you shared above it looks like a "user" is attempting multiple logins simultaneously. In a replication topology the consumer periodically binds to a supplier to check for updates. It's possible that the behaviour in the error log above could be both consumers binding to the supplier at the same time. It would be interesting to see how your service accounts are configured; for comparison here are mine:
Thank you
@jchapma that's exactly my environment, but I just confirmed and we're now load balancing the authentication between the hosts. What I said before was not so precise. Some of the accounts that I'm seeing the errors on are service accounts used for some scripts, which might be why it's authenticating simultaneously, but they are not created as service accounts, just user accounts: But one of the accounts was just a regular user, but it is explained by the load balancer on the authentication, I think.
Bug Description: With the account policy plugin enabled and lastloginhistory size set to non 0 an issue occurs during simultaneous binds of the same user. In this case the timestamp to be stored in the lastloginHistory attribute already exists from a previous bind, and generates an error message. A side effect of lastloginHistory feature is that the modifytimestamp value is updated after a successful bind, even when the feature is disabled. Fix Description: Before a timestamp is added to the lastloginHistory attribute a check is performed to make sure it doesn't already exist. Ensure the entry is not modified when this feature is disabled. Fixes: 389ds#5834 Relates: 389ds#5752 Reviewed by:
Bug Description: With the account policy plugin enabled and lastloginhistory size set to non 0 an issue occurs during simultaneous binds of the same user. In this case the timestamp to be stored in the lastloginHistory attribute already exists from a previous bind, and generates an error message. A side effect of lastloginHistory feature is that the modifytimestamp value is updated after a successful bind, even when the feature is disabled. Fix Description: Before a timestamp is added to the lastloginHistory attribute a check is performed to make sure it doesn't already exist. Ensure the entry is not modified when this feature is disabled. Fixes: #5834 Relates: #5752 Reviewed by: @progier389, @tbordaz (Thank you)
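The check described in the fix, modelled in C as an added example; this is not the 389-ds patch or any project code. `struct hist`, `hist_add_raw`, `record_login` and the timestamp are hypothetical, and the duplicate rejection mirrors LDAP result code 20 (attributeOrValueExists).

```c
#include <stdio.h>
#include <string.h>
#define HIST_MAX 8
#define RC_OK 0
#define RC_VALUE_EXISTS 20 /* LDAP result code attributeOrValueExists */

/* Toy stand-in for a multi-valued attribute (hypothetical, not 389-ds code). */
struct hist { char vals[HIST_MAX][16]; int n; int mods; };
struct hist H; /* the single entry used by the demo */

/* Unguarded write: like an LDAP add-value modify, it rejects a duplicate value. */
static int hist_add_raw(struct hist *h, const char *ts) {
    for (int i = 0; i < h->n; i++)
        if (strcmp(h->vals[i], ts) == 0) return RC_VALUE_EXISTS;
    if (h->n == HIST_MAX) return -1;
    snprintf(h->vals[h->n++], sizeof h->vals[0], "%s", ts);
    h->mods++; /* each stored value counts as one entry modification */
    return RC_OK;
}

/* Guarded write: no-op when disabled (size 0) or when ts is already stored. */
static int record_login(struct hist *h, int size, const char *ts) {
    if (size <= 0) return RC_OK; /* feature off: entry is not touched */
    if (size > HIST_MAX) size = HIST_MAX;
    for (int i = 0; i < h->n; i++)
        if (strcmp(h->vals[i], ts) == 0) return RC_OK; /* same-second bind */
    while (h->n >= size) { /* drop oldest values to respect the history size */
        memmove(h->vals[0], h->vals[1], (size_t)(h->n - 1) * sizeof h->vals[0]);
        h->n--;
    }
    return hist_add_raw(h, ts);
}

/* Two binds in one second (constructed timestamp); returns the second write's rc. */
int two_binds(int guarded, int size) {
    const char *ts = "20230712101500Z";
    memset(&H, 0, sizeof H);
    if (guarded) { record_login(&H, size, ts); return record_login(&H, size, ts); }
    hist_add_raw(&H, ts);
    return hist_add_raw(&H, ts);
}

int main(void) {
    int rc = two_binds(0, 5);
    printf("unguarded: rc=%d\n", rc);
    rc = two_binds(1, 5);
    printf("guarded: rc=%d values=%d mods=%d\n", rc, H.n, H.mods);
    return 0;
}
```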
Hey,
Since I updated to the latest FreeIPA version (IPA, version: 4.10.1), I started noticing some errors in the 389 error.log.
I'm not sure why this is happening and how I can fix this. Unfortunately I'm using the accountpolicy_plugin to update the last auth date via LDAP, but the field lastLoginHistory seems to be something added in the latest releases.
For additional details:
Any ideas on how to fix this? Thanks.