CRON JOBS BLOCK USER PASSWORD POLICY
Is there a cron job that checks the users blocked by the password policy and sends them a notification warning them?
Currently, there is only a job to notify before the password expires: https://www.ldap-account-manager.org/static/doc/manual/ch03s02.html#job_ppolicy_password_expire
What use-case do you need to cover? Is it that the account was locked by wrong login attempts by an attacker?
We need to cover any case of blocking: due to an attack, due to incorrect login attempts by the user (the majority of cases ;) ), and more.
It would be very interesting if a cron task were executed according to the time indicated in passwordpolicy/pwdFailureCountInterval and, when passwordpolicy/pwdLockout is enabled, sent an email to the address configured for password reset (passwordSelfResetBackupMail), informing the user of the lock duration according to passwordpolicy/pwdLockoutDuration.
I see some issues here:
- You will need to run the cron job very often to be able to inform the users before they login the next time
- As the account is locked the user might not have email access (mitigated by backup email address)
- What is the intended user action when such an email is received? Do they need to call an admin or just wait?
A better approach might be to use a short lockout duration of e.g. 5min. This would still prevent password guessing attacks but not affect the user experience so much.
I understand, but the problem is that most systems that use LDAP authentication do not show any messages regarding password policies: when a user's account is locked, they see the same error message as when they enter their password incorrectly. That is, users are not informed of the lock and keep trying to log in.
Instead of modifying all the systems that depend on LDAP, the only thing that occurs to me is to go to the origin, to LAM, which manages the directory.
The result is that users know that their account is blocked, the reason and for how long.
This saves unnecessary calls to the IT department and time/frustration to users.
I appreciate your proposal for a short lockout time but I don't think it will solve my problem.
The problem is that the origin would rather be the LDAP server. This would be the best place to trigger an event that could start such a notification. Unfortunately, PPolicy does not provide a way to call a script when an account is locked (maybe you could react to a log entry, but this is not reliable). Btw, there is also no way to get the reason for the lock; PPolicy does not provide any information about that. At the moment, I would not add such a notification to LAM because of the issues above.
But maybe you can create your own script based on this one? https://kifarunix.com/configure-openldap-password-expiry-email-notification/
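As an added illustration of the kind of script discussed above (not part of LAM, not the linked kifarunix script, and not posted by either participant), the following Python reads the ppolicy operational attribute `pwdAccountLockedTime`, works out whether each account is still locked and for how long, and drafts the e-mail to `passwordSelfResetBackupMail`. The entries, the policy values and the fixed "now" are constructed so it runs offline; a real cron job would replace `ENTRIES` with an LDAP search for `(pwdAccountLockedTime=*)` (requesting the attribute explicitly, since it is operational) and hand the drafted messages to `smtplib`. As the thread notes, ppolicy records no reason for the lock, so the message does not claim one.

```python
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# Marker ppolicy stores in pwdAccountLockedTime for an administrative (permanent) lock.
PERMANENT_LOCK = "000001010000Z"

# Constructed stand-in for the password policy entry referenced in the thread.
POLICY = {
    "pwdLockout": True,
    "pwdLockoutDuration": 900,       # seconds; 0 means locked until an admin unlocks
    "pwdFailureCountInterval": 300,  # the interval the thread suggests for the cron job
}

# Fixed clock so the example is deterministic; a cron job would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed entries standing in for the result of an LDAP search for (pwdAccountLockedTime=*).
ENTRIES = [
    {"uid": "alice", "pwdAccountLockedTime": "20240501115500Z",   # locked 5 min ago
     "passwordSelfResetBackupMail": "alice.backup@example.org"},
    {"uid": "bob", "pwdAccountLockedTime": "20240501114000Z",     # locked 20 min ago, expired
     "passwordSelfResetBackupMail": "bob.backup@example.org"},
    {"uid": "carol", "pwdAccountLockedTime": PERMANENT_LOCK,      # admin lock
     "passwordSelfResetBackupMail": "carol.backup@example.org"},
    {"uid": "dave"},                                              # never locked
]


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime as ppolicy writes it (YYYYmmddHHMMSS[.fff]Z) into aware UTC."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lockout_state(entry, policy, now):
    """Return (locked, remaining_seconds).

    remaining_seconds is None when only an administrator can unlock the account
    (permanent marker or pwdLockoutDuration 0). ppolicy does not remove an expired
    pwdAccountLockedTime until the next bind, so the attribute's presence alone is
    not enough: the duration has to be checked.
    """
    if not policy["pwdLockout"]:
        return False, None
    locked_at = entry.get("pwdAccountLockedTime")
    if not locked_at:
        return False, None
    if locked_at == PERMANENT_LOCK or policy["pwdLockoutDuration"] == 0:
        return True, None
    unlock_at = parse_generalized_time(locked_at) + timedelta(seconds=policy["pwdLockoutDuration"])
    if now >= unlock_at:
        return False, None
    return True, int((unlock_at - now).total_seconds())


def build_notification(entry, remaining_seconds, sender="it-support@example.org"):
    """Draft the e-mail to the backup address; None when the user has no backup address."""
    to_addr = entry.get("passwordSelfResetBackupMail")
    if not to_addr:
        return None
    msg = EmailMessage()
    msg["From"] = sender          # constructed sender address
    msg["To"] = to_addr
    msg["Subject"] = f"Account {entry['uid']} is locked"
    if remaining_seconds is None:
        detail = "It stays locked until an administrator unlocks it."
    else:
        detail = (f"It unlocks automatically in about {remaining_seconds // 60} minutes; "
                  "further login attempts before then will fail regardless of the password.")
    msg.set_content(
        f"Your account '{entry['uid']}' is currently locked by the password policy.\n"
        f"{detail}\nIf you did not attempt to log in recently, contact IT support.\n"
    )
    return msg


def pending_notifications(entries, policy, now):
    """Return {uid: EmailMessage} for every currently locked account with a backup address."""
    out = {}
    for entry in entries:
        locked, remaining = lockout_state(entry, policy, now)
        if locked:
            msg = build_notification(entry, remaining)
            if msg is not None:
                out[entry["uid"]] = msg
    return out


if __name__ == "__main__":
    for uid, msg in pending_notifications(ENTRIES, POLICY, NOW).items():
        print(f"--- {uid} -> {msg['To']}\n{msg.get_content()}")
```

Run from cron at the `pwdFailureCountInterval` cadence, the job would need to remember which locks it has already announced (for instance the uid plus the `pwdAccountLockedTime` value) so a user is not mailed on every run during a single lock.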
Thank you very much. For now, do not create anything additional in LAM to manage my users on our LDAP server. In the future perhaps it can be added to the jobs available in LAM, or we can talk about a custom development for mail.