Confluence Data Center
CONFSERVER-8574: Updating AD information every time user submits wrong password when logging in

    • Type: Suggestion
    • Resolution: Timed out
    • Environment: Confluence EAR/WAR Version 2.4.2, Bea WebLogic Server 8.1.4, j2sdk1.4.2_08
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Our authentication has been integrated with our AD through osuser.xml. The problem is that even if there is functionality to lock the account after five (5) wrong password entries in AD, Confluence doesn't update the information before the session has been restarted.

      If someone knows the confluence-administrators user name, the person can try to guess the password countless times without Confluence locking the account. Meaning that the badPwdCount attribute in AD increases every time the user pushes the Log In button, but after five wrong password entries the information about the account being locked doesn't go from AD to Confluence. The problem disappears when the session is restarted (meaning the browser session, not the server session).
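      The two designs at issue here, as an added illustration that is not Confluence, Atlassian or AD code: a toy directory that counts bad passwords and locks after the fifth, fronted by an authenticator that reads the lockout state once per browser session (the behaviour reported) and by one that asks the directory on every Log In press (the behaviour requested). The account name, password, session ids and threshold are constructed for the example.

```python
"""Constructed model of the behaviour reported in CONFSERVER-8574.

Two authenticators sit in front of a toy directory that, like AD, counts bad
passwords (badPwdCount) and locks the account after a threshold.  One checks
the lockout state once per browser session and reuses the answer; the other
consults the directory on every Log In press.  None of this is Confluence or
AD code; the account, the session ids and the threshold are made up.
"""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5  # "five (5) wrong password entries", as in the report


@dataclass
class Account:
    password: str
    bad_pwd_count: int = 0  # stands in for AD's badPwdCount attribute
    locked: bool = False


class ToyDirectory:
    """Counts bad passwords and sets the lock flag.  Unlike real AD it does not
    refuse a bind on a locked account; the caller must honour is_locked().
    That split is what lets the caching authenticator reproduce the report."""

    def __init__(self, accounts: dict[str, Account]):
        self.accounts = accounts

    def is_locked(self, user: str) -> bool:
        return self.accounts[user].locked

    def bind(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        if password == acct.password:
            acct.bad_pwd_count = 0
            return True
        acct.bad_pwd_count += 1  # the counter updates in real time, as observed
        if acct.bad_pwd_count >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False


class SessionCachingAuthenticator:
    """Reported behaviour: lockout state is read when the browser session first
    touches the account and then reused for every later attempt."""

    def __init__(self, directory: ToyDirectory):
        self.directory = directory
        self._locked_by_session: dict[str, dict[str, bool]] = {}

    def login(self, session_id: str, user: str, password: str) -> bool:
        cache = self._locked_by_session.setdefault(session_id, {})
        if user not in cache:
            cache[user] = self.directory.is_locked(user)
        if cache[user]:
            return False
        return self.directory.bind(user, password)


class PerAttemptAuthenticator:
    """Requested behaviour: the directory is asked about the lock on every
    Log In press, so a lock set during the session takes effect immediately."""

    def __init__(self, directory: ToyDirectory):
        self.directory = directory

    def login(self, session_id: str, user: str, password: str) -> bool:
        if self.directory.is_locked(user):
            return False
        return self.directory.bind(user, password)


def guessing_run(authenticator_cls, wrong_guesses: int) -> dict:
    """Submit `wrong_guesses` bad passwords from one browser session, then the
    right one, then the right one again from a fresh session.  Returns what was
    granted and whether the directory locked the account."""
    directory = ToyDirectory({"confadmin": Account(password="correct-password")})
    auth = authenticator_cls(directory)
    for i in range(wrong_guesses):
        auth.login("browser-session-1", "confadmin", f"wrong-{i}")
    granted = auth.login("browser-session-1", "confadmin", "correct-password")
    new_session_granted = auth.login("browser-session-2", "confadmin", "correct-password")
    return {
        "granted": granted,
        "locked": directory.is_locked("confadmin"),
        "new_session_granted": new_session_granted,
    }


if __name__ == "__main__":
    for cls in (SessionCachingAuthenticator, PerAttemptAuthenticator):
        print(cls.__name__, guessing_run(cls, 34))
```

      With the caching authenticator the directory does lock the account on the fifth bad bind, yet the same browser session is still granted access when the right password finally arrives, and only a fresh session sees the lock; with the per-attempt authenticator the lock is honoured on the very next press. Real AD refuses a bind on a locked-out account, so an authenticator that binds (or at least re-reads the lock) on every attempt is the straightforward fix; the toy exposes the lock as a separate flag only so that the caching path can reproduce what the report describes.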

            Petteri Parkkila added a comment -

            Hi Tom,

            >Confluence never queries AD for account lock out information. If AD has decided that an account is locked out, then a Confluence user can't try any more passwords - presumably even the right password will be denied, or have I misunderstood how AD works?

            You have understood AD correctly: if the user makes five or more wrong account entries, AD locks the account.

            Locked out account before opening browser:
            The case here is that if the user has locked out the account before opening the browser and going to the log in page, access to Confluence is denied.

            Open account before opening browser:
            But if the user hasn't locked the account before opening the browser and going to the log in page, the user can try to guess the password countless times, and if the user gets lucky and guesses the password, say on the 35th guess, access is granted to Confluence.

            Locked account after opening browser:
            If the user didn't guess the password in, say, 35 tries and closes the browser, opens the browser again and submits the right account information, access to Confluence is denied (this is because AD has locked the account).

            The ideal configuration would be that when the user pushes the Log In button, the information would sync with AD just as if the browser had been opened for the first time.


            Tom Davies added a comment -

            Thanks for the update.

            Confluence never queries AD for account lock out information. If AD has decided that an account is locked out, then a Confluence user can't try any more passwords – presumably even the right password will be denied, or have I misunderstood how AD works?

            What behaviour do you see for a locked out account before and after closing your browser?

            Tom


            Petteri Parkkila added a comment -

            Hi Tom,

            I mean that Confluence synchronizes with AD when, for example, the browser window is closed, but doesn't sync if just a tab is closed and opened again.

            Confluence does update the bad password information to AD in real time, but AD doesn't update the bad password information to Confluence (e.g. if the account is locked after 5 wrong entries). This causes a threat issue because if an attacker knows the confluence-administrators user name (for example, when pushing the Contact Administrators link and moving the mouse pointer over an administrator's name, the username shows in the status bar).

            But I have tested that the problem disappears when I close the whole browser window, open a new one and go to the log in page again. Closing just a tab (in Mozilla) doesn't update the information. I still don't have to restart the server to get AD to sync with Confluence.

            Regards,
            Petteri


            Tom Davies added a comment -

            Hi Petteri,

            Can you please explain what you mean when you say "The problem disappears when session is restarted (meaning the browser session, not server session)"

            Thanks,
            Tom


              Assignee: BillA
              Reporter: Petteri Parkkila
              Votes: 3
              Watchers: 2