Use of authentication token with LDAP account results in account lockout when max bad password attempts are configured in LDAP
(Using the Community Edition)
We would like to use the authentication tokens for accounts used by automated systems. In our organization these "service" accounts are required to be managed in Active Directory/LDAP. Normally this is fine since Rhodecode works great with LDAP accounts. However, mixing an LDAP account with authentication token usage is an issue because of an LDAP configuration requirement for account lockout after a number of bad password attempts, and also general security monitoring of failed logins.
When using the authentication token to authenticate to Rhodecode, Rhodecode first attempts to authenticate the LDAP user against LDAP using the token as the password. This obviously fails, thus incrementing the bad password counter (eventually locking the account) and also logging a failed login attempt in the monitoring of the LDAP system.
I have focused primarily on the service accounts in this filing, but this could also affect users that opt to use the token on shared systems where they would prefer to not record their LDAP password.
While the account is still technically usable in Rhodecode, this behavior creates a situation where the security monitoring of the accounts is muddied by the false failures. Is there a way to change the order in which Rhodecode attempts authentication to have it first verify against the authentication token rather than LDAP?
Related log output:
[26/Feb/2019:16:37:04 -0500] GNCRN <63245> 127.0.0.1 rqt:0.471118 200 42 "GET:/repogroup/repo cmd=batch" usr:serviceaccount "-" "mercurial/proto-1.0"
2019-02-26 16:37:04.111  INFO [rhodecode.authentication.base] Authenticating user `serviceaccount` using egg:rhodecode-enterprise-ce#ldap plugin
2019-02-26 16:37:04.375  ERROR [rhodecode.authentication.plugins.auth_ldap] LDAP related exception
Traceback (most recent call last):
  File "/opt/rhodecode/store/p9vr3b65srfrkr4gbag23mpcdkk0xy6w-python2.7-rhodecode-enterprise-ce-4.12.4/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py", line 463, in auth
    (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
  File "/opt/rhodecode/store/p9vr3b65srfrkr4gbag23mpcdkk0xy6w-python2.7-rhodecode-enterprise-ce-4.12.4/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py", line 338, in authenticate_ldap
    'with given password'.format(username))
LdapPasswordError: Failed to authenticate user `serviceaccount`with given password
2019-02-26 16:37:04.385  INFO [rhodecode.authentication.base] Authenticating user `serviceaccount` using egg:rhodecode-enterprise-ce#token plugin
2019-02-26 16:37:04.402  INFO [rhodecode.authentication.plugins.auth_token] user `serviceaccount` successfully authenticated via authtoken
2019-02-26 16:37:04.402  INFO [rhodecode.lib.middleware.simplevcs] MAIN-AUTH successful for user `serviceaccount` from authtoken plugin
2019-02-26 16:37:04.413  INFO [rhodecode.lib.middleware.simplevcs] Access for IP:xxx.xxx.xxx.xxx allowed
2019-02-26 16:37:04.491  INFO [rhodecode.lib.middleware.simplevcs] pull action on hg repo "repogroup/repo" by "serviceaccount" from xxx.xxx.xxx.xxx mercurial/proto-1.0
2019-02-26 16:37:04.500  INFO [rhodecode.lib.middleware.simplevcs] Using HTTP implementation of scm app.
2019-02-26 16:37:04.546  INFO [rhodecode.lib.middleware.request_wrapper] IP: xxx.xxx.xxx.xxx Request to /repogroup/repo time: 0.481s [mercurial/proto-1.0]
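The log above shows the telltale pattern: an LDAP bind failure for a user followed within milliseconds by a successful auth-token login for the same user, which means the token itself was sent to LDAP as a password and counted as a bad-password attempt. The following script is an added example (not part of the original report and not RhodeCode code) that scans RhodeCode log text for exactly that pairing, so an operator can tell these spurious failures apart from genuine bad passwords and see which accounts are approaching the directory's lockout threshold. The sample log lines, the `builduser` account, the five-second pairing window and the lockout threshold are all constructed assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, modelled on the RhodeCode log format quoted in the report
# (not real log output). `serviceaccount` shows two token-after-LDAP-failure pairs;
# `builduser` is a genuine LDAP bad password with no token success afterwards.
SAMPLE_LOG = """\
2019-02-26 16:37:04.111  INFO [rhodecode.authentication.base] Authenticating user `serviceaccount` using egg:rhodecode-enterprise-ce#ldap plugin
2019-02-26 16:37:04.375  ERROR [rhodecode.authentication.plugins.auth_ldap] LDAP related exception
Traceback (most recent call last):
LdapPasswordError: Failed to authenticate user `serviceaccount`with given password
2019-02-26 16:37:04.385  INFO [rhodecode.authentication.base] Authenticating user `serviceaccount` using egg:rhodecode-enterprise-ce#token plugin
2019-02-26 16:37:04.402  INFO [rhodecode.authentication.plugins.auth_token] user `serviceaccount` successfully authenticated via authtoken
2019-02-26 16:39:00.010  INFO [rhodecode.authentication.base] Authenticating user `builduser` using egg:rhodecode-enterprise-ce#ldap plugin
2019-02-26 16:39:00.250  ERROR [rhodecode.authentication.plugins.auth_ldap] LDAP related exception
Traceback (most recent call last):
LdapPasswordError: Failed to authenticate user `builduser`with given password
2019-02-26 16:40:12.100  INFO [rhodecode.authentication.base] Authenticating user `serviceaccount` using egg:rhodecode-enterprise-ce#ldap plugin
2019-02-26 16:40:12.360  ERROR [rhodecode.authentication.plugins.auth_ldap] LDAP related exception
Traceback (most recent call last):
LdapPasswordError: Failed to authenticate user `serviceaccount`with given password
2019-02-26 16:40:12.370  INFO [rhodecode.authentication.base] Authenticating user `serviceaccount` using egg:rhodecode-enterprise-ce#token plugin
2019-02-26 16:40:12.390  INFO [rhodecode.authentication.plugins.auth_token] user `serviceaccount` successfully authenticated via authtoken
"""

# Timestamp prefix used by RhodeCode's application log lines.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
# The LDAP plugin's failure message; `\s*` tolerates the missing space after the backtick
# that appears in the quoted traceback.
LDAP_FAIL_RE = re.compile(r"Failed to authenticate user `([^`]+)`\s*with given password")
# The token plugin's success message.
TOKEN_OK_RE = re.compile(r"user `([^`]+)` successfully authenticated via authtoken")


def find_token_fallbacks(log_text, window=timedelta(seconds=5)):
    """Return {user: count} of LDAP failures that were followed, within `window`,
    by an auth-token success for the same user.

    Each pair is one request where the token was tried against LDAP as a
    password, i.e. one spurious bad-password event charged to that account.
    LDAP failures with no token success afterwards (real bad passwords) are
    deliberately not counted."""
    pending = {}          # user -> timestamp of their most recent LDAP failure
    counts = Counter()
    current_ts = None     # traceback lines carry no timestamp; reuse the last one seen
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            current_ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        m = LDAP_FAIL_RE.search(line)
        if m:
            pending[m.group(1)] = current_ts
            continue
        m = TOKEN_OK_RE.search(line)
        if m:
            user = m.group(1)
            failed_at = pending.pop(user, None)
            if failed_at is not None and current_ts is not None \
                    and current_ts - failed_at <= window:
                counts[user] += 1
    return dict(counts)


def users_at_lockout_risk(counts, lockout_threshold):
    """Accounts whose spurious failure count has reached the directory's
    bad-password lockout threshold (an assumed value supplied by the caller)."""
    return sorted(user for user, n in counts.items() if n >= lockout_threshold)


if __name__ == "__main__":
    fallbacks = find_token_fallbacks(SAMPLE_LOG)
    print("token-as-LDAP-password events per user:", fallbacks)
    print("at lockout risk (threshold 2):", users_at_lockout_risk(fallbacks, 2))
```

Run against a real RhodeCode log file by passing its contents to `find_token_fallbacks`; the per-user count is the number of bad-password events the LDAP side has recorded for that account purely because of token logins, which is the figure to compare against the lockout policy and to annotate in the LDAP monitoring so those failures are not mistaken for a credential-guessing attempt.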