Hi,

What you are seeing here is the password cache in the Fan-Out Core Driver.
The core driver has several caches which are mainly in place for things
like webservers that authenticate every object on the page, etc. That gets
real expensive if you are doing an ldap context search and password check
every time. So the core driver has several caches including a password
cache with a default timeout of 120 seconds. This cache is
case-insensitive and thus the behavior you see.

So, things are functioning as designed, and I'm not quite sure what could
be done to the core driver to "fix" this issue. You can adjust the cache
timeout in iManager. Go to Fan-Out Driver Configuration, Configure Core
Driver. Click the name of the core driver and change Cache Entry Time To Live.

Jeff

> After applying configuration to force case sensitivity within eDirectory,
> and even putting on the latest hotfix for crypt (MD5 support), I've
> discovered that something to do with pam_ascauth.so or asampsp ignores
> case sensitivity for a period of time after an initial successful
> authentication. I'm in the Provo area and my lab is running virtually on my
> laptop. I can bring it to anyone there who needs to see it but I am
> confident that anyone running the Fanout on linux will see this bug as we
> have demonstrated it in two separate labs.
>
> Here is the scenario:
> 1) I have the pam_ascauth.so module embedded in my /etc/pam.d/sshd file so
> that SSH authentication uses the module:
> auth required /lib/security/pam_ascauth.so stats debug
>
> 2) When I ssh to the workstation, I'm prompted with the default 'eDir
> Password:' prompt. I type the password with at least one character of
> inverted case. The authentication fails. (It is important to note that the
> module does indeed honor case until authentication completes).
>
> 3) On the next password attempt I type the password correctly (with proper
> case) and I am authenticated. I exit my session.
>
> 4) If I ssh again to the box with another session after having authenticated
> once, the system will let me in regardless of the case supplied.
>
> 5) The system will continue in this mode until some sort of timed 'reset'
> occurs. What I mean by this is that for the next 5 minutes (in my SuSE lab)
> I can authenticate using my password with bad case.
>
> ****What doesn't work to fix this****
> In my testing I've been able to demonstrate that resetting the asampsp
> process does not clear the condition:
> -When the caseless condition was present, I killed the asampsp process and
> then restarted the asampsp process anew. The caseless condition still
> exists until the timeout/reset is enacted.
>
> In my testing I've been able to demonstrate that resetting eDir/ndsd does
> not clear the condition:
> -When the caseless condition was present, I stopped the ndsd process and
> then started the ndsd process anew. The caseless condition still exists
> until the timeout/reset is enacted.
>
> ****Notes on lab environments****
> I'm running eDir on SLES 9 with the fanout going to a workstation running
> Novell Desktop Linux. This situation has also been replicated in a lab
> running all RedHat although the 'reset' condition appears to take longer
> than 5 minutes.
>
> ****Logs****
> linuxdesk:~ # echo newmarkerstart >> /var/log/messages
> linuxdesk:~ # echo `date` >> /var/log/messages
> linuxdesk:~ # ssh cschmoe@localhost
> eDir Password:
> eDir Password:
> Last login: Sun Apr 16 17:52:26 2006 from localhost
> cschmoe@linuxdesk:~> exit
> logout
> Connection to localhost closed.
> linuxdesk:~ # ssh cschmoe@localhost
> eDir Password:
> Last login: Sun Apr 16 17:56:18 2006 from localhost
> cschmoe@linuxdesk:~> exit
> logout
> Connection to localhost closed.
> linuxdesk:~ # echo newmarkerstop >> /var/log/messages
> linuxdesk:~ # echo `date` >> /var/log/messages
>
> newmarkerstart
> Sun Apr 16 17:55:57 MDT 2006
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: okay
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: service=sshd, user=cschmoe, flags=0
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: root_ok=1
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> asc_initialize: using default search path
> Apr 16 17:56:03 linuxdesk asampsp[3563]: LWS0029I <1075952560> Client
> request started from 127.0.0.1 on port 1263. gls66
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> asc_user_exclude: okay
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> asc_check_product_expired: okay
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:03 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: product expired code is 0 (Success)
> Apr 16 17:56:08 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I asc_checkpass:
> okay
> Apr 16 17:56:08 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:08 linuxdesk asampsp[3563]: LWS0033I <1075952560> Client
> request: POST /api HTTP/1.1. ghs409
> Apr 16 17:56:08 linuxdesk sshd[4385]: ASP0001I AUTHSTAT VERIFYPASSWD
> user=cschmoe rc=1 (Action not successful) [0.03, 0.00, 0.00]
> Apr 16 17:56:08 linuxdesk sshd[4385]: [ascauth-PAM] asc_checkpass: auth
> server code=1 (Action not successful)
> Apr 16 17:56:08 linuxdesk sshd[4385]: [ascauth-PAM] asc_checkpass:
> disabled=0, expire days=0
> Apr 16 17:56:08 linuxdesk sshd[4385]: ASP0005E asc_checkpass:
> authentication error=1 (Action not successful)
> Apr 16 17:56:08 linuxdesk sshd[4385]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: auth err=7 (Authentication failure)
> Apr 16 17:56:08 linuxdesk sshd[4383]: error: PAM: Authentication failure
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: okay
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: service=sshd, user=cschmoe, flags=0
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: root_ok=1
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: using default search path
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_user_exclude: okay
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_check_product_expired: okay
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:08 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: product expired code is 0 (Success)
> Apr 16 17:56:08 linuxdesk asampsp[3563]: LWS0029I <1076358064> Client
> request started from 127.0.0.1 on port 1265. gls66
> Apr 16 17:56:08 linuxdesk asampsp[3563]: LWS0032I <1075952560> Client
> request has ended. gl474
> Apr 16 17:56:18 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I asc_checkpass:
> okay
> Apr 16 17:56:18 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:18 linuxdesk asampsp[3563]: LWS0033I <1076358064> Client
> request: POST /api HTTP/1.1. ghs409
> Apr 16 17:56:18 linuxdesk sshd[4387]: ASP0001I AUTHSTAT VERIFYPASSWD
> user=cschmoe rc=0 (Action successful) [0.01, 0.00, 0.00]
> Apr 16 17:56:18 linuxdesk sshd[4387]: [ascauth-PAM] asc_checkpass: auth
> server code=0 (Action successful)
> Apr 16 17:56:18 linuxdesk sshd[4387]: [ascauth-PAM] asc_checkpass:
> disabled=0, expire days=0
> Apr 16 17:56:18 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:18 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:18 linuxdesk sshd[4387]: cschmoe's password has been reset.
> Apr 16 17:56:18 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:18 linuxdesk sshd[4387]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: user cschmoe ok
> Apr 16 17:56:18 linuxdesk sshd[4383]: Accepted keyboard-interactive/pam for
> cschmoe from ::ffff:127.0.0.1 port 1262 ssh2
> Apr 16 17:56:20 linuxdesk asampsp[3563]: LWS0032I <1076358064> Client
> request has ended. gl474
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: okay
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: service=sshd, user=cschmoe, flags=0
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: root_ok=1
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: using default search path
> Apr 16 17:56:24 linuxdesk asampsp[3563]: LWS0029I <1076358064> Client
> request started from 127.0.0.1 on port 1268. gls66
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_user_exclude: okay
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_check_product_expired: okay
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:24 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: product expired code is 0 (Success)
> Apr 16 17:56:26 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I asc_checkpass:
> okay
> Apr 16 17:56:26 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:26 linuxdesk asampsp[3563]: LWS0033I <1076358064> Client
> request: POST /api HTTP/1.1. ghs409
> Apr 16 17:56:26 linuxdesk sshd[4412]: ASP0001I AUTHSTAT VERIFYPASSWD
> user=cschmoe rc=0 (Action successful) [0.01, 0.00, 0.00]
> Apr 16 17:56:26 linuxdesk sshd[4412]: [ascauth-PAM] asc_checkpass: auth
> server code=0 (Action successful)
> Apr 16 17:56:26 linuxdesk sshd[4412]: [ascauth-PAM] asc_checkpass:
> disabled=0, expire days=0
> Apr 16 17:56:26 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:26 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:26 linuxdesk sshd[4412]: cschmoe's password has been reset.
> Apr 16 17:56:26 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> asc_initialize: okay
> Apr 16 17:56:26 linuxdesk sshd[4412]: [ascauth-PAM] ASP0010I
> pam_sm_authenticate: user cschmoe ok
> Apr 16 17:56:26 linuxdesk sshd[4410]: Accepted keyboard-interactive/pam for
> cschmoe from ::ffff:127.0.0.1 port 1267 ssh2
> Apr 16 17:56:27 linuxdesk asampsp[3563]: LWS0032I <1076358064> Client
> request has ended. gl474
> newmarkerstop
> Sun Apr 16 17:56:38 MDT 2006
>
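
The following is an added simulation, not code from the Fan-Out Core Driver or from either poster, of the two things this thread turns on: a TTL password cache in front of an expensive directory check, and the difference between a cache keyed case-insensitively (which reproduces the scenario in the quoted post: a wrong-case password is rejected until one good login, then accepted until the cache entry expires) and a cache keyed on a digest of the exact password. The account name cschmoe is taken from the logs above; the password, the salt and the 120-second TTL default are constructed for the example, and the fake clock replaces real time so the expiry can be replayed deterministically.

```python
"""Simulation of a TTL password cache in front of a directory bind.

Constructed example; it is not the Fan-Out driver's code.  It models the
behaviour described in the thread: a cache keyed on a case-folded password
accepts a wrong-case password for the cache lifetime after one good login,
while a cache keyed on a digest of the exact password does not.
"""
import hashlib
import hmac
import time
from typing import Callable, Dict, Tuple

# Constructed directory: username -> salted SHA-256 of the exact password.
_SALT = b"constructed-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


# cschmoe is the account from the thread's logs; the password is made up.
DIRECTORY = {"cschmoe": _digest("Secret#2006")}


class Backend:
    """Stands in for the LDAP context search plus bind; counts every hit."""

    def __init__(self, directory: Dict[str, bytes]) -> None:
        self.directory = directory
        self.calls = 0

    def verify(self, user: str, password: str) -> bool:
        self.calls += 1
        stored = self.directory.get(user)
        if stored is None:
            return False
        # Constant-time comparison of digests, never of plaintext.
        return hmac.compare_digest(stored, _digest(password))


class PasswordCache:
    """TTL cache of successful password checks.

    key_fn decides what the cache remembers about the password.  The thread's
    behaviour corresponds to a key that folds case; the safe key is a digest
    of the exact string.  The cache never stores the plaintext itself.
    """

    def __init__(self, backend: Backend, ttl_seconds: float,
                 key_fn: Callable[[str], bytes],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.backend = backend
        self.ttl = ttl_seconds
        self.key_fn = key_fn
        self.clock = clock
        self._entries: Dict[Tuple[str, bytes], float] = {}  # key -> expiry

    def check(self, user: str, password: str) -> bool:
        now = self.clock()
        key = (user, self.key_fn(password))
        expiry = self._entries.get(key)
        if expiry is not None and now < expiry:
            return True                 # cache hit: backend not consulted
        if expiry is not None:
            del self._entries[key]      # entry has aged out
        ok = self.backend.verify(user, password)
        if ok:
            self._entries[key] = now + self.ttl
        return ok


def case_folding_key(password: str) -> bytes:
    """Reproduces the reported behaviour: case is discarded before keying."""
    return _digest(password.lower())


def exact_key(password: str) -> bytes:
    """Keys on the exact password, so a wrong-case attempt never hits."""
    return _digest(password)


def run_scenario(key_fn: Callable[[str], bytes], ttl: float = 120) -> dict:
    """Replays the quoted post's steps 2-5 against a fake clock."""
    clock = [0.0]
    backend = Backend(DIRECTORY)
    cache = PasswordCache(backend, ttl, key_fn, clock=lambda: clock[0])
    results = {}
    results["wrong_case_first"] = cache.check("cschmoe", "secret#2006")   # step 2
    results["correct"] = cache.check("cschmoe", "Secret#2006")            # step 3
    clock[0] += 10                                                        # new session, inside TTL
    results["wrong_case_in_ttl"] = cache.check("cschmoe", "secret#2006")  # step 4
    clock[0] += ttl                                                       # past the entry's expiry
    results["wrong_case_after_ttl"] = cache.check("cschmoe", "secret#2006")  # step 5
    results["backend_calls"] = backend.calls
    return results


if __name__ == "__main__":
    print("case-folding cache:", run_scenario(case_folding_key))
    print("exact-key cache:   ", run_scenario(exact_key))
```

With the case-folding key the third check succeeds without touching the backend and the fourth fails only because the entry has expired, which is exactly the window Jeff's Cache Entry Time To Live setting shortens; with the exact-key cache the wrong-case attempt misses the cache and is refused by the directory at every step, at the cost of one extra backend call. The simulation keeps the cache in the same process as the checks, so it cannot reproduce the quoted observation that restarting asampsp or ndsd did not clear the condition; that detail points at the cache living in the core driver rather than in those processes.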