in DevOps

Whoops. Account lockouts baaaaaaad!

So I found one downside to using this AD/LDAP configuration. Ok, not really a downside, just a really big caveat. The account used for binding to the LDAP server can get locked out if it authenticates too many times with the wrong password. Discovered this yesterday when I inadvertently changed the password in my configuration while doing some other testing of search options. When things started mysteriously failing soon after, I thought I’d broken my search configuration.


So what did we learn? Be very careful with your bind password. Because of how often we’re binding to the domain controller (and because the bind user is subject to AD policies), it’d be very easy to completely disable your entire authentication environment if you mess this up. Wondering if there’s an alternative way for us to bind to the domain controller, such as using a public/private key instead. New things to investigate.

Travis Campbell
Staff Systems Engineer at ghostar
Travis Campbell is a seasoned Linux Systems Engineer with nearly two decades of experience, ranging from dozens to tens of thousands of systems in the semiconductor industry, higher education, and high volume sites on the web. His current focus is on High Performance Computing, Big Data environments, and large scale web architectures.