error in network service after one wrong login

davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: error in network service after one wrong login

Post by davidkillingsworth »

I am also getting this for users that are on our internal network while using Zimbra through the web GUI.

It happens only occasionally and for random users.
Here is the error:
external LDAP auth failed, LDAP error: - unable to ldap authenticate: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1;
Here is my zimbra config related to this.

Code:

zimbra@zimbra:~/log$ zmprov gacf |grep -i InvalidLoginFilter
zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating: 15
zimbraInvalidLoginFilterMaxFailedLogin: 10
zimbraInvalidLoginFilterMaxSizeOfFailedIpDb: 7000
zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin: 5

Code:

zimbra@zimbra:~/log$ zmprov gacf |grep -i zimbraHttpDosFilter
zimbraHttpDosFilterDelayMillis: -1
zimbraHttpDosFilterMaxRequestsPerSec: 30
What was the fix for this? I don't want to turn off the filtering, but I don't want internal valid users being blocked from logging in.

Thanks,
David
BruceW
Posts: 5
Joined: Tue Jan 09, 2018 6:27 pm

Re: error in network service after one wrong login

Post by BruceW »

I, too, experience this from time to time with an NE instance. Was there any solution? Did increasing the zimbraInvalidLoginFilterMaxFailedLogin work?
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: error in network service after one wrong login

Post by davidkillingsworth »

BruceW wrote: I, too, experience this from time to time with an NE instance. Was there any solution? Did increasing the zimbraInvalidLoginFilterMaxFailedLogin work?
I believe that you need to whitelist any IP addresses or networks that you don't want to be filtered.

To show the current whitelist:

Code:

zimbra@zimbra:~$ zmprov gcf zimbraHttpThrottleSafeIPs
To add IP addresses or networks in CIDR format:

Code:

zimbra@zimbra:~$ zmprov mcf zimbraHttpThrottleSafeIPs 223.232.129.201
zimbra@zimbra:~$ zmprov mcf zimbraHttpThrottleSafeIPs 201.58.38.113
zimbra@zimbra:~$ zmprov mcf zimbraHttpThrottleSafeIPs 172.33.5.0/24
See the wiki document on this here: https://wiki.zimbra.com/wiki/DoSFilter
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: error in network service after one wrong login

Post by maxxer »

davidkillingsworth wrote: To add IP addresses or networks in CIDR format:

Code:

zimbra@zimbra:~$ zmprov mcf zimbraHttpThrottleSafeIPs 223.232.129.201
zimbra@zimbra:~$ zmprov mcf zimbraHttpThrottleSafeIPs 201.58.38.113
zimbra@zimbra:~$ zmprov mcf zimbraHttpThrottleSafeIPs 172.33.5.0/24
This is not correct: IPs must be added with + (and it can be run with a single command). That is:

Code:

zimbra@zimbra:~$ zmprov mcf +zimbraHttpThrottleSafeIPs 223.232.129.201 \
+zimbraHttpThrottleSafeIPs 201.58.38.113 \
+zimbraHttpThrottleSafeIPs 172.33.5.0/24
EDIT: apologies, on older ZCS versions it's possible without +

https://wiki.zimbra.com/wiki/DoSFilter# ... 7_or_above
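
The single-command form with `+` discussed above, as an added example that is not part of any post in this thread: a shell helper that checks each entry is a well-formed IPv4 address or CIDR network and prints the `zmprov mcf` command for review instead of running it. The function names are hypothetical, and IPv4-only input is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical, IPv4-only is an assumption.

# Succeed if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots (input holds digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed if $1 is an IPv4 address or an IPv4 network in CIDR form (/0 to /32).
valid_entry() {
    case "$1" in
        */*)
            prefix=${1#*/}
            case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
            [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
            valid_ipv4 "${1%%/*}" ;;
        *)  valid_ipv4 "$1" ;;
    esac
}

# Print one "zmprov mcf" command that appends every entry with "+".
# Prints nothing on stdout and returns 1 if any entry is malformed.
build_safe_ips_cmd() {
    [ "$#" -gt 0 ] || { echo "no entries given" >&2; return 1; }
    cmd="zmprov mcf"
    for entry in "$@"; do
        if ! valid_entry "$entry"; then
            echo "rejected entry: $entry" >&2
            return 1
        fi
        cmd="$cmd +zimbraHttpThrottleSafeIPs $entry"
    done
    printf '%s\n' "$cmd"
}

# Addresses taken from the thread above.
build_safe_ips_cmd 223.232.129.201 201.58.38.113 172.33.5.0/24
```
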