RE: (ITS#3946) PPolicy Overlay - Problem with password reset
Howard,
You're right, I was returning the connections to the LdapPool without closing. Because I always bind a new user to the connection directly after retrieving a connection from the pool, the code seemed to work OK. Not sure what the negative ramifications are for not closing the connections, so I am going to make a change to my code to close the connection before returning it to the pool.
In any case, your latest change has fixed my problem. I very much appreciate you working w/ me on this. Your help has been invaluable to us. We are planning on using OpenLDAP w/ PPolicy overlay in our production Internet Banking servers. Certainly this episode of bug reporting/fixing has boosted our confidence in OpenLDAP and the PPolicy overlay.
Thanks again!!!
Shawn
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, August 18, 2005 12:10 AM
To: McKinney, Shawn
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3946) PPolicy Overlay - Problem with password reset
The original code reset the flag when receiving an Unbind request. The
previous patch resets the flag whenever a connection closes. From the
trace you provided, it appears that the connection in question never
actually gets an Unbind request, and never actually closes. I've
committed a new patch to reset the lockout flag whenever a Bind request
is received; this should resolve the issue. Please test rev 1.56.
McKinney, Shawn wrote:
>
> Log trace of failure, step #5 below. You can see how the rootdn binds
> to directory:
>
> *** begin 1st error trace ***
> bdb_bind: dn: cn=Manager,dc=fnfis,dc=com
> conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
> send_ldap_result: err=0
> *** end 1st error trace ***
>
> But somehow the userId that has the reset password gets swapped in for
> the operation the rootDn tries to perform:
>
> *** begin 2nd error trace ***
> conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1
> deref=0 filter="(objectClass=fwuserrole)"
> conn=1 op=4 SRCH attr=cn fwTimeout fwuserid fwBeginTime fwEndTime
> fwDayMask fwRoleDn fwbegindate fwenddate
> PPOLICY MODULE: In ppolicy_restrict
> send_ldap_result: err=50 matched="" text="Operations are restricted to
> bind/unbind/abandon/StartTLS/modify password"
> conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations
> are restricted to bind/unbind/abandon/StartTLS/modify password
> *** end 2nd error trace ***
>
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
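The failure mode Howard describes (a per-connection "password reset" restriction that was only cleared on Unbind or connection close, so a pooled connection rebound as the rootdn without an Unbind kept the previous user's restriction) can be modelled in a few lines. This is an added, constructed example and not OpenLDAP or ppolicy code; the DNs are taken from the trace above, and the bind/search/unbind functions and the "must change password" lookup are stand-ins for the overlay's real state handling.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not OpenLDAP's code) of ppolicy state kept per connection. */
#define LDAP_SUCCESS 0
#define LDAP_UNWILLING_TO_PERFORM 50   /* err=50 seen in the trace */

typedef struct {
    char bound_dn[128];
    bool pwd_restricted;   /* set when the bound user has a reset password */
} conn_t;

/* Constructed directory state: only bubba1 currently has pwdReset set. */
static bool user_must_change_password(const char *dn) {
    return strcmp(dn, "uid=bubba1,ou=People,dc=fnfis,dc=com") == 0;
}

/* Buggy model: the flag is set on Bind but only cleared by Unbind/close. */
static int bind_buggy(conn_t *c, const char *dn) {
    snprintf(c->bound_dn, sizeof c->bound_dn, "%s", dn);
    if (user_must_change_password(dn)) c->pwd_restricted = true;
    return LDAP_SUCCESS;
}

/* Fixed model, as described in the thread: every Bind starts from a clean flag. */
static int bind_fixed(conn_t *c, const char *dn) {
    c->pwd_restricted = false;
    snprintf(c->bound_dn, sizeof c->bound_dn, "%s", dn);
    if (user_must_change_password(dn)) c->pwd_restricted = true;
    return LDAP_SUCCESS;
}

/* Unbind clears all connection state, which is why closing before pooling hid the bug. */
static void unbind(conn_t *c) { memset(c, 0, sizeof *c); }

/* Any non-bind operation is refused while the restriction is in force. */
static int search(const conn_t *c) {
    return c->pwd_restricted ? LDAP_UNWILLING_TO_PERFORM : LDAP_SUCCESS;
}

/* Scenario from the report: pooled connection, bind bubba1, rebind as Manager
 * without an Unbind in between, then search as Manager. */
static int pooled_rebind_scenario(int (*bind_fn)(conn_t *, const char *)) {
    conn_t c;
    memset(&c, 0, sizeof c);
    bind_fn(&c, "uid=bubba1,ou=People,dc=fnfis,dc=com");
    bind_fn(&c, "cn=Manager,dc=fnfis,dc=com");
    return search(&c);
}
```

With the buggy bind the Manager's search still returns err=50; with the fixed bind it succeeds, and an explicit Unbind before the rebind masks the bug in both versions.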