|
I have a problem
with OpenLDAP 2.4.24 and ApacheDirectoryStudio 1.5.3.
I connect to OpenLDAP with a usual user account for who pwdReset is set to TRUE. And I have the following default password policy: dn: cn=default,ou=policies,dc=..... cn: default objectClass: top objectClass: person objectClass: pwdPolicy pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdExpireWarning: 0 pwdFailureCountInterval: 0 pwdGraceAuthNLimit: 0 pwdInHistory: 0 pwdMaxAge: 0 pwdMaxFailure: 0 pwdMinAge: 0 pwdMinLength: 8 pwdMustChange: TRUE pwdSafeModify: FALSE sn: policy When opening the connection, I see the following messages in the ApacheDirectoryStudio logs window: #!SEARCH RESULT DONE (95) ERROR #!CONNECTION ldap://rhvtq:389 #!DATE 2011-07-04T13:55:42.026 #!ERROR [LDAP: error code 50 - Operations are restricted to bind/unbind/abandon/StartTLS/modify password] # numEntries : 0 I can see the Root DSE entry and I can not browse the DIT, but I don't have any popup to explain me that the user account I use to connect must change his password. In the OpenLDAP access log, I see the following: SRCH base="" scope=0 deref=3 filter="(objectClass=*)" Jul 4 13:55:42 rhvtq slapd[19581]: conn=1075 op=1 SRCH attr=subschemaSubentry Jul 4 13:55:42 rhvtq slapd[19581]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= When testing against a Sun Directory Server 6 with the same data and the same password policy, I get a popup window on the client side, with the following error, when I try to see the root DSE entry : [LDAP: error code 53 - Password was reset and must be changed.] In the Sun DS access log, I have the following: SRCH base="" scope=0 filter="(objectClass=*)" attrs="subschemaSubentry" [04/Jul/2011:14:17:53 +0200] conn=51 op=1 msgId=2 - RESULT err=53 tag=101 nentries=0 etime=0, Password was reset and must be changed. Of course, in both cases, the access control rules are the same and allow access to the root DSE entry at least. Also, when testing against OpenLDAP with an ldapsearch client with the "-e ppolicy " option, I get the following result: ldap_bind: Success (0); Password must be changed Insufficient access (50) Additional information: Operations are restricted to bind/unbind/abandon/StartTLS/modify password Is there a way I can configure OpenLDAP or my data to get the same behaviour with ApacheDirectoryStudio ? That is, I'd like to be clearly notified the user password must be changed. Since I get a 50 error code, has something to be changed in the OpenLDAP access control rules ? If you think it's a client side problem, when using my own custom client applications, what request(s) must be sent to OpenLDAP ? |