
(ITS#3946) PPolicy Overlay - Problem with password reset



Full_Name: Shawn McKinney
Version: 2.3.5
OS: Redhat Enterprise 4 Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (65.70.26.183)


08-17-2005

Shawn McKinney
Fidelity Information Services

PPolicy Overlay Problem with password reset:

This issue occurs inside a Java program that I have written that uses OpenLDAP.
The program is a security provider that performs authentication, authorization
and administration of security objects in LDAP.

The issue causes connections inside of an OpenLDAP client to receive this error
when performing operations:

error result (50); Operations are restricted to
bind/unbind/abandon/StartTLS/modify password; Insufficient access

This error will occur even when the connected user is rootdn.

Steps to create problem:

1. password policy overlay is enabled
2. start client program - secClient
  - Client program is written in Java and uses the Netscape Java programming API
to perform LDAP operations.
3. Administrator resets the password of user "testUser".
  - secClient opens LDAP connections with rootdn creds
  - secClient modifies the userPassword attribute on user testUser
  - secClient modifies the pwdReset attribute, setting it to "TRUE"
  - secClient closes connection
4. User testUser changes password
  - secClient opens a connection on behalf of user testUser
  - secClient modifies testUser's userPassword attribute
  - secClient closes connection
5. secClient clears the pwdReset attribute for the user
  - secClient opens a connection on behalf of rootdn
  - secClient clears testUser's pwdReset attribute, setting it to "FALSE"
  - secClient closes the connection.
6. Any subsequent client connection to LDAP by any user, on any operation,
within the same running client process produces this error:
  error result (50); Operations are restricted to
bind/unbind/abandon/StartTLS/modify password; Insufficient access

Observations:
  
1. Through experimentation, it has been determined that stopping and starting
slapd will clear up this condition.

2. After some period of time (more than 10 minutes), this condition clears up
on its own and the original client program, secClient, can again perform LDAP
operations without problem.

3. While slapd is in the errant state, another client program may connect and
perform operations without receiving the above-specified error condition. But
the original client that first received the error cannot.
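To make the expected behaviour of steps 3 through 6 concrete, here is a small model of the pwdReset gate that the quoted error message refers to. This is an added example and not code from the report, from slapd or from the ppolicy overlay; the rootdn, the DN of testUser, the passwords and the directory contents are all constructed. The model makes two assumptions worth stating: rootdn is never subject to the restriction, and a user's own userPassword change removes pwdReset (the report's step 5 clears it explicitly as well, which the model also accepts). The restriction is evaluated against the bound entry on every request rather than cached on the connection, so a fresh bind or a cleared attribute takes effect immediately; that is the reference behaviour the report says did not happen.

```python
# Minimal model of the ppolicy pwdReset restriction (added example, NOT slapd
# or ppolicy code). All DNs, passwords and entries below are constructed.

SUCCESS = 0
INVALID_CREDENTIALS = 49
INSUFFICIENT_ACCESS = 50          # the "error result (50)" quoted in the report
RESTRICTED_MSG = ("Operations are restricted to "
                  "bind/unbind/abandon/StartTLS/modify password")

ROOT_DN = "cn=Manager,dc=example,dc=com"              # assumed rootdn
ROOT_PW = "secret"                                     # constructed
USER_DN = "cn=testUser,ou=People,dc=example,dc=com"    # assumed DN for testUser


class Connection:
    """One client connection; it holds nothing but the identity it is bound as."""
    def __init__(self, directory):
        self.directory = directory
        self.bound_dn = None

    def bind(self, dn, password):
        ok = self.directory.check_password(dn, password)
        self.bound_dn = dn if ok else None
        return SUCCESS if ok else INVALID_CREDENTIALS

    def unbind(self):
        self.bound_dn = None


class Directory:
    def __init__(self):
        self.entries = {USER_DN: {"userPassword": "initial"}}   # constructed

    def check_password(self, dn, password):
        if dn == ROOT_DN:
            return password == ROOT_PW
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def _gate(self, conn, target_dn, attr):
        """pwdReset check, read from the bound entry on every request.
        Assumption: rootdn bypasses it; anonymous requests are not modelled."""
        if conn.bound_dn is None or conn.bound_dn == ROOT_DN:
            return SUCCESS, ""
        if self.entries[conn.bound_dn].get("pwdReset") != "TRUE":
            return SUCCESS, ""
        # While flagged, only a password change on the user's own entry passes.
        if attr == "userPassword" and target_dn == conn.bound_dn:
            return SUCCESS, ""
        return INSUFFICIENT_ACCESS, RESTRICTED_MSG

    def search(self, conn, dn):
        code, msg = self._gate(conn, dn, None)
        if code != SUCCESS:
            return code, msg
        return SUCCESS, dict(self.entries.get(dn, {}))

    def modify(self, conn, dn, attr, value):
        code, msg = self._gate(conn, dn, attr)
        if code != SUCCESS:
            return code, msg
        entry = self.entries[dn]
        entry[attr] = value
        # Assumption: a user changing their own password ends the reset state.
        if attr == "userPassword" and conn.bound_dn == dn:
            entry.pop("pwdReset", None)
        return SUCCESS, ""


def walk_through_report():
    """Run steps 3-6 of the report; returns the result code of each operation."""
    d = Directory()
    codes = []

    # Step 3: administrator resets testUser's password and flags pwdReset.
    admin = Connection(d); admin.bind(ROOT_DN, ROOT_PW)
    codes.append(d.modify(admin, USER_DN, "userPassword", "temp-pass")[0])
    codes.append(d.modify(admin, USER_DN, "pwdReset", "TRUE")[0])
    admin.unbind()

    # testUser binds with the temporary password: a search is refused with 50...
    user = Connection(d); user.bind(USER_DN, "temp-pass")
    codes.append(d.search(user, USER_DN)[0])
    # Step 4: ...but the user's own password change goes through.
    codes.append(d.modify(user, USER_DN, "userPassword", "new-pass")[0])
    user.unbind()

    # Step 5: administrator clears pwdReset explicitly.
    admin = Connection(d); admin.bind(ROOT_DN, ROOT_PW)
    codes.append(d.modify(admin, USER_DN, "pwdReset", "FALSE")[0])
    admin.unbind()

    # Step 6: fresh connections as rootdn and as testUser must both succeed.
    admin = Connection(d); admin.bind(ROOT_DN, ROOT_PW)
    codes.append(d.search(admin, USER_DN)[0])
    admin.unbind()
    user = Connection(d); user.bind(USER_DN, "new-pass")
    codes.append(d.search(user, USER_DN)[0])
    user.unbind()
    return codes


if __name__ == "__main__":
    print(walk_through_report())
```

Running the walk-through yields one code per operation, with 50 only for the search testUser attempts while pwdReset is TRUE; everything after step 5 returns 0. The report's symptom is that the real server kept answering 50 to every operation on that client process after step 5, rootdn included, so the useful thing to compare against a fix is exactly this sequence.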