[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3946) PPolicy Overlay - Problem with password reset

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3946) PPolicy Overlay - Problem with password reset
From: hyc@symas.com
Date: Wed, 17 Aug 2005 14:49:35 GMT

A proposed fix is in CVS ppolicy.c rev 1.55, please test. Thanks.

shawn.mckinney@fnf.com wrote:
> Full_Name: Shawn McKinney
> Version: 2.3.5
> OS: Redhat Enterprise 4 Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (65.70.26.183)
>
>
> 08-17-2005
>
> Shawn McKinney
> Fidelity Information Services
>
> PPolicy Overlay Problem with password reset:
>
> This issue occurs inside a Java program that I have written that uses OpenLDAP. 
> The program is a security provider that
> performs authentication, authorization and administration of security objects in
> LDAP.
>
> The issue causes connections inside of an OpenLDAP client to receive this error
> when performing operations:
>
> error result (50); Operations are restricted to
> bind/unbind/abandon/StartTLS/modify password; Insufficient access
>
> This error will occur even when user connected is rootdn.
>
> Steps to create problem:
>
> 1. password policy overlay is enabled
> 2. start client program - secClient
>   - Client program is written in Java and uses Netscape Java Programming API to
> perform LDAP operations.
> 3. Administrator resets user "testUser" password.  
>   - secClient opens LDAP connections with rootdn creds
>   - secClient modifies userPassword attribute on user testUser
>   - secClient modifies pwdReset attribute, sets to "TRUE"
>   - secClient closes connection
> 4. User testUser changes password
>   - secClient opens connection on behalf of user testUser
>   - secClient modifies testUser userPassword attribute
>   - secClient closes connection
> 5. secClient clears pwdReset attribute for user
>   - secClient opens connection on behalf of rootdn
>   - secClient clears testUser pwdReset attribute, to a value of "FALSE"
>   - secClient closes connection.
> 6. Any subsequent client connection to LDAP by any user, on any operation
> creates this error:
>   error result (50); Operations are restricted to
> bind/unbind/abandon/StartTLS/modify password; Insufficient access
>   within the same running client process
>
> Observations:
>   
> 1. Through experimentation, it has been determined that stopping and starting
> slapd will clear up this condition.
>
> 2. After some period of time ( more than 10 minutes ), this condition clears up
> on it's own and the original client program, secClient,
> can again perform LDAP operations w/out problem.  
>
> 3. While slapd is in the errant state, another client program may connect and
> perform operations without receiving 
> the above specified error condition.  But the original client that 1st received
> the error cannot.
>
>
>   


-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

Prev by Date: (ITS#3946) PPolicy Overlay - Problem with password reset
Next by Date: Re: (ITS#3877) openldapACIValidate patch + legal issues
Index(es):
- Chronological
- Thread