
RE: (ITS#3946) PPolicy Overlay - Problem with password reset
Log trace of the failure at step #5 below. You can see how the rootdn binds to the directory:

*** begin 1st error trace ***
bdb_bind: dn: cn=Manager,dc=fnfis,dc=com
conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
send_ldap_result: err=0 
*** end 1st error trace ***

But somehow the userId that has the reset password gets swapped in for the operation the rootDn tries to perform:

*** begin 2nd error trace ***
conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1 deref=0 filter="(objectClass=fwuserrole)"
conn=1 op=4 SRCH attr=cn fwTimeout fwuserid fwBeginTime fwEndTime fwDayMask fwRoleDn fwbegindate fwenddate
PPOLICY MODULE:  In ppolicy_restrict
send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
*** end 2nd error trace ***


*** log of Step # 4:

PPOLICY MODULE:  In ppolicy_bind
==> bdb_bind: dn: cn=Manager,dc=fnfis,dc=com
conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
send_ldap_result: err=0 matched="" text=""
conn=1 op=3 RESULT tag=97 err=0 text=
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
ber_dump: buf=0x085235a0 ptr=0x085235a0 end=0x08523657 len=183
  0000:  02 01 0f 63 81 b1 04 24  75 69 64 3d 62 75 62 62   ...c...$uid=bubb
  0010:  61 31 2c 6f 75 3d 50 65  6f 70 6c 65 2c 64 63 3d   a1,ou=People,dc=
  0020:  66 6e 66 69 73 2c 64 63  3d 63 6f 6d 0a 01 01 0a   fnfis,dc=com....
  0030:  01 00 02 02 03 e8 02 01  00 01 01 00 a3 19 04 0b   ................
  0040:  6f 62 6a 65 63 74 63 6c  61 73 73 04 0a 66 77 75   objectclass..fwu
  0050:  73 65 72 72 6f 6c 65 30  5e 04 02 63 6e 04 09 66   serrole0^..cn..f
  0060:  77 54 69 6d 65 6f 75 74  04 08 66 77 75 73 65 72   wTimeout..fwuser
  0070:  69 64 04 0b 66 77 42 65  67 69 6e 54 69 6d 65 04   id..fwBeginTime.
  0080:  09 66 77 45 6e 64 54 69  6d 65 04 09 66 77 44 61   .fwEndTime..fwDa
  0090:  79 4d 61 73 6b 04 08 66  77 52 6f 6c 65 44 6e 04   yMask..fwRoleDn.
  00a0:  0b 66 77 62 65 67 69 6e  64 61 74 65 04 09 66 77   .fwbegindate..fw
  00b0:  65 6e 64 64 61 74 65                               enddate
daemon: select: listen=6 active_threads=1 tvp=zero
daemon: select: listen=7 active_threads=1 tvp=zero
ber_dump: buf=0x085235a0 ptr=0x085235a3 end=0x08523657 len=180
  0000:  63 81 b1 04 24 75 69 64  3d 62 75 62 62 61 31 2c   c...$uid=bubba1,
  0010:  6f 75 3d 50 65 6f 70 6c  65 2c 64 63 3d 66 6e 66   ou=People,dc=fnf
  0020:  69 73 2c 64 63 3d 63 6f  6d 0a 01 01 0a 01 00 02   is,dc=com.......
  0030:  02 03 e8 02 01 00 01 01  00 a3 19 04 0b 6f 62 6a   .............obj
  0040:  65 63 74 63 6c 61 73 73  04 0a 66 77 75 73 65 72   ectclass..fwuser
  0050:  72 6f 6c 65 30 5e 04 02  63 6e 04 09 66 77 54 69   role0^..cn..fwTi
  0060:  6d 65 6f 75 74 04 08 66  77 75 73 65 72 69 64 04   meout..fwuserid.
  0070:  0b 66 77 42 65 67 69 6e  54 69 6d 65 04 09 66 77   .fwBeginTime..fw
  0080:  45 6e 64 54 69 6d 65 04  09 66 77 44 61 79 4d 61   EndTime..fwDayMa
  0090:  73 6b 04 08 66 77 52 6f  6c 65 44 6e 04 0b 66 77   sk..fwRoleDn..fw
  00a0:  62 65 67 69 6e 64 61 74  65 04 09 66 77 65 6e 64   begindate..fwend
  00b0:  64 61 74 65                                        date
SRCH "uid=bubba1,ou=People,dc=fnfis,dc=com" 1 0    1000 0 0
ber_dump: buf=0x085235a0 ptr=0x085235dc end=0x08523657 len=123
  0000:  a3 19 04 0b 6f 62 6a 65  63 74 63 6c 61 73 73 04   ....objectclass.
  0010:  0a 66 77 75 73 65 72 72  6f 6c 65 30 5e 04 02 63   .fwuserrole0^..c
  0020:  6e 04 09 66 77 54 69 6d  65 6f 75 74 04 08 66 77   n..fwTimeout..fw
  0030:  75 73 65 72 69 64 04 0b  66 77 42 65 67 69 6e 54   userid..fwBeginT
  0040:  69 6d 65 04 09 66 77 45  6e 64 54 69 6d 65 04 09   ime..fwEndTime..
  0050:  66 77 44 61 79 4d 61 73  6b 04 08 66 77 52 6f 6c   fwDayMask..fwRol
  0060:  65 44 6e 04 0b 66 77 62  65 67 69 6e 64 61 74 65   eDn..fwbegindate
  0070:  04 09 66 77 65 6e 64 64  61 74 65                  ..fwenddate
    filter: (objectClass=fwuserrole)
ber_dump: buf=0x085235a0 ptr=0x085235f7 end=0x08523657 len=96
  0000:  00 5e 04 02 63 6e 04 09  66 77 54 69 6d 65 6f 75   .^..cn..fwTimeou
  0010:  74 04 08 66 77 75 73 65  72 69 64 04 0b 66 77 42   t..fwuserid..fwB
  0020:  65 67 69 6e 54 69 6d 65  04 09 66 77 45 6e 64 54   eginTime..fwEndT
  0030:  69 6d 65 04 09 66 77 44  61 79 4d 61 73 6b 04 08   ime..fwDayMask..
  0040:  66 77 52 6f 6c 65 44 6e  04 0b 66 77 62 65 67 69   fwRoleDn..fwbegi
  0050:  6e 64 61 74 65 04 09 66  77 65 6e 64 64 61 74 65   ndate..fwenddate
    attrs: cn fwTimeout fwuserid fwBeginTime fwEndTime fwDayMask fwRoleDn fwbegindate fwenddate
conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1 deref=0 filter="(objectClass=fwuserrole)"
conn=1 op=4 SRCH attr=cn fwTimeout fwuserid fwBeginTime fwEndTime fwDayMask fwRoleDn fwbegindate fwenddate
PPOLICY MODULE:  In ppolicy_restrict
send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
daemon: removing 11
conn=0 fd=11 closed
daemon: removing 14
conn=2 fd=14 closed
daemon: removing 15
conn=3 fd=15 closed
daemon: removing 16
conn=4 fd=16 closed
daemon: removing 17
conn=5 fd=17 closed
daemon: removing 18
conn=6 fd=18 closed
daemon: removing 19
conn=7 fd=19 closed
daemon: removing 20
conn=8 fd=20 closed
daemon: removing 21
conn=9 fd=21 closed
daemon: removing 22
conn=10 fd=22 closed
-----Original Message-----
From:	McKinney, Shawn
Sent:	Wed 8/17/2005 2:16 PM
To:	McKinney, Shawn; Howard Chu
Cc:	openldap-its@OpenLDAP.org
Subject:	RE: (ITS#3946) PPolicy Overlay - Problem with password reset
Just one more post, with a minor correction from previous:

Steps to create problem:

1. password policy overlay is enabled
2. start client program - secClient
  - Client program is written in Java and uses Netscape Java Programming API to perform LDAP operations.
3. Administrator resets user "testUser" password.  
  - secClient opens LDAP connections with rootdn creds
  - secClient modifies userPassword attribute on user testUser
  - secClient modifies pwdReset attribute, sets to "TRUE"
  - secClient closes connection
4. User "testUser" binds to directory
  - secClient opens connection, binds as testUser, closes connection
5. Any subsequent client connection to LDAP by any user, on any operation, within the same running client process, creates this error:
  error result (50); Operations are restricted to bind/unbind/abandon/StartTLS/modify password; Insufficient access

Observations:
  
1. Through experimentation, it has been determined that stopping and starting the client program will clear up this condition.

Speculation:

Even after the bug fix, stale data left from the restricted user in a previous LDAP connection is retained inside the LDAP connection. This data is retained even after the LDAP connection is closed, placed back into the LDAP pool, and opened by a different user in a subsequent operation.
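The symptom in the traces above (rootdn binds with err=0, then the very next operation on the same connection is rejected with the ppolicy err=50 text) can be picked out of a slapd log mechanically by tracking the bound DN per connection. The script below is an added example for readers of this thread; it is not OpenLDAP code and not the reporter's client. Its conn=1 lines are copied from the log trace of step #4 above; the conn=2 lines are a constructed control showing the legitimate case, in which the user whose password was reset is the one being restricted. The rootdn value passed as the exempt DN is the one from the report.

```python
"""Detect the ITS#3946 symptom in slapd logs: a ppolicy "Operations are
restricted ..." rejection (err=50) on a connection whose current bind is
the rootdn or anonymous, i.e. a principal that cannot itself be under a
pwdReset restriction.  Added example, not OpenLDAP code.  The conn=1 lines
in SAMPLE_LOG are copied from the report; conn=2 is a constructed control
showing the legitimate case (the reset user is restricted)."""
import re

# ppolicy's message exactly as it appears in the report's log
RESTRICTED_TEXT = ("Operations are restricted to "
                   "bind/unbind/abandon/StartTLS/modify password")

# re.search (not match) so a syslog prefix before "conn=" is tolerated.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=(\d+) err=(\d+)'
    r'(?: nentries=\d+)? text=(.*)$')

SAMPLE_LOG = """\
conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
conn=1 op=3 RESULT tag=97 err=0 text=
conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1 deref=0 filter="(objectClass=fwuserrole)"
conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
conn=2 op=0 BIND dn="uid=bubba1,ou=People,dc=fnfis,dc=com" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=People,dc=fnfis,dc=com" scope=2 deref=0 filter="(uid=bubba1)"
conn=2 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
"""


def find_restriction_anomalies(lines, exempt_dns):
    """Walk the log once, tracking the DN each connection is bound as, and
    return every restricted-operation rejection that lands on a connection
    bound as one of exempt_dns (e.g. the rootdn) or not bound at all.
    Returns a list of dicts with keys conn, op, bound_dn, text."""
    bound = {}         # conn -> DN of the last *successful* bind
    pending = {}       # conn -> (op, dn) of a BIND awaiting its RESULT line
    anomalies = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.group(1), int(m.group(2)), m.group(3)
            pending[conn] = (op, dn)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op = m.group(1), int(m.group(2))
        tag, err, text = int(m.group(3)), int(m.group(4)), m.group(5).strip()
        if tag == 97:                      # 0x61 = BindResponse
            pb = pending.pop(conn, None)
            if pb is not None and pb[0] == op:
                if err == 0:
                    bound[conn] = pb[1]
                else:
                    bound.pop(conn, None)  # failed bind leaves conn anonymous
            continue
        if err == 50 and text.startswith(RESTRICTED_TEXT):
            who = bound.get(conn)
            if who is None or who in exempt_dns:
                anomalies.append({"conn": conn, "op": op,
                                  "bound_dn": who, "text": text})
    return anomalies


def run_sample():
    """Apply the detector to the embedded log with the report's rootdn exempt."""
    return find_restriction_anomalies(SAMPLE_LOG.splitlines(),
                                      {"cn=Manager,dc=fnfis,dc=com"})


if __name__ == "__main__":
    for a in run_sample():
        print(f"conn={a['conn']} op={a['op']} bound as {a['bound_dn']!r} "
              f"but rejected: {a['text']}")
```

Run against the embedded log it reports only conn=1 op=4, the rootdn's search; conn=2, where uid=bubba1 is the bound user, is the behaviour ppolicy intends and is left alone. Feeding it a full slapd log (loglevel stats) rather than the excerpt gives the same per-connection correlation across the pooled connections the report describes.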