RE: (ITS#3946) PPolicy Overlay - Problem with password reset
Log trace of the failure, step #5 below. You can see how the rootdn binds to the directory:
*** begin 1st error trace ***
bdb_bind: dn: cn=Manager,dc=fnfis,dc=com
conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
send_ldap_result: err=0
*** end 1st error trace ***
But somehow the userId that has the reset password gets swapped in for the operation the rootDn tries to perform:
*** begin 2nd error trace ***
conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1 deref=0 filter="(objectClass=fwuserrole)"
conn=1 op=4 SRCH attr=cn fwTimeout fwuserid fwBeginTime fwEndTime fwDayMask fwRoleDn fwbegindate fwenddate
PPOLICY MODULE: In ppolicy_restrict
send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
*** end 2nd error trace ***
*** log of Step # 4:
PPOLICY MODULE: In ppolicy_bind
==> bdb_bind: dn: cn=Manager,dc=fnfis,dc=com
conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
send_ldap_result: err=0 matched="" text=""
conn=1 op=3 RESULT tag=97 err=0 text=
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
ber_dump: buf=0x085235a0 ptr=0x085235a0 end=0x08523657 len=183
0000: 02 01 0f 63 81 b1 04 24 75 69 64 3d 62 75 62 62 ...c...$uid=bubb
0010: 61 31 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d a1,ou=People,dc=
0020: 66 6e 66 69 73 2c 64 63 3d 63 6f 6d 0a 01 01 0a fnfis,dc=com....
0030: 01 00 02 02 03 e8 02 01 00 01 01 00 a3 19 04 0b ................
0040: 6f 62 6a 65 63 74 63 6c 61 73 73 04 0a 66 77 75 objectclass..fwu
0050: 73 65 72 72 6f 6c 65 30 5e 04 02 63 6e 04 09 66 serrole0^..cn..f
0060: 77 54 69 6d 65 6f 75 74 04 08 66 77 75 73 65 72 wTimeout..fwuser
0070: 69 64 04 0b 66 77 42 65 67 69 6e 54 69 6d 65 04 id..fwBeginTime.
0080: 09 66 77 45 6e 64 54 69 6d 65 04 09 66 77 44 61 .fwEndTime..fwDa
0090: 79 4d 61 73 6b 04 08 66 77 52 6f 6c 65 44 6e 04 yMask..fwRoleDn.
00a0: 0b 66 77 62 65 67 69 6e 64 61 74 65 04 09 66 77 .fwbegindate..fw
00b0: 65 6e 64 64 61 74 65 enddate
daemon: select: listen=6 active_threads=1 tvp=zero
daemon: select: listen=7 active_threads=1 tvp=zero
ber_dump: buf=0x085235a0 ptr=0x085235a3 end=0x08523657 len=180
0000: 63 81 b1 04 24 75 69 64 3d 62 75 62 62 61 31 2c c...$uid=bubba1,
0010: 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 66 6e 66 ou=People,dc=fnf
0020: 69 73 2c 64 63 3d 63 6f 6d 0a 01 01 0a 01 00 02 is,dc=com.......
0030: 02 03 e8 02 01 00 01 01 00 a3 19 04 0b 6f 62 6a .............obj
0040: 65 63 74 63 6c 61 73 73 04 0a 66 77 75 73 65 72 ectclass..fwuser
0050: 72 6f 6c 65 30 5e 04 02 63 6e 04 09 66 77 54 69 role0^..cn..fwTi
0060: 6d 65 6f 75 74 04 08 66 77 75 73 65 72 69 64 04 meout..fwuserid.
0070: 0b 66 77 42 65 67 69 6e 54 69 6d 65 04 09 66 77 .fwBeginTime..fw
0080: 45 6e 64 54 69 6d 65 04 09 66 77 44 61 79 4d 61 EndTime..fwDayMa
0090: 73 6b 04 08 66 77 52 6f 6c 65 44 6e 04 0b 66 77 sk..fwRoleDn..fw
00a0: 62 65 67 69 6e 64 61 74 65 04 09 66 77 65 6e 64 begindate..fwend
00b0: 64 61 74 65 date
SRCH "uid=bubba1,ou=People,dc=fnfis,dc=com" 1 0 1000 0 0
ber_dump: buf=0x085235a0 ptr=0x085235dc end=0x08523657 len=123
0000: a3 19 04 0b 6f 62 6a 65 63 74 63 6c 61 73 73 04 ....objectclass.
0010: 0a 66 77 75 73 65 72 72 6f 6c 65 30 5e 04 02 63 .fwuserrole0^..c
0020: 6e 04 09 66 77 54 69 6d 65 6f 75 74 04 08 66 77 n..fwTimeout..fw
0030: 75 73 65 72 69 64 04 0b 66 77 42 65 67 69 6e 54 userid..fwBeginT
0040: 69 6d 65 04 09 66 77 45 6e 64 54 69 6d 65 04 09 ime..fwEndTime..
0050: 66 77 44 61 79 4d 61 73 6b 04 08 66 77 52 6f 6c fwDayMask..fwRol
0060: 65 44 6e 04 0b 66 77 62 65 67 69 6e 64 61 74 65 eDn..fwbegindate
0070: 04 09 66 77 65 6e 64 64 61 74 65 ..fwenddate
filter: (objectClass=fwuserrole)
ber_dump: buf=0x085235a0 ptr=0x085235f7 end=0x08523657 len=96
0000: 00 5e 04 02 63 6e 04 09 66 77 54 69 6d 65 6f 75 .^..cn..fwTimeou
0010: 74 04 08 66 77 75 73 65 72 69 64 04 0b 66 77 42 t..fwuserid..fwB
0020: 65 67 69 6e 54 69 6d 65 04 09 66 77 45 6e 64 54 eginTime..fwEndT
0030: 69 6d 65 04 09 66 77 44 61 79 4d 61 73 6b 04 08 ime..fwDayMask..
0040: 66 77 52 6f 6c 65 44 6e 04 0b 66 77 62 65 67 69 fwRoleDn..fwbegi
0050: 6e 64 61 74 65 04 09 66 77 65 6e 64 64 61 74 65 ndate..fwenddate
attrs: cn fwTimeout fwuserid fwBeginTime fwEndTime fwDayMask fwRoleDn fwbegindate fwenddate
conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1 deref=0 filter="(objectClass=fwuserrole)"
conn=1 op=4 SRCH attr=cn fwTimeout fwuserid fwBeginTime fwEndTime fwDayMask fwRoleDn fwbegindate fwenddate
PPOLICY MODULE: In ppolicy_restrict
send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
daemon: removing 11
conn=0 fd=11 closed
daemon: removing 14
conn=2 fd=14 closed
daemon: removing 15
conn=3 fd=15 closed
daemon: removing 16
conn=4 fd=16 closed
daemon: removing 17
conn=5 fd=17 closed
daemon: removing 18
conn=6 fd=18 closed
daemon: removing 19
conn=7 fd=19 closed
daemon: removing 20
conn=8 fd=20 closed
daemon: removing 21
conn=9 fd=21 closed
daemon: removing 22
conn=10 fd=22 closed
-----Original Message-----
From: McKinney, Shawn
Sent: Wed 8/17/2005 2:16 PM
To: McKinney, Shawn; Howard Chu
Cc: openldap-its@OpenLDAP.org
Subject: RE: (ITS#3946) PPolicy Overlay - Problem with password reset
Just one more post, with a minor correction from the previous one:
Steps to create problem:
1. password policy overlay is enabled
2. start client program - secClient
- Client program is written in Java and uses Netscape Java Programming API to perform LDAP operations.
3. Administrator resets user "testUser" password.
- secClient opens LDAP connections with rootdn creds
- secClient modifies userPassword attribute on user testUser
- secClient modifies pwdReset attribute, sets to "TRUE"
- secClient closes connection
4. User "testUser" binds to directory
- secClient opens connection, binds as testUser, closes connection
5. Any subsequent client connection to LDAP by any user, on any operation, within the same running client process, produces this error:
error result (50); Operations are restricted to bind/unbind/abandon/StartTLS/modify password; Insufficient access
Observations:
1. Through experimentation, it has been determined that stopping and starting the client program will clear up this condition.
Speculation:
Even after the bug fix, stale data left over from the restricted user in a previous LDAP connection is retained inside the LDAP connection. This data is retained even after the LDAP connection is closed, placed back into the LDAP pool, and opened by a different user in a subsequent operation.
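The failure in the trace above (conn=1 binds as cn=Manager at op=3, then op=4 is rejected with err=50 by ppolicy_restrict) is easy to miss in a busy slapd log. The script below, an added example that is not part of this ITS report or of OpenLDAP, correlates slapd stats-level log lines per connection: it tracks which DN was last successfully bound on each conn, and reports every "Operations are restricted" result together with that identity. A restriction firing on a connection whose current bind is the rootdn (or anonymous) is the anomaly the report describes; the same error on a connection bound as the user whose pwdReset is TRUE is the expected ppolicy behaviour after steps 3 and 4. The sample log is constructed from the lines in the trace plus one made-up connection (conn=2) that shows the expected case; the rootdn value is the one from the trace and is passed in as a parameter.

```python
"""Correlate slapd 'conn=/op=' log lines with the ppolicy restriction error.

Added example, not code from ITS#3946 or from OpenLDAP. Input is slapd output
at the stats loglevel (256). Per connection we track the DN that last bound
successfully, then report each err=50 'Operations are restricted ...' result
with the identity bound at that moment.
"""
import re
from dataclasses import dataclass, field

RESTRICT_PREFIX = "Operations are restricted"

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
BIND_ANON_RE = re.compile(r'conn=(\d+) op=(\d+) BIND anonymous')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=(\d+) err=(\d+)(?: nentries=\d+)? text=(.*)$')
UNBIND_RE = re.compile(r'conn=(\d+) op=(\d+) UNBIND')
CLOSED_RE = re.compile(r'conn=(\d+) fd=\d+ closed')


@dataclass
class Finding:
    conn: int
    op: int
    bound_dn: str   # DN bound on the connection when the restriction fired ("" = anonymous)
    target: str     # base DN of the rejected search, if the operation was a search
    anomalous: bool  # True when the bound identity cannot itself carry pwdReset=TRUE


@dataclass
class ConnState:
    bound_dn: str = ""                                  # "" = anonymous
    pending_bind: dict = field(default_factory=dict)    # op -> DN awaiting its RESULT
    targets: dict = field(default_factory=dict)         # op -> search base


def analyze(lines, rootdn):
    """Return a list of Finding, one per err=50 ppolicy restriction result."""
    conns = {}
    findings = []
    rootdn_norm = rootdn.lower()
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conns.setdefault(int(m[1]), ConnState()).pending_bind[int(m[2])] = m[3]
            continue
        m = BIND_ANON_RE.search(line)
        if m:
            conns.setdefault(int(m[1]), ConnState()).pending_bind[int(m[2])] = ""
            continue
        m = SRCH_RE.search(line)
        if m:
            conns.setdefault(int(m[1]), ConnState()).targets[int(m[2])] = m[3]
            continue
        m = RESULT_RE.search(line)
        if m:
            c, op, tag, err, text = int(m[1]), int(m[2]), int(m[3]), int(m[4]), m[5]
            st = conns.setdefault(c, ConnState())
            if tag == 97 and op in st.pending_bind:      # tag 97 = BindResponse
                dn = st.pending_bind.pop(op)
                # RFC 4511 4.2.1: a failed Bind leaves the association anonymous.
                st.bound_dn = dn if err == 0 else ""
                continue
            if err == 50 and text.startswith(RESTRICT_PREFIX):
                bound = st.bound_dn
                anomalous = bound == "" or bound.lower() == rootdn_norm
                findings.append(Finding(c, op, bound, st.targets.get(op, ""), anomalous))
            continue
        m = UNBIND_RE.search(line) or CLOSED_RE.search(line)
        if m:
            conns.pop(int(m[1]), None)   # unbind/close discards all per-connection state
    return findings


# Constructed sample: conn=1 is taken from the trace in this report; conn=2 is
# made up to show the expected case (the pwdReset user itself being restricted).
SAMPLE_LOG = """\
conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
conn=1 op=3 RESULT tag=97 err=0 text=
conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1 deref=0 filter="(objectClass=fwuserrole)"
conn=1 op=4 SRCH attr=cn fwTimeout fwuserid fwBeginTime fwEndTime fwDayMask fwRoleDn fwbegindate fwenddate
conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
conn=2 op=0 BIND dn="uid=bubba1,ou=People,dc=fnfis,dc=com" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=People,dc=fnfis,dc=com" scope=2 deref=0 filter="(uid=bubba1)"
conn=2 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
conn=2 op=2 UNBIND
conn=2 fd=14 closed
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines(), "cn=Manager,dc=fnfis,dc=com"):
        flag = "ANOMALY" if f.anomalous else "expected"
        print(f"conn={f.conn} op={f.op} bound={f.bound_dn or '<anonymous>'} "
              f"target={f.target or '-'} [{flag}]")
```

Run it against a real slapd log with `loglevel stats` (256) and the rootdn from slapd.conf: every line flagged ANOMALY is an operation the server rejected under the pwdReset restriction even though the connection's last successful bind was the rootdn, which is exactly the condition the steps above reproduce.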