Re: (ITS#3946) PPolicy Overlay - Problem with password reset

[hyc@symas.com]

The original code reset the flag when receiving an Unbind request. The 
previous patch resets the flag whenever a connection closes. From the 
trace you provided, it appears that the connection in question never 
actually gets an Unbind request, and never actually closes. I've 
committed a new patch to reset the lockout flag whenever a Bind request 
is received; this should resolve the issue. Please test rev 1.56.

McKinney, Shawn wrote:
>
> Log trace of failure, step #5 below.  You can see how the rootdn binds 
> to directory:
>
> *** begin 1st error trace ***
> bdb_bind: dn: cn=Manager,dc=fnfis,dc=com
> conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
> send_ldap_result: err=0
> *** end 1st error trace ***
>
> But somehow the userId that has the reset password gets swapped in for 
> the operation the rootDn trys to perform:
>
> *** begin 2nd error trace ***
> conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1 
> deref=0 filter="(objectClass=fwuserrole)"
> conn=1 op=4 SRCH attr=cn fwTimeout fwuserid fwBeginTime fwEndTime 
> fwDayMask fwRoleDn fwbegindate fwenddate
> PPOLICY MODULE:  In ppolicy_restrict
> send_ldap_result: err=50 matched="" text="Operations are restricted to 
> bind/unbind/abandon/StartTLS/modify password"
> conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations 
> are restricted to bind/unbind/abandon/StartTLS/modify password
> *** begin 2nd error trace ***
>
-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/