
RE: (ITS#3946) PPolicy Overlay - Problem with password reset


You're right, I was returning the connections to the LdapPool w/out closing.  Because I always bind a new user to the connection directly after retrieving a connection from the pool, the code seemed to work OK.  Not sure what the negative ramifications are for not closing the connections, so I am going to make a change to my code to close the connection before returning it to the pool.

In any case, your latest change has fixed my problem.  I very much appreciate you working w/ me on this.  Your help has been invaluable to us.  We are planning on using OpenLDAP w/ PPolicy overlay in our production Internet Banking servers.  Certainly this episode of bug reporting/fixing has boosted our confidence in OpenLDAP and the PPolicy overlay.

Thanks again!!!


-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, August 18, 2005 12:10 AM
To: McKinney, Shawn
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3946) PPolicy Overlay - Problem with password reset

The original code reset the flag when receiving an Unbind request. The 
previous patch resets the flag whenever a connection closes. From the 
trace you provided, it appears that the connection in question never 
actually gets an Unbind request, and never actually closes. I've 
committed a new patch to reset the lockout flag whenever a Bind request 
is received; this should resolve the issue. Please test rev 1.56.

McKinney, Shawn wrote:
> Log trace of failure, step #5 below.  You can see how the rootdn binds 
> to directory:
> *** begin 1st error trace ***
> bdb_bind: dn: cn=Manager,dc=fnfis,dc=com
> conn=1 op=3 BIND dn="cn=Manager,dc=fnfis,dc=com" mech=SIMPLE ssf=0
> send_ldap_result: err=0
> *** end 1st error trace ***
> But somehow the userId that has the reset password gets swapped in for 
> the operation the rootDn tries to perform:
> *** begin 2nd error trace ***
> conn=1 op=4 SRCH base="uid=bubba1,ou=People,dc=fnfis,dc=com" scope=1 
> deref=0 filter="(objectClass=fwuserrole)"
> conn=1 op=4 SRCH attr=cn fwTimeout fwuserid fwBeginTime fwEndTime 
> fwDayMask fwRoleDn fwbegindate fwenddate
> PPOLICY MODULE:  In ppolicy_restrict
> send_ldap_result: err=50 matched="" text="Operations are restricted to 
> bind/unbind/abandon/StartTLS/modify password"
> conn=1 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations 
> are restricted to bind/unbind/abandon/StartTLS/modify password
> *** end 2nd error trace ***
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
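As an added illustration (not OpenLDAP code, and not from either poster) of the reset-on-Bind change Howard describes and of why a pooled connection that is re-bound without an Unbind hits it: the model below assumes the ppolicy restriction flag is per connection and replays the trace's bind sequence under each of the three reset strategies named in the thread.

```python
# Added illustration for ITS#3946, not OpenLDAP's own code. The state machine is an
# assumption modelled on Howard's description: the per-connection ppolicy "password
# reset" restriction flag is cleared on Unbind (original), on connection close
# (previous patch) or on every Bind (rev 1.56). DNs come from the thread's trace.
from dataclasses import dataclass
from enum import Enum

RESTRICTED = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password"

class Reset(Enum):
    ON_UNBIND = "unbind"  # original behaviour
    ON_CLOSE = "close"    # previous patch
    ON_BIND = "bind"      # rev 1.56

@dataclass
class Conn:
    policy: Reset
    bound_dn: str = ""
    must_change: bool = False  # set when the bound entry has pwdReset: TRUE
    closed: bool = False

    def bind(self, dn: str, pwd_reset: bool) -> int:
        if self.policy is Reset.ON_BIND:
            self.must_change = False   # new identity, forget the old restriction
        self.bound_dn = dn
        if pwd_reset:
            self.must_change = True    # ppolicy restricts this session
        return 0                       # err=0, as in the 1st trace

    def unbind(self) -> None:
        if self.policy is Reset.ON_UNBIND:
            self.must_change = False
        self.close()                   # an Unbind always closes the connection

    def close(self) -> None:
        if self.policy is Reset.ON_CLOSE:
            self.must_change = False
        self.closed = True

    def search(self) -> tuple:
        # ppolicy_restrict: err=50 (unwillingToPerform) while the flag is set
        return (50, RESTRICTED) if self.must_change else (0, "")

def pooled_scenario(policy: Reset) -> int:
    """The pool case: bind as the reset user, then re-bind the rootdn on the
    same connection with no Unbind and no close in between (2nd trace)."""
    c = Conn(policy)
    c.bind("uid=bubba1,ou=People,dc=fnfis,dc=com", pwd_reset=True)
    c.bind("cn=Manager,dc=fnfis,dc=com", pwd_reset=False)
    return c.search()[0]   # 50 under ON_UNBIND/ON_CLOSE, 0 under ON_BIND
```

Closing the connection before returning it to the pool (as the first message proposes) makes the rootdn start on a fresh connection, so the flag is never inherited regardless of strategy.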