
Re: (ITS#4063) PPolicy Overlay Problem where slapd bind wrongly expires user password ( before pwdMaxAge time elapses)



Only reports referring to HEAD or to the latest release are considered. 
Please re-test with 2.3.7 (better with CVS code tagged
OPENLDAP_REL_ENG_2_3, since it's been heavily updated in view of the next
release).

p.

> Full_Name: Shawn McKinney
> Version: 2.3.5
> OS: Redhat Enterprise 4 Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (166.102.160.132)
>
>
> 10-04-2005
>
> Shawn McKinney
> Fidelity Information Services
> 501-220-8788
>
> PPolicy Overlay Problem where slapd bind wrongly expires user password (
> before
> pwdMaxAge time elapses)
>
> This issue occurs inside of Java client program.
>
> OpenLDAP version: 2.3.5
> PPolicy module version: 1.66
> O/S: RHE4
>
> The issue causes binds with slapd client to wrongly expire password.  The
> slapd
> log displays:
>
> conn=1 op=2 BIND dn="cn=6388322161387061686,ou=People,dc=fnfis,dc=com"
> method=128
> => bdb_entry_get: ndn: "cn=6388322161387061686,ou=people,dc=fnfis,dc=com"
> => bdb_entry_get: oc: "(null)", at: "(null)"
> => bdb_entry_get: found entry:
> "cn=6388322161387061686,ou=people,dc=fnfis,dc=com"
> => bdb_entry_get: ndn: "cn=xespasswordpolicy,ou=policies,dc=fnfis,dc=com"
> => bdb_entry_get: oc: "(null)", at: "(null)"
> => bdb_entry_get: found entry:
> "cn=xespasswordpolicy,ou=policies,dc=fnfis,dc=com"
> ==> bdb_bind: dn: cn=6388322161387061686,ou=People,dc=fnfis,dc=com
> => access_allowed: auth access to
> "cn=6388322161387061686,ou=People,dc=fnfis,dc=com" "userPassword"
> requested
> => acl_get: [1] attr userPassword
> access_allowed: no res from state (userPassword)
> => acl_mask: access to entry
> "cn=6388322161387061686,ou=People,dc=fnfis,dc=com",
> attr "userPassword" requested
> => acl_mask: to value by "", (=0)
> <= check a_dn_pat: self
> <= check a_dn_pat: *
> <= acl_mask: [2] applying auth(=xd) (stop)
> <= acl_mask: [2] mask: auth(=xd)
> => access_allowed: auth access granted by auth(=xd)
> conn=1 op=2 BIND dn="cn=6388322161387061686,ou=People,dc=fnfis,dc=com"
> mech=SIMPLE ssf=0
> send_ldap_result: err=0 matched="" text=""
> => bdb_entry_get: ndn: "cn=6388322161387061686,ou=people,dc=fnfis,dc=com"
> => bdb_entry_get: oc: "(null)", at: "(null)"
> => bdb_entry_get: found entry:
> "cn=6388322161387061686,ou=people,dc=fnfis,dc=com"
> ppolicy_bind: Entry cn=6388322161387061686,ou=People,dc=fnfis,dc=com does
> not
> have valid pwdChangedTime attribute - assuming password expired
> ppolicy_bind: Entry cn=6388322161387061686,ou=People,dc=fnfis,dc=com has
> an
> expired password: 5 grace logins
>
> The PPolicy in effect:
>
> POLICY OBJECT (cn=xespasswordpolicy,ou=policies,dc=fnfis,dc=com):
>         name    <policy>
>         pwdCheckQuality=2
>         pwdMaxAge=8640000
>         pwdMinAge=0
>         pwdMinLength=5
>         pwdFailureCountInterval=120
>         pwdMaxFailure=3
>         pwdMustChange=TRUE
>         pwdSafeModify=FALSE
>         pwdInHistory=5
>         pwdGraceAuthNLimit=5
>         pwdLockoutDuration=120
>         pwdAllowUserChange=TRUE
>         pwdExpireWarning=8640000
>         pwdLockout=TRUE
>
>
> My user with the wrongly expired password has the following values for
> operational attributes:
>
> USER OPERATIONAL ATTRIBUTES:
>  userId <6388322161387061686>:
>         name    <6388322161387061686>
>         description    <JUnit Test User 0>
>         orgUnitId    <OrgUnitTree>
>         createTimestamp    <20051004140641Z>
>         modifyTimestamp    <20051004140641Z>
>         creatorsName    <cn=Manager,dc=fnfis,dc=com>
>         modifiersName    <cn=Manager,dc=fnfis,dc=com>
>         subschemaSubentry    <cn=Subschema>
>         pwdPolicySubentry    <null>
>         pwdChangedTime    <null>
>         pwdAccountLockedTime    <null>
>         pwdExpirationWarned    <null>
>         pwdFailureTime    <null>
>         pwdGraceUseTime    <20051004140834Z>
>         pwdReset    <null>
>
>
> Steps to create problem:
>
> 1. password policy overlay is enabled
> 2. Create password policy object in LDAP
> 3. enable directory PPolicy default DN to password policy created in step 2
> 4. add user to LDAP
> 5. Bind user to slapd
>
> Hypothesis: The PPolicy overlay module wrongly determines a null pwdReset
> flag
> implies expired password.
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
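The slapd log quoted in the report shows the decision path that produces the "wrongly expired" password: ppolicy_bind finds no pwdChangedTime on the entry and, because pwdMaxAge is non-zero, assumes the password has already expired, then falls back to grace logins. The following script is an added example written for this thread, not OpenLDAP's own code: it models that decision in Python over the policy and operational-attribute values copied from the report, and includes an audit helper that lists entries which would hit the same branch. The function names, the dict layout and the grace-login arithmetic are assumptions of this model, not the overlay's API.

```python
"""Model the ppolicy overlay's password-expiry decision (as implied by the
slapd log in ITS#4063) and audit entries that would be assumed expired.

Added example for this thread; not OpenLDAP code. Function names and the
dict layout are assumptions of this model.
"""
from datetime import datetime, timezone

# Policy values copied from the report (constructed dict; not read from LDAP).
POLICY = {
    "pwdMaxAge": 8640000,        # seconds (100 days); 0 would disable ageing
    "pwdGraceAuthNLimit": 5,     # binds still allowed after expiry
}

# Operational attributes of the affected user as the report shows them.
# None stands for the <null> values in the dump; the rest are GeneralizedTime.
REPORTED_USER = {
    "dn": "cn=6388322161387061686,ou=People,dc=fnfis,dc=com",
    "createTimestamp": "20051004140641Z",
    "pwdChangedTime": None,
    "pwdGraceUseTime": ["20051004140834Z"],
}


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime such as 20051004140641Z (UTC, no fraction)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate_bind(policy, user, now):
    """Decide whether a simple bind by `user` at time `now` sees an expired
    password, following the branches the report's slapd log exposes.

    Returns a dict with: expired, reason, seconds_to_expiry (None once
    expired), grace_used, grace_left (None while not expired), bind_allowed.
    """
    max_age = policy.get("pwdMaxAge", 0)
    grace_limit = policy.get("pwdGraceAuthNLimit", 0)
    changed = user.get("pwdChangedTime")
    grace_used = len(user.get("pwdGraceUseTime") or [])

    result = {"expired": False, "reason": "", "seconds_to_expiry": None,
              "grace_used": grace_used, "grace_left": None, "bind_allowed": True}

    if max_age <= 0:
        result["reason"] = "pwdMaxAge is 0: passwords never age out"
        return result

    if changed is None:
        # The branch the report's log hits: with no pwdChangedTime the overlay
        # assumes the password has already expired.
        result["expired"] = True
        result["reason"] = "no pwdChangedTime attribute; assumed expired"
    else:
        age = (now - parse_gentime(changed)).total_seconds()
        if age >= max_age:
            result["expired"] = True
            result["reason"] = "password older than pwdMaxAge"
        else:
            result["seconds_to_expiry"] = int(max_age - age)
            return result

    # Expired: the bind only succeeds while grace logins remain (model assumption:
    # grace_left = limit minus pwdGraceUseTime values already recorded).
    result["grace_left"] = max(grace_limit - grace_used, 0)
    result["bind_allowed"] = result["grace_left"] > 0
    return result


def users_without_changed_time(entries):
    """Audit helper: DNs of entries that would trip the 'assumed expired' branch."""
    return [e["dn"] for e in entries if e.get("pwdChangedTime") is None]


if __name__ == "__main__":
    # Evaluate the reported user at the moment of the grace login in the dump.
    bind_time = parse_gentime("20051004140834Z")
    for key, val in evaluate_bind(POLICY, REPORTED_USER, bind_time).items():
        print(f"{key:>18}: {val}")
    print("entries missing pwdChangedTime:",
          users_without_changed_time([REPORTED_USER]))
```

Run against the report's values, the model reproduces the logged outcome: the password is reported expired for lack of pwdChangedTime and the bind goes through on a grace login. Giving the same entry a pwdChangedTime equal to its createTimestamp makes the model compute roughly 100 days to expiry instead, which is the check an administrator would run over a directory export to find accounts that will be assumed expired on their next bind.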