(ITS#7787) Authentication success if password is expired and password must be changed
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#7787) Authentication success if password is expired and password must be changed
- From: coudot@linagora.com
- Date: Thu, 16 Jan 2014 13:51:38 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Clement OUDOT
Version: 2.4.38
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (83.145.72.122)
Here is the situation: a user account is
1/ expired (the password age is more than the one configured in pwdMaxAge)
2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy configuration
object is TRUE)
In this case, when doing a BIND, the result code is 0:
$ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
ldap_bind: Success (0); Password must be changed (Password expires in 0
seconds)
dn: uid=coudot,ou=users,dc=example,dc=com
If I remove pwdReset attribute, then:
$ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
ldap_bind: Invalid Credentials (49); Password expired
According to the password policy draft, the password-must-change flag should not
affect the BIND result code.
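The following is an added illustration, written for this archive page and not taken from OpenLDAP's slapo-ppolicy source. It models, in a few lines of Python, the order in which the checks described in the report should be applied to a BIND according to draft-behera-ldap-password-policy: password expiry (pwdChangedTime + pwdMaxAge) is decided first and yields invalidCredentials (49) with the control error passwordExpired, and only for a password that is still valid does the pwdReset/pwdMustChange combination turn into a successful bind carrying changeAfterReset. The Policy, Account and BindOutcome classes, the evaluate_bind() function and the sample pwdChangedTime values are all assumptions made for this example; grace authentications, lockout and pwdMinAge are deliberately left out.

```python
"""Simplified model of the password-policy checks applied to an LDAP BIND.

Example code written for this page; it is NOT OpenLDAP's ppolicy overlay and
implements only the expiry, expiry-warning and reset-after-change rules of
draft-behera-ldap-password-policy. Grace logins, lockout and pwdMinAge are
omitted on purpose.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

# "error" values of the password policy response control (names from the draft)
PASSWORD_EXPIRED = "passwordExpired"
CHANGE_AFTER_RESET = "changeAfterReset"


@dataclass
class Policy:
    """Subset of a pwdPolicy entry (class name is an assumption of this example)."""
    pwd_max_age: int              # seconds; 0 means passwords never expire
    pwd_must_change: bool         # force a change after an administrative reset
    pwd_expire_warning: int = 0   # seconds before expiry at which a warning is sent


@dataclass
class Account:
    """Operational attributes of the binding user (assumed class for this example)."""
    pwd_changed_time: Optional[str]   # LDAP GeneralizedTime, e.g. "20140101120000Z"
    pwd_reset: bool                   # pwdReset attribute


@dataclass
class BindOutcome:
    result_code: int                          # LDAP resultCode of the BIND response
    error: Optional[str]                      # ppolicy control "error", if any
    time_before_expiration: Optional[int]     # ppolicy control "warning", if any


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form that slapd stores in pwdChangedTime."""
    if len(value) < 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def evaluate_bind(policy: Policy, account: Account, now: datetime) -> BindOutcome:
    """Decide the BIND result for a user whose password was verified as correct."""
    remaining = None
    if policy.pwd_max_age > 0 and account.pwd_changed_time is not None:
        expires_at = (parse_generalized_time(account.pwd_changed_time)
                      + timedelta(seconds=policy.pwd_max_age))
        remaining = int((expires_at - now).total_seconds())
        if remaining <= 0:
            # Expiry is decided first: an expired password is rejected outright,
            # whatever pwdReset says. This is the ordering the report argues for.
            return BindOutcome(LDAP_INVALID_CREDENTIALS, PASSWORD_EXPIRED, None)

    warning = None
    if remaining is not None and policy.pwd_expire_warning and remaining <= policy.pwd_expire_warning:
        warning = remaining   # "Password expires in N seconds"

    if account.pwd_reset and policy.pwd_must_change:
        # The bind itself succeeds; the client is told it must change the password.
        return BindOutcome(LDAP_SUCCESS, CHANGE_AFTER_RESET, warning)

    return BindOutcome(LDAP_SUCCESS, None, warning)


if __name__ == "__main__":
    # Constructed scenario mirroring the report: 1-day max age, must-change on reset.
    now = datetime(2014, 1, 16, 13, 51, 38, tzinfo=timezone.utc)
    policy = Policy(pwd_max_age=86400, pwd_must_change=True, pwd_expire_warning=3600)
    for label, account in [
        ("expired + pwdReset", Account("20140101120000Z", True)),
        ("expired, no pwdReset", Account("20140101120000Z", False)),
        ("valid + pwdReset", Account("20140116120000Z", True)),
        ("about to expire", Account("20140115140000Z", False)),
    ]:
        print(f"{label:22s} -> {evaluate_bind(policy, account, now)}")
```

Run stand-alone, the first two scenarios both come back as resultCode 49 with passwordExpired, which is the point of the report: the presence of pwdReset changes only the control error a still-valid password carries, never whether an expired one is accepted.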