[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7787) Authentication success if password is expired and password must be changed



Full_Name: Clement OUDOT
Version: 2.4.38
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (83.145.72.122)


Here is the situation : a user account is 
1/ expired (the password age is more that the one configured in pwdMaxGae)
2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy configuration
object is TRUE)

In this case, when doing a BIND, the result code is 0:
$ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
ldap_bind: Success (0); Password must be changed (Password expires in 0
seconds)
dn: uid=coudot,ou=users,dc=example,dc=com

If I remove pwdReset attribute, then:
$ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
ldap_bind: Invalid Credentials (49); Password expired

According to password policy draft, the password must change flag should not
affect the BIND result code.