
Re: (ITS#7787) Authentication success if password is expired and password must be changed



coudot@linagora.com wrote:
> Full_Name: Clement OUDOT
> Version: 2.4.38
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (83.145.72.122)
>
>
> Here is the situation: a user account is
> 1/ expired (the password age is more than the one configured in pwdMaxAge)
> 2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy configuration
> object is TRUE)
>
> In this case, when doing a BIND, the result code is 0:
> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
> ldap_bind: Success (0); Password must be changed (Password expires in 0
> seconds)
> dn: uid=coudot,ou=users,dc=example,dc=com
>
> If I remove pwdReset attribute, then:
> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
> ldap_bind: Invalid Credentials (49); Password expired
>
> According to password policy draft, the password must change flag should not
> affect the BIND result code.

The draft specifies the policy checks in the order in which they are to be 
performed. The PasswordMustBeChanged check occurs before the PasswordExpired 
check.

The code works as designed.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
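The following is an added illustration, not OpenLDAP's slapo-ppolicy code and not written by either participant in this thread. It models the two bind-time checks the thread is about, "password must be changed" (pwdReset with pwdMustChange) and "password expired" (pwdChangedTime against pwdMaxAge), and evaluates them in a configurable order. The default order follows the reply above (must-change before expired); the reversed order is included only to show why the ordering, not the flag itself, decides the bind result code. The 90-day pwdMaxAge, the timestamps and the account state are constructed values; lockout, grace logins and the expiry-warning field of the control are left out.

```python
"""Model of the ppolicy bind checks discussed in ITS#7787 (added example,
not OpenLDAP code). Only the must-change and expired checks are modelled."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

# Check names; DRAFT_ORDER follows the reply in this thread: the
# PasswordMustBeChanged check runs before the PasswordExpired check.
MUST_CHANGE = "mustChange"
EXPIRED = "expired"
DRAFT_ORDER: Sequence[str] = (MUST_CHANGE, EXPIRED)


@dataclass
class Policy:
    pwd_max_age: int        # seconds; 0 means passwords never expire
    pwd_must_change: bool   # pwdMustChange in the ppolicy configuration entry


@dataclass
class Account:
    pwd_changed_time: datetime   # pwdChangedTime operational attribute
    pwd_reset: bool = False      # pwdReset operational attribute


@dataclass
class BindResult:
    result_code: int
    ppolicy_error: Optional[str] = None   # error field of the ppolicy response control


def password_age(account: Account, now: datetime) -> int:
    """Seconds since the password was last changed."""
    return int((now - account.pwd_changed_time).total_seconds())


def is_expired(policy: Policy, account: Account, now: datetime) -> bool:
    return policy.pwd_max_age > 0 and password_age(account, now) >= policy.pwd_max_age


def must_change(policy: Policy, account: Account) -> bool:
    return policy.pwd_must_change and account.pwd_reset


def ppolicy_bind(policy: Policy, account: Account, now: datetime,
                 order: Sequence[str] = DRAFT_ORDER,
                 password_ok: bool = True) -> BindResult:
    """Evaluate the modelled checks in `order`; the first one that fires
    determines the bind result, later checks are not consulted."""
    if not password_ok:
        return BindResult(LDAP_INVALID_CREDENTIALS)
    for check in order:
        if check == MUST_CHANGE and must_change(policy, account):
            # Bind succeeds; the control tells the client to change the password.
            return BindResult(LDAP_SUCCESS, "changeAfterReset")
        if check == EXPIRED and is_expired(policy, account, now):
            return BindResult(LDAP_INVALID_CREDENTIALS, "passwordExpired")
    return BindResult(LDAP_SUCCESS)


def reproduce_report() -> dict:
    """Replay the two binds from the report, plus the same account state
    under the reversed check order (constructed scenario)."""
    now = datetime(2014, 1, 1, tzinfo=timezone.utc)            # constructed
    policy = Policy(pwd_max_age=90 * 86400, pwd_must_change=True)  # assumed 90-day pwdMaxAge
    old = now - timedelta(days=120)                            # older than pwdMaxAge
    reset_and_expired = Account(pwd_changed_time=old, pwd_reset=True)
    expired_only = Account(pwd_changed_time=old, pwd_reset=False)
    return {
        "with_pwdReset": ppolicy_bind(policy, reset_and_expired, now),
        "without_pwdReset": ppolicy_bind(policy, expired_only, now),
        "with_pwdReset_expiry_first": ppolicy_bind(
            policy, reset_and_expired, now, order=(EXPIRED, MUST_CHANGE)),
    }


if __name__ == "__main__":
    for name, r in reproduce_report().items():
        print(f"{name}: result {r.result_code}, ppolicy error {r.ppolicy_error}")
```

Under the draft order the reset-and-expired account binds with result 0 and error changeAfterReset, matching the first ldapwhoami output in the report; dropping pwdReset gives 49 with passwordExpired, matching the second. Only the reversed order yields 49 for the reset-and-expired account, which is the behaviour the report expected.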