Re: (ITS#7787) Authentication success if password is expired and password must be changed
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7787) Authentication success if password is expired and password must be changed
- From: hyc@symas.com
- Date: Thu, 16 Jan 2014 14:32:06 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
coudot@linagora.com wrote:
> Full_Name: Clement OUDOT
> Version: 2.4.38
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (83.145.72.122)
>
>
> Here is the situation: a user account is
> 1/ expired (the password age is more than the one configured in pwdMaxAge)
> 2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy configuration
> object is TRUE)
>
> In this case, when doing a BIND, the result code is 0:
> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
> ldap_bind: Success (0); Password must be changed (Password expires in 0
> seconds)
> dn: uid=coudot,ou=users,dc=example,dc=com
>
> If I remove pwdReset attribute, then:
> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
> ldap_bind: Invalid Credentials (49); Password expired
>
> According to password policy draft, the password must change flag should not
> affect the BIND result code.
The draft specifies the policy checks in the order in which they are to be
performed. The PasswordMustBeChanged check occurs before the PasswordExpired
check.
The code works as designed.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
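As an added illustration of the check order described in the reply (this is example code written for this page, not the OpenLDAP ppolicy overlay's own logic and not code from either poster), the function below models the two outcomes from the report: an account past pwdMaxAge with pwdReset=TRUE under a pwdMustChange policy binds with result 0 and the changeAfterReset error, while the same account without pwdReset fails with Invalid Credentials (49) and passwordExpired. The second function turns that into an audit check an administrator can run over exported ppolicy operational attributes to find accounts that are already expired but would still be able to bind. Assumptions: pwdMaxAge is in seconds, pwdChangedTime is a UTC GeneralizedTime, the entry and policy dictionaries are constructed sample data, and the ordering modelled is exactly the one stated in the reply (must-change before expired).

```python
from datetime import datetime, timedelta, timezone

# LDAP result codes (RFC 4511) used by the model.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC LDAP GeneralizedTime such as '20130901000000Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate_bind(entry: dict, policy: dict, now: datetime) -> dict:
    """Model the ppolicy bind checks in the order given in the reply (assumption):
    the must-change check runs before the expiry check.

    Returns the LDAP result code, the ppolicy error name (or None) and the
    number of seconds until the password expires (None if no expiry applies)."""
    expires_in = None
    expired = False
    max_age = policy.get("pwdMaxAge", 0)
    if "pwdChangedTime" in entry and max_age > 0:
        expiry = parse_generalized_time(entry["pwdChangedTime"]) + timedelta(seconds=max_age)
        expires_in = max(0, int((expiry - now).total_seconds()))
        expired = now >= expiry

    # 1. PasswordMustBeChanged: pwdReset TRUE under a pwdMustChange policy.
    #    The bind succeeds; the client is told to change the password.
    if policy.get("pwdMustChange") and entry.get("pwdReset") == "TRUE":
        return {"result": LDAP_SUCCESS, "error": "changeAfterReset", "expires_in": expires_in}

    # 2. PasswordExpired: only reached when the must-change check did not fire.
    if expired:
        return {"result": LDAP_INVALID_CREDENTIALS, "error": "passwordExpired", "expires_in": 0}

    return {"result": LDAP_SUCCESS, "error": None, "expires_in": expires_in}


def find_expired_but_bindable(entries: list, policy: dict, now: datetime) -> list:
    """Return the DNs of accounts whose password is past pwdMaxAge but whose
    bind would still succeed because of the must-change ordering."""
    hits = []
    for entry in entries:
        outcome = evaluate_bind(entry, policy, now)
        if outcome["result"] == LDAP_SUCCESS and outcome["expires_in"] == 0:
            hits.append(entry["dn"])
    return hits


# Constructed sample data: a 90-day pwdMaxAge policy with pwdMustChange enabled,
# evaluated on 2014-01-16. None of these entries is taken from the report.
SAMPLE_POLICY = {"pwdMaxAge": 90 * 86400, "pwdMustChange": True}
NOW = datetime(2014, 1, 16, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    # Expired (changed 2013-09-01, expiry 2013-11-30) and flagged for reset.
    {"dn": "uid=alice,ou=users,dc=example,dc=com",
     "pwdChangedTime": "20130901000000Z", "pwdReset": "TRUE"},
    # Same age, no pwdReset: the expiry check is reached and the bind fails.
    {"dn": "uid=bob,ou=users,dc=example,dc=com",
     "pwdChangedTime": "20130901000000Z"},
    # Changed 2014-01-10: still valid, expires 2014-04-10 (84 days from NOW).
    {"dn": "uid=carol,ou=users,dc=example,dc=com",
     "pwdChangedTime": "20140110000000Z"},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["dn"], evaluate_bind(e, SAMPLE_POLICY, NOW))
    print("expired but still able to bind:",
          find_expired_but_bindable(SAMPLE_ENTRIES, SAMPLE_POLICY, NOW))
```

Run against an export of pwdChangedTime and pwdReset (both are operational attributes, so they must be requested explicitly with ldapsearch), the audit list is the set of accounts the report is about: those for which the reset flag masks the expiry at bind time.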