[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7787) Authentication success if password is expired and password must be changed

coudot@linagora.com wrote:
> Full_Name: Clement OUDOT
> Version: 2.4.38
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Here is the situation : a user account is
> 1/ expired (the password age is more that the one configured in pwdMaxGae)
> 2/ must be reset (pwdReset is TRUE and pwdMustChange in ppolicy configuration
> object is TRUE)
> In this case, when doing a BIND, the result code is 0:
> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
> ldap_bind: Success (0); Password must be changed (Password expires in 0
> seconds)
> dn: uid=coudot,ou=users,dc=example,dc=com
> If I remove pwdReset attribute, then:
> $ ldapwhoami -x -D uid=coudot,ou=users,dc=example,dc=com -w secret -e ppolicy
> ldap_bind: Invalid Credentials (49); Password expired
> According to password policy draft, the password must change flag should not
> affect the BIND result code.

The draft specifies the policy checks in the order in which they are to be 
performed. The PasswordMustBeChanged check occurs before the PasswordExpired 

The code works as designed.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/