I have a problem with OpenLDAP 2.4.24 and ApacheDirectoryStudio 1.5.3.
I connect to OpenLDAP with a usual user account for who pwdReset is set to TRUE.
And I have the following default password policy:
When opening the connection, I see the following messages in the ApacheDirectoryStudio logs window:
#!SEARCH RESULT DONE (95) ERROR
#!ERROR [LDAP: error code 50 - Operations are restricted to bind/unbind/abandon/StartTLS/modify password]
# numEntries : 0
I can see the Root DSE entry and I can not browse the DIT, but I don't have any popup to explain me that the
user account I use to connect must change his password.
In the OpenLDAP access log, I see the following:
SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
Jul 4 13:55:42 rhvtq slapd: conn=1075 op=1 SRCH attr=subschemaSubentry
Jul 4 13:55:42 rhvtq slapd: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
When testing against a Sun Directory Server 6 with the same data and the same password policy, I get a popup window
on the client side, with the following error, when I try to see the root DSE entry :
[LDAP: error code 53 - Password was reset and must be changed.]
In the Sun DS access log, I have the following:
SRCH base="" scope=0 filter="(objectClass=*)" attrs="subschemaSubentry"
[04/Jul/2011:14:17:53 +0200] conn=51 op=1 msgId=2 - RESULT err=53 tag=101 nentries=0 etime=0, Password was reset and must be changed.
Of course, in both cases, the access control rules are the same and allow access to the root DSE entry at least.
Also, when testing against OpenLDAP with an ldapsearch client with the "-e ppolicy " option, I get the following result:
ldap_bind: Success (0); Password must be changed
Insufficient access (50)
Additional information: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Is there a way I can configure OpenLDAP or my data to get the same behaviour with ApacheDirectoryStudio ? That is, I'd like
to be clearly notified the user password must be changed. Since I get a 50 error code, has something to be changed in the OpenLDAP access control
If you think it's a client side problem, when using my own custom client applications, what request(s) must be sent to OpenLDAP ?