[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: problem with pwdReset

2011/7/4 Cyril Grosjean <cgrosjean@janua.fr>:
> I have a problem with OpenLDAP 2.4.24 and ApacheDirectoryStudio 1.5.3.
> I connect to OpenLDAP with a usual user account for who pwdReset is set to
> And I have the following default password policy:
> dn: cn=default,ou=policies,dc=.....
> cn: default
> objectClass: top
> objectClass: person
> objectClass: pwdPolicy
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 0
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 0
> pwdMaxAge: 0
> pwdMaxFailure: 0
> pwdMinAge: 0
> pwdMinLength: 8
> pwdMustChange: TRUE
> pwdSafeModify: FALSE
> sn: policy
> When opening the connection, I see the following messages in the
> ApacheDirectoryStudio logs window:
> #!CONNECTION ldap://rhvtq:389
> #!DATE 2011-07-04T13:55:42.026
> #!ERROR [LDAP: error code 50 - Operations are restricted to
> bind/unbind/abandon/StartTLS/modify password]
> # numEntries : 0
> I can see the Root DSE entry and I can not browse the DIT, but I don't have
> any popup to explain me that the
> user account I use to connect must change his password.
> In the OpenLDAP access log, I see the following:
> SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
> Jul  4 13:55:42 rhvtq slapd[19581]: conn=1075 op=1 SRCH
> attr=subschemaSubentry
> Jul  4 13:55:42 rhvtq slapd[19581]: conn=1075 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> When testing against a Sun Directory Server 6 with the same data and the
> same password policy, I get a popup window
> on the client side, with the following error, when I try to see the root DSE
> entry :
> [LDAP: error code 53 - Password was reset and must be changed.]
> In the Sun DS access log, I have the following:
>  SRCH base="" scope=0 filter="(objectClass=*)" attrs="subschemaSubentry"
> [04/Jul/2011:14:17:53 +0200] conn=51 op=1 msgId=2 - RESULT err=53 tag=101
> nentries=0 etime=0, Password was reset and must be changed.
> Of course, in both cases, the access control rules are the same and allow
> access to the root DSE entry at least.
> Also, when testing against OpenLDAP with an ldapsearch client with the "-e
> ppolicy " option, I get the following result:
> ldap_bind: Success (0); Password must be changed
> Insufficient access (50)
> Additional information: Operations are restricted to
> bind/unbind/abandon/StartTLS/modify password
> Is there a way I can configure OpenLDAP or my data to get the same behaviour
> with ApacheDirectoryStudio ? That is, I'd like
> to be clearly notified the user password must be changed. Since I get a 50
> error code, has something to be changed in the OpenLDAP access control
> rules ?
> If you think it's a client side problem, when using my own custom client
> applications, what request(s) must be sent to OpenLDAP ?

Hi Cyril,

password policy is very implementation specific. I noticed also some
differences between OpenLDAP and SUN implementation. For example, when
using password policy and doing a wrong authentication, OpenLDAP sends
the password policy control back with the bind response (with error
49), and SUN do not (it only send back the bind response without
ppolicy control).

For your problem, you need to manage it on client side : if you use
the password policy control, both OpenLDAP and SUN will return back
the password policy control with the flag "password must be reset",
the only difference is that the main error code is not the same (50
for OpenLDAP, 53 for SUN). Just test the ppolicy control in this case.