(ITS#4063) PPolicy Overlay Problem where slapd bind wrongly expires user password (before pwdMaxAge time elapses)
Full_Name: Shawn McKinney
Version: 2.3.5
OS: Redhat Enterprise 4 Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (166.102.160.132)
10-04-2005
Shawn McKinney
Fidelity Information Services
501-220-8788
This issue occurs inside a Java client program.
OpenLDAP version: 2.3.5
PPolicy module version: 1.66
O/S: RHE4
The issue causes binds with the slapd client to wrongly expire the password. The slapd
log displays:
conn=1 op=2 BIND dn="cn=6388322161387061686,ou=People,dc=fnfis,dc=com"
method=128
=> bdb_entry_get: ndn: "cn=6388322161387061686,ou=people,dc=fnfis,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
=> bdb_entry_get: found entry:
"cn=6388322161387061686,ou=people,dc=fnfis,dc=com"
=> bdb_entry_get: ndn: "cn=xespasswordpolicy,ou=policies,dc=fnfis,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
=> bdb_entry_get: found entry:
"cn=xespasswordpolicy,ou=policies,dc=fnfis,dc=com"
==> bdb_bind: dn: cn=6388322161387061686,ou=People,dc=fnfis,dc=com
=> access_allowed: auth access to
"cn=6388322161387061686,ou=People,dc=fnfis,dc=com" "userPassword" requested
=> acl_get: [1] attr userPassword
access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "cn=6388322161387061686,ou=People,dc=fnfis,dc=com",
attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
conn=1 op=2 BIND dn="cn=6388322161387061686,ou=People,dc=fnfis,dc=com"
mech=SIMPLE ssf=0
send_ldap_result: err=0 matched="" text=""
=> bdb_entry_get: ndn: "cn=6388322161387061686,ou=people,dc=fnfis,dc=com"
=> bdb_entry_get: oc: "(null)", at: "(null)"
=> bdb_entry_get: found entry:
"cn=6388322161387061686,ou=people,dc=fnfis,dc=com"
ppolicy_bind: Entry cn=6388322161387061686,ou=People,dc=fnfis,dc=com does not
have valid pwdChangedTime attribute - assuming password expired
ppolicy_bind: Entry cn=6388322161387061686,ou=People,dc=fnfis,dc=com has an
expired password: 5 grace logins
The PPolicy in effect:
POLICY OBJECT (cn=xespasswordpolicy,ou=policies,dc=fnfis,dc=com):
name <policy>
pwdCheckQuality=2
pwdMaxAge=8640000
pwdMinAge=0
pwdMinLength=5
pwdFailureCountInterval=120
pwdMaxFailure=3
pwdMustChange=TRUE
pwdSafeModify=FALSE
pwdInHistory=5
pwdGraceAuthNLimit=5
pwdLockoutDuration=120
pwdAllowUserChange=TRUE
pwdExpireWarning=8640000
pwdLockout=TRUE
My user with the wrongly expired password has the following values for
operational attributes:
USER OPERATIONAL ATTRIBUTES:
userId <6388322161387061686>:
name <6388322161387061686>
description <JUnit Test User 0>
orgUnitId <OrgUnitTree>
createTimestamp <20051004140641Z>
modifyTimestamp <20051004140641Z>
creatorsName <cn=Manager,dc=fnfis,dc=com>
modifiersName <cn=Manager,dc=fnfis,dc=com>
subschemaSubentry <cn=Subschema>
pwdPolicySubentry <null>
pwdChangedTime <null>
pwdAccountLockedTime <null>
pwdExpirationWarned <null>
pwdFailureTime <null>
pwdGraceUseTime <20051004140834Z>
pwdReset <null>
Steps to create the problem:
1. The password policy overlay is enabled.
2. Create a password policy object in LDAP.
3. Set the directory's default PPolicy DN to the password policy created in step 2.
4. Add a user to LDAP.
5. Bind the user to slapd.
Hypothesis: The PPolicy overlay module wrongly determines a null pwdReset flag
implies expired password.