(ITS#4576) EXOP password modify doesn't reset pwdMustChange in same connection
Full_Name: Andreas Hasenack
Version: 2.3.24
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.140.247.99)
I have a user with the pwdReset: TRUE flag set, and my default policy mandates
password changes in this condition (pwdMustChange: TRUE). These conditions are
working:
$ ldapwhoami -x -e ppolicy -D uid=john,ou=people,dc=example,dc=com -w secret
ldap_bind: Success (0); Password must be changed
dn:uid=john,ou=People,dc=example,dc=com
Result: Success (0)
To reproduce the problem, I made a python script which binds as this user, sends
an exop password change and then replaces an attribute (shadowLastChange). The
password change works, but the attribute update doesn't:
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 fd=23 ACCEPT from IP=10.0.2.177:3435 (IP=0.0.0.0:389)
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=0 BIND dn="uid=john,ou=people,dc=example,dc=com" method=128
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=0 RESULT tag=97 err=0 text=
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=1 PASSMOD id="uid=john,ou=people,dc=example,dc=com" old new
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=2 MOD dn="uid=john,ou=people,dc=example,dc=com"
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=2 MOD attr=shadowLastChange
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=1 RESULT oid= err=0 text=
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=2 RESULT tag=103 err=50 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=3 UNBIND
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 fd=23 closed
Script running:
$ ./exop+change.py
Binding
Sending exop
Updating shadowLastChange
Traceback (most recent call last):
(...)
ldap.INSUFFICIENT_ACCESS: {'info': 'Operations are restricted to bind/unbind/abandon/StartTLS/modify password', 'desc': 'Insufficient access'}
The relevant script part is:
import ldap

# SERVER_URI, binddn, oldpassword and newpassword are set earlier in the
# script (that part is not shown in the report).
ld = ldap.initialize(SERVER_URI)
ld.protocol_version = ldap.VERSION3
print "Binding"
# Simple bind as the user whose entry carries pwdReset: TRUE
res = ld.bind_s(binddn, oldpassword, ldap.AUTH_SIMPLE)
print "Sending exop"
# Password Modify extended operation (RFC 3062). passwd() is the
# asynchronous python-ldap call: it returns a message id and does not wait
# for the server's result; passwd_s() is the blocking form.
res = ld.passwd(binddn, oldpassword, newpassword)
print "Updating shadowLastChange"
# Ordinary write on the same connection, after the password change
modlist = [(ldap.MOD_REPLACE, "shadowLastChange", "20000")]
res = ld.modify_s("uid=john,ou=people,dc=example,dc=com", modlist)
So, it seems that changing the password via EXOP does not reset the
password changed condition for the same connection, because a subsequent write
doesn't work (nor would a search, for that matter).
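As an added example (not part of the report and not OpenLDAP code), the following Python 3 script parses the slapd stats-level log excerpt above, reconstructs the order in which each operation on conn=230 was issued and answered, and flags RESULT lines carrying err=50 (LDAP insufficientAccessRights) with the ppolicy restriction text. Run against the excerpt, it reports that op=2 (MOD) was logged before the RESULT for op=1 (PASSMOD), which is the ordering an operator wants to see when checking whether a client waited for the password-modify result before issuing its next write. The log text is copied from the report with the archive's line wrapping undone; the regexes and function names are this example's own.

```python
import re

# Log excerpt from the report (slapd 2.3, loglevel stats), one record per line.
SAMPLE_LOG = """\
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 fd=23 ACCEPT from IP=10.0.2.177:3435 (IP=0.0.0.0:389)
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=0 BIND dn="uid=john,ou=people,dc=example,dc=com" method=128
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=0 RESULT tag=97 err=0 text=
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=1 PASSMOD id="uid=john,ou=people,dc=example,dc=com" old new
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=2 MOD dn="uid=john,ou=people,dc=example,dc=com"
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=2 MOD attr=shadowLastChange
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=1 RESULT oid= err=0 text=
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=2 RESULT tag=103 err=50 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 op=3 UNBIND
Jun 2 18:52:24 cs4 slapd[11017]: conn=230 fd=23 closed
"""

# Patterns are this example's own; they cover the "conn=N op=N KIND ..." records
# of the stats loglevel and ignore connection-level lines (ACCEPT, closed).
OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$")
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")
TEXT_RE = re.compile(r"\btext=(?P<text>.*)$")

RESTRICTED_TEXT = "Operations are restricted to"
LDAP_INSUFFICIENT_ACCESS = 50  # insufficientAccessRights


def parse_line(line):
    """Return a dict for an operation record, or None for non-operation lines."""
    m = OP_RE.search(line)
    if not m:
        return None
    rec = {"conn": int(m.group("conn")), "op": int(m.group("op")),
           "kind": m.group("kind"), "err": None, "text": ""}
    if rec["kind"] == "RESULT":
        e = ERR_RE.search(m.group("rest"))
        rec["err"] = int(e.group("err")) if e else None
        t = TEXT_RE.search(m.group("rest"))
        rec["text"] = t.group("text").strip() if t else ""
    return rec


def find_pipelined_ops(log):
    """Return (conn, op, [earlier ops still pending]) for every operation issued
    on a connection while an earlier operation on it had not yet logged RESULT."""
    pending = {}   # conn -> set of op ids awaiting a RESULT line
    seen = set()   # (conn, op) pairs already counted (MOD logs two lines per op)
    findings = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        conn, op = rec["conn"], rec["op"]
        if rec["kind"] == "RESULT":
            pending.get(conn, set()).discard(op)
            continue
        if (conn, op) in seen:
            continue
        seen.add((conn, op))
        earlier = sorted(pending.get(conn, set()))
        if earlier:
            findings.append((conn, op, earlier))
        if rec["kind"] not in ("UNBIND", "ABANDON"):  # these get no RESULT
            pending.setdefault(conn, set()).add(op)
    return findings


def find_restricted_results(log):
    """Return (conn, op, err, text) for results refused by the ppolicy
    must-change restriction (err=50 with the restriction diagnostic text)."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "RESULT" and rec["err"] == LDAP_INSUFFICIENT_ACCESS \
                and rec["text"].startswith(RESTRICTED_TEXT):
            hits.append((rec["conn"], rec["op"], rec["err"], rec["text"]))
    return hits


if __name__ == "__main__":
    for conn, op, earlier in find_pipelined_ops(SAMPLE_LOG):
        print("conn=%d op=%d issued while op(s) %s had no RESULT yet" % (conn, op, earlier))
    for conn, op, err, text in find_restricted_results(SAMPLE_LOG):
        print("conn=%d op=%d refused (err=%d): %s" % (conn, op, err, text))
```

Feeding a larger slapd log through the same two functions gives, per connection, every write that overlapped an unanswered password-modify and every result the ppolicy overlay refused, which is the pair of facts needed to tell a client-side ordering problem apart from a server-side state problem.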