
(ITS#4576) EXOP password modify doesn't reset pwdMustChange in same connection



Full_Name: Andreas Hasenack
Version: 2.3.24
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.140.247.99)


I have a user with the pwdReset: TRUE flag set, and my default policy mandates
password changes in this condition (pwdMustChange: TRUE). These conditions are
working:

$ ldapwhoami -x -e ppolicy -D uid=john,ou=people,dc=example,dc=com -w secret
ldap_bind: Success (0); Password must be changed
dn:uid=john,ou=People,dc=example,dc=com
Result: Success (0)

To reproduce the problem, I made a Python script which binds as this user, sends
an exop password change and then replaces an attribute (shadowLastChange). The
password change works, but the attribute update doesn't:

Jun  2 18:52:24 cs4 slapd[11017]: conn=230 fd=23 ACCEPT from IP=10.0.2.177:3435 (IP=0.0.0.0:389)
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=0 BIND dn="uid=john,ou=people,dc=example,dc=com" method=128
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=0 RESULT tag=97 err=0 text=
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=1 PASSMOD id="uid=john,ou=people,dc=example,dc=com" old new
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=2 MOD dn="uid=john,ou=people,dc=example,dc=com"
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=2 MOD attr=shadowLastChange
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=1 RESULT oid= err=0 text=
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=2 RESULT tag=103 err=50 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=3 UNBIND
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 fd=23 closed

Script running:
$ ./exop+change.py
Binding
Sending exop
Updating shadowLastChange
Traceback (most recent call last):
(...)
ldap.INSUFFICIENT_ACCESS: {'info': 'Operations are restricted to bind/unbind/abandon/StartTLS/modify password', 'desc': 'Insufficient access'}

The relevant script part is:
import ldap

# Connection parameters; the DN and old password are the ones used in the
# ldapwhoami test above, the server URI and new password are placeholders
SERVER_URI = "ldap://ldap.example.com"   # placeholder
binddn = "uid=john,ou=people,dc=example,dc=com"
oldpassword = "secret"
newpassword = "<new password>"           # placeholder

ld = ldap.initialize(SERVER_URI)
ld.protocol_version = ldap.VERSION3

print("Binding")
res = ld.bind_s(binddn, oldpassword, ldap.AUTH_SIMPLE)

print("Sending exop")
# Password Modify extended operation (RFC 3062); python-ldap's passwd() is the
# asynchronous variant and returns a message id
res = ld.passwd(binddn, oldpassword, newpassword)

print("Updating shadowLastChange")
modlist = [(ldap.MOD_REPLACE, "shadowLastChange", "20000")]
res = ld.modify_s("uid=john,ou=people,dc=example,dc=com", modlist)

So, it seems that changing the password via EXOP does not reset the
password-changed condition for the same connection, because a subsequent write
doesn't work (nor would a search, for that matter).
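An added example, not part of the report: a small parser for slapd stats-level log lines of the kind quoted above. It groups entries by connection and operation, records each op's result code, and lists which ops were received while another op was still in flight; the sample log is the report's excerpt rejoined onto single lines, and it shows op=2 MOD arriving before the op=1 PASSMOD RESULT is logged.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd log lines from the report, one entry per line.
SAMPLE_LOG = """\
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 fd=23 ACCEPT from IP=10.0.2.177:3435 (IP=0.0.0.0:389)
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=0 BIND dn="uid=john,ou=people,dc=example,dc=com" method=128
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=0 RESULT tag=97 err=0 text=
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=1 PASSMOD id="uid=john,ou=people,dc=example,dc=com" old new
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=2 MOD dn="uid=john,ou=people,dc=example,dc=com"
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=2 MOD attr=shadowLastChange
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=1 RESULT oid= err=0 text=
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=2 RESULT tag=103 err=50 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 op=3 UNBIND
Jun  2 18:52:24 cs4 slapd[11017]: conn=230 fd=23 closed
"""

# "conn=N op=M KIND rest..."; lines without op= (ACCEPT, closed) are skipped.
OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\S+)(?: (?P<rest>.*))?")
ERR_RE = re.compile(r"err=(\d+)")

def parse_ops(log_text):
    """Return {conn: {op: {"type", "err", "started", "finished"}}}, where
    started/finished are the line indexes of the op's first line and its RESULT."""
    ops = defaultdict(dict)
    for idx, line in enumerate(log_text.splitlines()):
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind = int(m.group("conn")), int(m.group("op")), m.group("kind")
        entry = ops[conn].setdefault(op, {"type": None, "err": None,
                                          "started": idx, "finished": None})
        if kind == "RESULT":
            entry["finished"] = idx
            e = ERR_RE.search(m.group("rest") or "")
            entry["err"] = int(e.group(1)) if e else None
        elif entry["type"] is None:
            entry["type"] = kind          # BIND, PASSMOD, MOD, UNBIND, ...
    return ops

def ops_started_before_result(ops, conn, op):
    """Ops on `conn` whose first line precedes the RESULT of `op`, i.e. ops the
    server received while `op` was still in flight."""
    target = ops[conn][op]
    if target["finished"] is None:
        return []
    return [o for o, e in ops[conn].items()
            if o != op and target["started"] < e["started"] < target["finished"]]
```

Running `ops_started_before_result(parse_ops(SAMPLE_LOG), 230, 1)` on the sample returns `[2]`: the MOD (which failed with err=50) was received before the PASSMOD result was written.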