
problem with pwdReset




I have a problem with OpenLDAP 2.4.24 and ApacheDirectoryStudio 1.5.3.
I connect to OpenLDAP with a regular user account for which pwdReset is set to TRUE.
And I have the following default password policy:

dn: cn=default,ou=policies,dc=.....
cn: default
objectClass: top
objectClass: person
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: policy

When opening the connection, I see the following messages in the ApacheDirectoryStudio logs window:

#!SEARCH RESULT DONE (95) ERROR
#!CONNECTION ldap://rhvtq:389
#!DATE 2011-07-04T13:55:42.026
#!ERROR [LDAP: error code 50 - Operations are restricted to bind/unbind/abandon/StartTLS/modify password]
# numEntries : 0

I can see the Root DSE entry and I cannot browse the DIT, but I don't get any popup explaining that the
user account I use to connect must change its password.

In the OpenLDAP access log, I see the following:

SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
Jul  4 13:55:42 rhvtq slapd[19581]: conn=1075 op=1 SRCH attr=subschemaSubentry
Jul  4 13:55:42 rhvtq slapd[19581]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=


When testing against a Sun Directory Server 6 with the same data and the same password policy, I get a popup window
on the client side with the following error when I try to see the root DSE entry:

[LDAP: error code 53 - Password was reset and must be changed.]

In the Sun DS access log, I have the following:

 SRCH base="" scope=0 filter="(objectClass=*)" attrs="subschemaSubentry"
[04/Jul/2011:14:17:53 +0200] conn=51 op=1 msgId=2 - RESULT err=53 tag=101 nentries=0 etime=0, Password was reset and must be changed.

Of course, in both cases, the access control rules are the same and allow access to the root DSE entry at least.

Also, when testing against OpenLDAP with an ldapsearch client with the "-e ppolicy" option, I get the following result:

ldap_bind: Success (0); Password must be changed
Insufficient access (50)
Additional information: Operations are restricted to bind/unbind/abandon/StartTLS/modify password


Is there a way I can configure OpenLDAP or my data to get the same behaviour with ApacheDirectoryStudio? That is, I'd like
to be clearly notified that the user password must be changed. Since I get error code 50, does something need to be changed in the OpenLDAP access control
rules?

If you think it's a client-side problem: when using my own custom client applications, what request(s) must be sent to OpenLDAP?
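Added example, not part of the original post: the two protocol pieces a custom client needs to reproduce what "ldapsearch -e ppolicy" does above, namely attach the Password Policy request control (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1) to the bind, decode the response control's changeAfterReset error, and then send the Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1) before any search, since that is one of the few operations the restricted session still accepts. The code is plain Python with a minimal DER encoder/decoder so it runs offline; the sample control bytes are constructed here, and the function names and the no-value/non-critical request control tuple are this example's own conventions, to be mapped onto whatever LDAP library the client uses.

```python
# Added example (not from the original post): DER helpers for the ppolicy response
# control and the RFC 3062 Password Modify request value. No network I/O; a real
# client hands these bytes to its LDAP library as control / extended-request values.

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # draft-behera password policy control
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"       # RFC 3062 Password Modify exop

# Error enumeration of PasswordPolicyResponseValue (draft-behera-ldap-password-policy).
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def der_len(n):
    """DER length octets, short and long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def ppolicy_request_control():
    """Control to attach to the BindRequest: OID only, no value, non-critical (example's tuple form)."""
    return (PPOLICY_CONTROL_OID, False, None)


def parse_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue:
    SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                                    graceAuthNsRemaining [1] INTEGER } OPTIONAL,
               error   [1] ENUMERATED OPTIONAL }"""
    tag, seq, _ = der_read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(seq):
        tag, inner, pos = der_read_tlv(seq, pos)
        if tag == 0xA0:  # warning [0], constructed, wraps one of the two INTEGER choices
            wtag, wval, _ = der_read_tlv(inner, 0)
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            result["warning"] = (kind, int.from_bytes(wval, "big"))
        elif tag == 0x81:  # error [1] ENUMERATED, primitive
            result["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big"), "unknown")
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result


def passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None):
    """Encode PasswdModifyRequestValue (RFC 3062): returns (OID, DER value).
    With pwdSafeModify FALSE (as in the posted policy) oldPasswd may be omitted."""
    parts = b""
    if user_identity is not None:
        parts += der_tlv(0x80, user_identity.encode())   # userIdentity [0]
    if old_passwd is not None:
        parts += der_tlv(0x81, old_passwd.encode())      # oldPasswd    [1]
    if new_passwd is not None:
        parts += der_tlv(0x82, new_passwd.encode())      # newPasswd    [2]
    return PASSWD_MODIFY_OID, der_tlv(0x30, parts)


def next_step_after_bind(response_control_value, new_password):
    """After a successful bind: if the control says changeAfterReset, the session is
    restricted, so return the Password Modify exop to send first; otherwise None."""
    info = parse_ppolicy_response(response_control_value)
    if info["error"] == "changeAfterReset":
        return passwd_modify_request(new_passwd=new_password)
    return None


# Constructed sample: SEQUENCE { error [1] ENUMERATED changeAfterReset(2) }
SAMPLE_RESET_CONTROL = bytes.fromhex("3003810102")

if __name__ == "__main__":
    print(parse_ppolicy_response(SAMPLE_RESET_CONTROL))
    print(next_step_after_bind(SAMPLE_RESET_CONTROL, "N3w-Passw0rd"))
```

The bind itself is unchanged; what matters is that the request control goes on the BindRequest (otherwise the server has no way to return the response control, and the client only discovers the restriction via error 50 on its first search, as in the log above) and that the Password Modify exop is issued before any search.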