From mihai.munteanu@thalesgroup.com Fri Oct 27 13:01:56 2017
From: mihai.munteanu@thalesgroup.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#8762) Unlocking an account doesn't remove pwdFailureTime
Date: Fri, 27 Oct 2017 13:01:46 +0000
Message-ID: <E1e84Gg-0003zL-J0@gauss.openldap.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5798222417795525492=="

--===============5798222417795525492==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

--_000_73687a3a63cc4dd6950d893d7e7e73e9THSONEA01HUB06Ponegrp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

1. See below the contents of our password policy:

# Search scope: sub

# Search filter: (objectClass=3D*)

# Total entries: 1

#

# Generated by LDAP Account Manager

(http://www.ldap-account-manager.org) on October 27, 2017 10:48 am # Versio=
n: 5.5



version: 1



# Entry 1: cn=3DpasswordDefault,ou=3Dpolicies,dc=3Dthales,dc=3Dcom

dn: cn=3DpasswordDefault,ou=3Dpolicies,dc=3Dthales,dc=3Dcom

cn: passwordDefault

createtimestamp: 20171004124029Z

creatorsname: dc=3DManager,dc=3Dthales,dc=3Dcom

entrycsn: 20171004124029.795969Z#000000#000#000000

entrydn: cn=3DpasswordDefault,ou=3Dpolicies,dc=3Dthales,dc=3Dcom

entryuuid: f3031268-3d4c-1037-9198-453c4b052276

hassubordinates: FALSE

modifiersname: dc=3DManager,dc=3Dthales,dc=3Dcom

modifytimestamp: 20171004124029Z

objectclass: top

objectclass: device

objectclass: pwdPolicy

objectclass: pwdPolicyChecker

pwdallowuserchange: TRUE

pwdattribute: userPassword

pwdcheckmodule: check_password.so

pwdcheckquality: 2

pwdexpirewarning: 0

pwdfailurecountinterval: 0

pwdgraceauthnlimit: 0

pwdinhistory: 4

pwdlockout: TRUE

pwdlockoutduration: 0

pwdmaxage: 7776000

pwdmaxfailure: 3

pwdminage: 0

pwdminlength: 8

pwdmustchange: FALSE

pwdsafemodify: FALSE

structuralobjectclass: device

subschemasubentry: cn=3DSubschema



-----------------

2. we are using the lamcms from www.ldap-account-manager.org<http://www.lda=
p-account-manager.org>. In the web interface there is a "Unlock account" bu=
tton which we use. I suppose they are using the php ldap_modify() method in=
 order to remove the 'pwdAccountLockedTime' field. Of course, temporary mod=
ifying their sources and trying to remove also the pwdFailureTime generates=
 the following error:

"Was unable to remove attributes from DN: cn=3Dtest1,ou=3Dusers,dc=3Dthales=
,dc=3Dcom.

LDAP error, server says: Constraint violation - pwdFailureTime: no user mod=
ification allowed"

We've contact also guys from ldap-account-manager.org but they said they ca=
n't do anything on their side and suggested to contact you.


Kind regards,
Mihai


--_000_73687a3a63cc4dd6950d893d7e7e73e9THSONEA01HUB06Ponegrp_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV=3D"Content-Type" CONTENT=
=3D"text/html; charset=3Dus-ascii"><meta name=3DGenerator content=3D"Micros=
oft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
	{mso-style-priority:99;
	mso-style-link:"Plain Text Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Arial","sans-serif";}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Arial","sans-serif";
	color:windowtext;}
span.PlainTextChar
	{mso-style-name:"Plain Text Char";
	mso-style-priority:99;
	mso-style-link:"Plain Text";
	font-family:"Arial","sans-serif";}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri","sans-serif";}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue vli=
nk=3Dpurple><div class=3DWordSection1><p class=3DMsoPlainText>1. See below =
the contents of our password policy:<o:p></o:p></p><p class=3DMsoPlainText>=
# Search scope: sub<o:p></o:p></p><p class=3DMsoPlainText># Search filter: =
(objectClass=3D*)<o:p></o:p></p><p class=3DMsoPlainText># Total entries: 1<=
o:p></o:p></p><p class=3DMsoPlainText>#<o:p></o:p></p><p class=3DMsoPlainTe=
xt># Generated by LDAP Account Manager<o:p></o:p></p><p class=3DMsoPlainTex=
t>(<a href=3D"http://www.ldap-account-manager.org">http://www.ldap-account-=
manager.org</a>) on October 27, 2017 10:48 am # Version: 5.5<o:p></o:p></p>=
<p class=3DMsoPlainText><o:p>&nbsp;</o:p></p><p class=3DMsoPlainText>versio=
n: 1<o:p></o:p></p><p class=3DMsoPlainText><o:p>&nbsp;</o:p></p><p class=3D=
MsoPlainText># Entry 1: cn=3DpasswordDefault,ou=3Dpolicies,dc=3Dthales,dc=
=3Dcom<o:p></o:p></p><p class=3DMsoPlainText>dn: cn=3DpasswordDefault,ou=3D=
policies,dc=3Dthales,dc=3Dcom<o:p></o:p></p><p class=3DMsoPlainText>cn: pas=
swordDefault<o:p></o:p></p><p class=3DMsoPlainText>createtimestamp: 2017100=
4124029Z<o:p></o:p></p><p class=3DMsoPlainText>creatorsname: dc=3DManager,d=
c=3Dthales,dc=3Dcom<o:p></o:p></p><p class=3DMsoPlainText>entrycsn: 2017100=
4124029.795969Z#000000#000#000000<o:p></o:p></p><p class=3DMsoPlainText>ent=
rydn: cn=3DpasswordDefault,ou=3Dpolicies,dc=3Dthales,dc=3Dcom<o:p></o:p></p=
><p class=3DMsoPlainText>entryuuid: f3031268-3d4c-1037-9198-453c4b052276<o:=
p></o:p></p><p class=3DMsoPlainText>hassubordinates: FALSE<o:p></o:p></p><p=
 class=3DMsoPlainText>modifiersname: dc=3DManager,dc=3Dthales,dc=3Dcom<o:p>=
</o:p></p><p class=3DMsoPlainText>modifytimestamp: 20171004124029Z<o:p></o:=
p></p><p class=3DMsoPlainText>objectclass: top<o:p></o:p></p><p class=3DMso=
PlainText>objectclass: device<o:p></o:p></p><p class=3DMsoPlainText>objectc=
lass: pwdPolicy<o:p></o:p></p><p class=3DMsoPlainText>objectclass: pwdPolic=
yChecker<o:p></o:p></p><p class=3DMsoPlainText>pwdallowuserchange: TRUE<o:p=
></o:p></p><p class=3DMsoPlainText>pwdattribute: userPassword<o:p></o:p></p=
><p class=3DMsoPlainText>pwdcheckmodule: check_password.so<o:p></o:p></p><p=
 class=3DMsoPlainText>pwdcheckquality: 2<o:p></o:p></p><p class=3DMsoPlainT=
ext>pwdexpirewarning: 0<o:p></o:p></p><p class=3DMsoPlainText>pwdfailurecou=
ntinterval: 0<o:p></o:p></p><p class=3DMsoPlainText>pwdgraceauthnlimit: 0<o=
:p></o:p></p><p class=3DMsoPlainText>pwdinhistory: 4<o:p></o:p></p><p class=
=3DMsoPlainText>pwdlockout: TRUE<o:p></o:p></p><p class=3DMsoPlainText>pwdl=
ockoutduration: 0<o:p></o:p></p><p class=3DMsoPlainText>pwdmaxage: 7776000<=
o:p></o:p></p><p class=3DMsoPlainText>pwdmaxfailure: 3<o:p></o:p></p><p cla=
ss=3DMsoPlainText>pwdminage: 0<o:p></o:p></p><p class=3DMsoPlainText>pwdmin=
length: 8<o:p></o:p></p><p class=3DMsoPlainText>pwdmustchange: FALSE<o:p></=
o:p></p><p class=3DMsoPlainText>pwdsafemodify: FALSE<o:p></o:p></p><p class=
=3DMsoPlainText>structuralobjectclass: device<o:p></o:p></p><p class=3DMsoP=
lainText>subschemasubentry: cn=3DSubschema<o:p></o:p></p><p class=3DMsoPlai=
nText><o:p>&nbsp;</o:p></p><p class=3DMsoPlainText>-----------------<o:p></=
o:p></p><p class=3DMsoPlainText>2. we are using the lamcms from <a href=3D"=
http://www.ldap-account-manager.org">www.ldap-account-manager.org</a>. In t=
he web interface there is a &quot;Unlock account&quot; button which we use.=
 I suppose they are using the php ldap_modify() method in order to remove t=
he 'pwdAccountLockedTime' field. Of course, temporary modifying their sourc=
es and trying to remove also the pwdFailureTime generates the following err=
or: <o:p></o:p></p><p class=3DMsoPlainText>&quot;Was unable to remove attri=
butes from DN: cn=3Dtest1,ou=3Dusers,dc=3Dthales,dc=3Dcom.<o:p></o:p></p><p=
 class=3DMsoPlainText>LDAP error, server says: Constraint violation - pwdFa=
ilureTime: no user modification allowed&quot;<o:p></o:p></p><p class=3DMsoP=
lainText>We've contact also guys from ldap-account-manager.org but they sai=
d they can't do anything on their side and suggested to contact you.<o:p></=
o:p></p><p class=3DMsoNormal><span style=3D'font-family:"Arial","sans-serif=
"'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span style=3D'font-fam=
ily:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal>=
Kind regards,<o:p></o:p></p><p class=3DMsoNormal>Mihai<o:p></o:p></p><p cla=
ss=3DMsoNormal><o:p>&nbsp;</o:p></p></div></body></html>=

--_000_73687a3a63cc4dd6950d893d7e7e73e9THSONEA01HUB06Ponegrp_--




--===============5798222417795525492==--