Full_Name: Pierre-Yves Bonnetain Version: 2.3.35 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (213.41.162.162)
There is something "forgotten" in the ppolicy overlay code. When pwdReset is set to TRUE, the user is properly asked to change his password. BUT if the (admin-made) previous password change happened less than pwdMinAge ago, the requested password change is rejected with a "password too young" message:
-----------
$ ssh somehost -l someuser
Password:
You are required to change your LDAP password immediately.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint violation
Password is too young to change
-----------
The pwdMinAge parameter should be ignored when pwdReset is set, otherwise the user will effectively be locked out of his account while waiting for the minimum delay to expire.
Here is a patch to correct this behavior. The proposed patch may not adhere to coding standards and such, so feel free to enhance it as needed.
*** ppolicy.old 2007-02-08 13:31:24.000000000 +0100 --- ppolicy.c 2007-05-17 17:10:39.000000000 +0200 *************** *** 1696,1710 **** time_t pwtime = (time_t)-1, now; int age;
! if ((pa = attr_find( e->e_attrs, ad_pwdChangedTime )) != NULL) ! pwtime = parse_time( pa->a_nvals[0].bv_val ); ! now = slap_get_time(); ! age = (int)(now - pwtime); ! if ((pwtime != (time_t)-1) && (age < pp.pwdMinAge)) { ! rs->sr_err = LDAP_CONSTRAINT_VIOLATION; ! rs->sr_text = "Password is too young to change"; ! pErr = PP_passwordTooYoung; ! goto return_results; } }
--- 1696,1716 ---- time_t pwtime = (time_t)-1, now; int age;
! /* Py Bonnetain, B&A Consultants : We DON'T CARE for minAge if pwdReset ! is set. */ ! if ((pa = attr_find( e->e_attrs, ad_pwdReset )) == NULL || ! ! bvmatch( &pa->a_nvals[0], &slap_true_bv) ) { ! ! if ((pa = attr_find( e->e_attrs, ad_pwdChangedTime )) != NULL) ! pwtime = parse_time( pa->a_nvals[0].bv_val ); ! now = slap_get_time(); ! age = (int)(now - pwtime); ! if ((pwtime != (time_t)-1) && (age < pp.pwdMinAge)) { ! rs->sr_err = LDAP_CONSTRAINT_VIOLATION; ! rs->sr_text = "Password is too young to change"; ! pErr = PP_passwordTooYoung; ! goto return_results; ! } } }
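Review bot: the new comment in the ppolicy.c hunk ("Py Bonnetain, B&A Consultants : We DON'T CARE for minAge if pwdReset is set") should be replaced by a neutral statement of the rule, for example `/* pwdMinAge is not enforced while pwdReset is TRUE: the user must be able to replace the administrator-set password immediately. */`; author credit belongs in the ITS and the commit log, not in the source. The condition itself is sound: `(pa = attr_find( e->e_attrs, ad_pwdReset )) == NULL ||` short-circuits before `bvmatch` dereferences `pa`, and reusing `pa` for `ad_pwdChangedTime` inside the new block is safe because it is reassigned before use. Since the bypass means a freshly reset password can be replaced at once by whoever presents it, which is exactly the pwdReset semantics the report describes, a one-line note in the pwdMinAge description of the ppolicy documentation stating that the minimum age does not apply to a reset password would keep administrators from expecting the old behavior.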