https://bugs.openldap.org/show_bug.cgi?id=9279
Issue ID: 9279
Summary: Support for Netscape password expiry controls
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: ondra@mistotebe.net
Target Milestone: ---
Add support for legacy clients expecting the LDAP server to attach these controls on relevant bind responses:
- Password Expired Control (2.16.840.1.113730.3.4.4)
- Password Expiration Warning Control (2.16.840.1.113730.3.4.5)
Decisions as configured by regular password policy.
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Target Milestone | --- | 2.4.51
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
RE24:
Commits:
• 0687e289 by Ondřej Kuzník at 2020-07-22T22:11:44+00:00 ITS#9279 Expose Netscape password policy controls in libldap
• 094848b6 by Ondřej Kuzník at 2020-07-22T22:11:44+00:00 ITS#9279 Implement Netscape password policy controls in ppolicy
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
master:
Commits:
• fd921e71 by Ondřej Kuzník at 2020-07-22T18:57:38+00:00 ITS#9279 Expose Netscape password policy controls in libldap
• a49b5536 by Ondřej Kuzník at 2020-07-22T18:57:38+00:00 ITS#9279 Implement Netscape password policy controls in ppolicy
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Resolution | --- | FIXED
Status | UNCONFIRMED | RESOLVED
--- Comment #3 from Michael Ströder michael@stroeder.com --- I've added a test for these response controls to python-ldap0 (branch):
https://gitlab.com/ae-dir/python-ldap0/-/tree/its9279
But it seems to fail with wrong response OID for password expiration warning:
DEBUG:root:<ldap0.ldapobject.LDAPObject object at 0x7f7ea896bc10> ldap://127.0.0.1:42853 - LDAPObject.result(((1, 1, -1, True, False, False), {}))
5f1c70f0 ppolicy_bind: Setting warning for password expiry for cn=user1,o=öäü,dc=example,dc=org = 1 seconds
5f1c70f0 conn=1011 op=0 RESULT tag=97 err=0 text=
DEBUG:root:-> (97, [], 1, [(b'2.16.840.1.113730.3.4.4', 0, b'\x04\x010')])
[..]
AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7f7ea8946a00> is not an instance of <class 'ldap0.controls.pwdpolicy.PasswordExpiringControl'>
--- Comment #4 from Michael Ströder michael@stroeder.com --- Was this actually tested with one of the legacy clients making use of that?
I have some doubts about using LBER_USE_DER.
Because I've searched in my old python-ldap mailing list archive and found that with other server implementations controlValue of 2.16.840.1.113730.3.4.5 consists just of ASCII digits representing grace period in seconds.
And IIRC controlValue of 2.16.840.1.113730.3.4.4 is also just a single digit "0" without OctetString wrapping. See also my inquiry to ietf-ldapext mailing list:
https://mailarchive.ietf.org/arch/msg/ldapext/jBnnQxBngfYUD8A2RLeI1tAVb5M
Note that many moons ago I had test servers when implementing this in python-ldap. IIRC it was OpenDJ.
I've recently added automated tests for that in python-ldap0:
https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py#L...
--- Comment #5 from Michael Ströder michael@stroeder.com --- (In reply to Michael Ströder from comment #4)
> I've searched in my old python-ldap mailing list archive
https://mail.python.org/pipermail/python-ldap/2014q1/003342.html
Unfortunately the referenced OpenDJ mailing list archive is not available anymore. But there's a copy of the 3-message thread:
https://marc.info/?t=139603531900011&r=1&w=2
--- Comment #6 from Michael Ströder michael@stroeder.com --- (In reply to Michael Ströder from comment #4)
> See also my inquiry to ietf-ldapext mailing list:
> https://mailarchive.ietf.org/arch/msg/ldapext/jBnnQxBngfYUD8A2RLeI1tAVb5M
Neil's response is pretty clear:
https://mailarchive.ietf.org/arch/msg/ldapext/_J2wBksnlCYbemmf3bTanCDAXuA
No DER, just ASCII digits in a byte-sequence. Yes, it's legacy stuff.
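The following is an added example, not code from OpenLDAP or from python-ldap0, that shows the bare-ASCII wire format this thread settles on for the two Netscape controls: `2.16.840.1.113730.3.4.4` (Password Expired) carries the string `0`, and `2.16.840.1.113730.3.4.5` (Password Expiration Warning) carries the remaining seconds as ASCII digits, neither of them BER/DER-wrapped. The decoder rejects a value that starts with an OCTET STRING tag (the `b'\x04\x010'` seen in the debug output quoted in comment #3), and `server_controls` is a hypothetical server-side chooser that emits the right control for a given time-to-expiry; its `warn_within` threshold is an assumption for illustration, not slapo-ppolicy's logic. The `(oid, criticality, value)` tuple shape follows the python-ldap0 debug lines quoted in this ticket, and the sample responses are constructed.

```python
"""
Added example (not OpenLDAP or python-ldap0 code): encode and decode the
legacy Netscape password-policy response controls in the bare-ASCII form
draft-vchu-ldap-pwd-policy uses.

  2.16.840.1.113730.3.4.4  Password Expired   controlValue = b"0"
  2.16.840.1.113730.3.4.5  Password Expiring  controlValue = ASCII decimal seconds

Neither value is BER/DER-wrapped, so a leading OCTET STRING tag (0x04) in a
controlValue is a server bug, not a valid encoding.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple, Union

PASSWORD_EXPIRED_OID = "2.16.840.1.113730.3.4.4"
PASSWORD_EXPIRING_OID = "2.16.840.1.113730.3.4.5"

# (oid, criticality, value), the shape python-ldap0 printed in its debug output.
Control = Tuple[Union[str, bytes], Union[bool, int], bytes]


class MalformedControl(ValueError):
    """controlValue is not the bare ASCII digits the draft requires."""


@dataclass
class PasswordPolicyStatus:
    expired: bool = False
    seconds_until_expiry: Optional[int] = None


def _bare_ascii_digits(oid: str, value: bytes) -> int:
    """Parse a controlValue that must be bare ASCII digits; reject DER wrapping."""
    if not value:
        raise MalformedControl(f"{oid}: empty controlValue")
    if value[0] == 0x04:
        # b'\x04\x010' is a DER OCTET STRING holding "0": the encoding the
        # first fix in this ticket produced. ASCII digits are 0x30..0x39, so a
        # 0x04 first byte can never be a legitimate value.
        raise MalformedControl(f"{oid}: DER-wrapped controlValue {value!r}, expected bare digits")
    if not value.isdigit():
        raise MalformedControl(f"{oid}: non-numeric controlValue {value!r}")
    return int(value)


def decode_bind_controls(controls: Sequence[Control]) -> PasswordPolicyStatus:
    """Fold the Netscape controls on a bind response into one status object."""
    status = PasswordPolicyStatus()
    for oid, _criticality, value in controls:
        oid_str = oid.decode("ascii") if isinstance(oid, bytes) else oid
        if oid_str == PASSWORD_EXPIRED_OID:
            _bare_ascii_digits(oid_str, value)   # validates the bare "0"
            status.expired = True
        elif oid_str == PASSWORD_EXPIRING_OID:
            status.seconds_until_expiry = _bare_ascii_digits(oid_str, value)
        # Any other response control is left to its own decoder.
    return status


def server_controls(seconds_left: int, warn_within: int) -> List[Control]:
    """Hypothetical server side (assumed logic, not slapo-ppolicy's):
    seconds_left <= 0 sends Password Expired; 0 < seconds_left <= warn_within
    sends Password Expiring with the remaining seconds; otherwise nothing."""
    if seconds_left <= 0:
        return [(PASSWORD_EXPIRED_OID, False, b"0")]
    if seconds_left <= warn_within:
        return [(PASSWORD_EXPIRING_OID, False, str(seconds_left).encode("ascii"))]
    return []


def classify(controls: Sequence[Control]) -> str:
    """Human-readable verdict; a malformed control is reported, not raised."""
    try:
        st = decode_bind_controls(controls)
    except MalformedControl as exc:
        return f"malformed: {exc}"
    if st.expired:
        return "expired"
    if st.seconds_until_expiry is not None:
        return f"expires in {st.seconds_until_expiry}s"
    return "ok"


# Constructed sample responses modelled on the debug lines quoted in this ticket.
FIXED_EXPIRED_RESPONSE: List[Control] = [(b"2.16.840.1.113730.3.4.4", 0, b"0")]
DER_WRAPPED_RESPONSE: List[Control] = [(b"2.16.840.1.113730.3.4.4", 0, b"\x04\x010")]
WARNING_RESPONSE: List[Control] = [(b"2.16.840.1.113730.3.4.5", 0, b"86400")]

if __name__ == "__main__":
    for name, ctrls in [("fixed", FIXED_EXPIRED_RESPONSE),
                        ("der-wrapped", DER_WRAPPED_RESPONSE),
                        ("warning", WARNING_RESPONSE)]:
        print(f"{name:12s} {classify(ctrls)}")
    # Round-trip the server-side chooser through the client decoder.
    print(classify(server_controls(seconds_left=1, warn_within=3600)))
```

A client that wants to interoperate with several servers should keep the decoder this strict: accepting the DER-wrapped form silently would mask the server bug, and dispatching on OID before parsing the value is what separates the "expired" and "expiring" cases that the python-ldap0 assertion in comment #3 distinguishes.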
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Ever confirmed | 0 | 1
Status | RESOLVED | CONFIRMED
Resolution | FIXED | ---
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Assignee | bugs@openldap.org | ondra@mistotebe.net
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | CONFIRMED | RESOLVED
Resolution | --- | TEST
--- Comment #7 from Quanah Gibson-Mount quanah@openldap.org ---
• 917fcc03 by Ondřej Kuzník at 2020-07-27T14:22:24+02:00 ITS#9279 Send Netscape expired control as a bare string
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Resolution | TEST | FIXED
--- Comment #8 from Quanah Gibson-Mount quanah@openldap.org ---
RE24:
• 98937068 by Ondřej Kuzník at 2020-07-27T17:39:52+00:00 ITS#9279 Send Netscape expired control as a bare string
--- Comment #9 from Michael Ströder michael@stroeder.com --- (In reply to Quanah Gibson-Mount from comment #8)
> RE24:
> • 98937068 by Ondřej Kuzník at 2020-07-27T17:39:52+00:00 ITS#9279 Send Netscape expired control as a bare string
This indeed fixed password expired response test in python-ldap0:
https://gitlab.com/ae-dir/python-ldap0/-/commit/39bf9d98fc794677d9639053ccad...
--- Comment #10 from Michael Ströder michael@stroeder.com --- (In reply to Michael Ströder from comment #3)
> But it seems to fail with wrong response OID for password expiration warning:
> [..]
> AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7f7ea8946a00> is not an instance of <class 'ldap0.controls.pwdpolicy.PasswordExpiringControl'>
This bug is still not fixed.
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Resolution | FIXED | ---
Status | RESOLVED | CONFIRMED
--- Comment #11 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to Michael Ströder from comment #10)
> (In reply to Michael Ströder from comment #3)
> > But it seems to fail with wrong response OID for password expiration warning:
> > [..]
> > AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7f7ea8946a00> is not an instance of <class 'ldap0.controls.pwdpolicy.PasswordExpiringControl'>
> This bug is still not fixed.
Ondrej :)
--- Comment #12 from Howard Chu hyc@openldap.org --- (In reply to Michael Ströder from comment #10)
> (In reply to Michael Ströder from comment #3)
> > But it seems to fail with wrong response OID for password expiration warning:
> > [..]
> > AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7f7ea8946a00> is not an instance of <class 'ldap0.controls.pwdpolicy.PasswordExpiringControl'>
> This bug is still not fixed.
Can you please test with this patch?
https://git.openldap.org/hyc/openldap/-/commits/its9279
Thanks
--- Comment #13 from Michael Ströder michael@stroeder.com --- (In reply to Howard Chu from comment #12)
> Can you please test with this patch?
> https://git.openldap.org/hyc/openldap/-/commits/its9279
Can I just back-port this diff to RE24?
https://git.openldap.org/hyc/openldap/-/commit/dae146b251673d8a668a465e13f96...
--- Comment #14 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to Michael Ströder from comment #13)
> (In reply to Howard Chu from comment #12)
> > Can you please test with this patch?
> > https://git.openldap.org/hyc/openldap/-/commits/its9279
> Can I just back-port this diff to RE24?
> https://git.openldap.org/hyc/openldap/-/commit/dae146b251673d8a668a465e13f9671ae4fffa9a
Yes.
--- Comment #15 from Michael Ströder michael@stroeder.com --- (In reply to Quanah Gibson-Mount from comment #14)
> (In reply to Michael Ströder from comment #13)
> > (In reply to Howard Chu from comment #12)
> > > Can you please test with this patch?
> > > https://git.openldap.org/hyc/openldap/-/commits/its9279
> > Can I just back-port this diff to RE24?
> > https://git.openldap.org/hyc/openldap/-/commit/dae146b251673d8a668a465e13f9671ae4fffa9a
> Yes.
It does not work:
5f232451 conn=1011 op=0 BIND dn="cn=user1,o=öäü,dc=example,dc=org" mech=SIMPLE ssf=0
5f232451 ppolicy_bind: Setting warning for password expiry for cn=user1,o=öäü,dc=example,dc=org = 1 seconds
DEBUG:root:<ldap0.ldapobject.LDAPObject object at 0x7f5210212a60> ldap://127.0.0.1:35171 - LDAPObject.result(((1, 1, -1, True, False, False), {}))
5f232451 conn=1011 op=0 RESULT tag=97 err=0 text=
DEBUG:root:-> (97, [], 1, [(b'2.16.840.1.113730.3.4.4', 0, b'0')])
DEBUG:root:bind_res = LDAPResult(97, [], 1, [<ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7f52101eba30>])
I've checked my test code whether there's a timing problem. But slapo-ppolicy logs "Setting warning for password expiry" and so I assume the test code is correct.
--- Comment #16 from Howard Chu hyc@openldap.org --- (In reply to Michael Ströder from comment #10)
> (In reply to Michael Ströder from comment #3)
> > But it seems to fail with wrong response OID for password expiration warning:
> > [..]
> > AssertionError: <ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7f7ea8946a00> is not an instance of <class 'ldap0.controls.pwdpolicy.PasswordExpiringControl'>
> This bug is still not fixed.
Can you please test with this patch?
https://git.openldap.org/hyc/openldap/-/commits/its9279
Thanks

(In reply to Michael Ströder from comment #15)
> (In reply to Quanah Gibson-Mount from comment #14)
> > (In reply to Michael Ströder from comment #13)
> > > (In reply to Howard Chu from comment #12)
> > > > Can you please test with this patch?
> > > > https://git.openldap.org/hyc/openldap/-/commits/its9279
> > > Can I just back-port this diff to RE24?
> > > https://git.openldap.org/hyc/openldap/-/commit/dae146b251673d8a668a465e13f9671ae4fffa9a
> > Yes.
> It does not work:
> 5f232451 conn=1011 op=0 BIND dn="cn=user1,o=öäü,dc=example,dc=org" mech=SIMPLE ssf=0
> 5f232451 ppolicy_bind: Setting warning for password expiry for cn=user1,o=öäü,dc=example,dc=org = 1 seconds
> DEBUG:root:<ldap0.ldapobject.LDAPObject object at 0x7f5210212a60> ldap://127.0.0.1:35171 - LDAPObject.result(((1, 1, -1, True, False, False), {}))
> 5f232451 conn=1011 op=0 RESULT tag=97 err=0 text=
> DEBUG:root:-> (97, [], 1, [(b'2.16.840.1.113730.3.4.4', 0, b'0')])
> DEBUG:root:bind_res = LDAPResult(97, [], 1, [<ldap0.controls.pwdpolicy.PasswordExpiredControl object at 0x7f52101eba30>])
> I've checked my test code whether there's a timing problem. But slapo-ppolicy logs "Setting warning for password expiry" and so I assume the test code is correct.
I cannot confirm the error you're seeing. I've extended test022-ppolicy in our test suite and am definitely seeing the correct Warning control before expiration, and the correct Expired control after expiration.
--- Comment #17 from Quanah Gibson-Mount quanah@openldap.org --- I tried building python-ldap0 to see if I could reproduce the reported issue, but unfortunately what I mainly get are errors about slaptest and no logging of what is being done, so it's virtually impossible to do anything with this "test" suite.
--- Comment #18 from Quanah Gibson-Mount quanah@openldap.org ---
Commits:
• 8849d83f by Howard Chu at 2020-08-04T22:04:14+00:00 ITS#9279 fix Netscape password_expired control
• e3875c18 by Howard Chu at 2020-08-04T22:04:14+00:00 ITS#9279 Netscape passwordExp controls came from draft-vchu-ldap-pwd-policy
• 1a786469 by Howard Chu at 2020-08-04T22:04:14+00:00 ITS#9279 Handle Netscape controls in client tools
• d4c7126e by Howard Chu at 2020-08-04T22:04:14+00:00 ITS#9279 test Netscape password expiration controls
  and do some LDIF cleanup
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | CONFIRMED | RESOLVED
Resolution | --- | FIXED
--- Comment #19 from Quanah Gibson-Mount quanah@openldap.org ---
RE24:
Commits:
• 20a59e91 by Howard Chu at 2020-08-04T23:26:43+00:00 ITS#9279 fix Netscape password_expired control
• 1e222584 by Howard Chu at 2020-08-04T23:26:58+00:00 ITS#9279 Netscape passwordExp controls came from draft-vchu-ldap-pwd-policy
• 9ed30535 by Howard Chu at 2020-08-05T16:20:02+00:00 ITS#9279 Handle Netscape controls in client tools
• 766cd03a by Howard Chu at 2020-08-05T19:50:40+00:00 ITS#9279 test Netscape password expiration controls
  and do some LDIF cleanup
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | RESOLVED | VERIFIED