2011/7/4 Cyril Grosjean cgrosjean@janua.fr:
I have a problem with OpenLDAP 2.4.24 and ApacheDirectoryStudio 1.5.3. I connect to OpenLDAP with a usual user account for whom pwdReset is set to TRUE. And I have the following default password policy:
dn: cn=default,ou=policies,dc=.....
cn: default
objectClass: top
objectClass: person
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: policy
When opening the connection, I see the following messages in the ApacheDirectoryStudio logs window:
#!SEARCH RESULT DONE (95) ERROR
#!CONNECTION ldap://rhvtq:389
#!DATE 2011-07-04T13:55:42.026
#!ERROR [LDAP: error code 50 - Operations are restricted to bind/unbind/abandon/StartTLS/modify password]
# numEntries : 0
I can see the Root DSE entry and I can not browse the DIT, but I don't get any popup explaining to me that the user account I use to connect must change its password.
In the OpenLDAP access log, I see the following:
SRCH base="" scope=0 deref=3 filter="(objectClass=*)"
Jul 4 13:55:42 rhvtq slapd[19581]: conn=1075 op=1 SRCH attr=subschemaSubentry
Jul 4 13:55:42 rhvtq slapd[19581]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
When testing against a Sun Directory Server 6 with the same data and the same password policy, I get a popup window on the client side with the following error when I try to see the root DSE entry:
[LDAP: error code 53 - Password was reset and must be changed.]
In the Sun DS access log, I have the following:
SRCH base="" scope=0 filter="(objectClass=*)" attrs="subschemaSubentry"
[04/Jul/2011:14:17:53 +0200] conn=51 op=1 msgId=2 - RESULT err=53 tag=101 nentries=0 etime=0, Password was reset and must be changed.
Of course, in both cases, the access control rules are the same and allow access to the root DSE entry at least.
Also, when testing against OpenLDAP with an ldapsearch client with the "-e ppolicy" option, I get the following result:
ldap_bind: Success (0); Password must be changed
Insufficient access (50)
Additional information: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Is there a way I can configure OpenLDAP or my data to get the same behaviour with ApacheDirectoryStudio? That is, I'd like to be clearly notified that the user password must be changed. Since I get a 50 error code, does something have to be changed in the OpenLDAP access control rules?
If you think it's a client-side problem, when using my own custom client applications, what request(s) must be sent to OpenLDAP?
Hi Cyril,
Password policy is very implementation-specific. I also noticed some differences between the OpenLDAP and Sun implementations. For example, when using password policy and doing a wrong authentication, OpenLDAP sends the password policy control back with the bind response (with error 49), and Sun does not (it only sends back the bind response without the ppolicy control).
For your problem, you need to manage it on the client side: if you use the password policy control, both OpenLDAP and Sun will return the password policy control with the flag "password must be reset"; the only difference is that the main error code is not the same (50 for OpenLDAP, 53 for Sun). Just test the ppolicy control in this case.
Clément.
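As an added illustration of Clément's advice (this is not code from the thread or from either server's project), the following Python decodes the value of the Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, as described in draft-behera-ldap-password-policy) and decides "password must be changed" from the control's changeAfterReset error rather than from the result code, so the same client logic covers OpenLDAP's 50 and Sun DS's 53. The client must have sent the ppolicy request control with the operation (that is what ldapsearch's "-e ppolicy" does) or the server will not return it. The BER layout assumed here (implicit context tags: [0] constructed for the warning CHOICE, [1] primitive ENUMERATED for the error) follows the draft and OpenLDAP's ppolicy overlay; the response bytes below are constructed samples, not captures from the servers in the thread.

```python
"""Decode the LDAP Password Policy response control so a client can detect
"password must be changed" from the control itself, whatever the result code."""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue.error ENUMERATED values from the draft
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}

def _read_tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value_bytes, next_pos).
    Handles short and long definite lengths, which is all this control uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a PasswordPolicyResponseValue SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE, constructed
            wtag, wval, _ = _read_tlv(inner, 0)
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}.get(wtag)
            if name is None:
                raise ValueError("unknown ppolicy warning tag 0x%02x" % wtag)
            result["warning"] = (name, int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:  # error [1] ENUMERATED, primitive
            code = int.from_bytes(inner, "big", signed=True)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in ppolicy response" % tag)
    return result

def must_change_password(result_code, controls):
    """controls: list of (oid, value_bytes) from an LDAP response.
    True when the ppolicy control reports changeAfterReset, regardless of
    whether the server used result code 50 (OpenLDAP) or 53 (Sun DS)."""
    for oid, value in controls:
        if oid == PPOLICY_CONTROL_OID:
            return decode_ppolicy_response(value)["error"] == "changeAfterReset"
    return False

def classify(result_code, controls):
    """Turn a (result code, controls) pair into the message a client should show."""
    if must_change_password(result_code, controls):
        return "password was reset and must be changed"
    if result_code == 50:
        return "insufficient access (no ppolicy error: check the ACLs)"
    return "result code %d" % result_code

# Constructed sample responses (hypothetical bytes, not captured from the thread's servers):
# SEQUENCE { error [1] ENUMERATED changeAfterReset(2) }
PPOLICY_CHANGE_AFTER_RESET = bytes([0x30, 0x03, 0x81, 0x01, 0x02])
# SEQUENCE { warning [0] { timeBeforeExpiration [0] INTEGER 60 } }
PPOLICY_EXPIRY_WARNING = bytes([0x30, 0x05, 0xA0, 0x03, 0x80, 0x01, 0x3C])

OPENLDAP_RESPONSE = (50, [(PPOLICY_CONTROL_OID, PPOLICY_CHANGE_AFTER_RESET)])
SUN_RESPONSE = (53, [(PPOLICY_CONTROL_OID, PPOLICY_CHANGE_AFTER_RESET)])
PLAIN_DENIAL = (50, [])  # error 50 with no ppolicy control: an actual ACL denial

if __name__ == "__main__":
    for name, (rc, ctrls) in [("OpenLDAP", OPENLDAP_RESPONSE),
                              ("Sun DS", SUN_RESPONSE),
                              ("no control", PLAIN_DENIAL)]:
        print("%-10s rc=%d -> %s" % (name, rc, classify(rc, ctrls)))
    print(decode_ppolicy_response(PPOLICY_EXPIRY_WARNING))
```

The useful distinction for a client (and for anyone triaging these errors) is the last case: a result code 50 that arrives without a ppolicy error really is an access-control problem, whereas a 50 or 53 accompanied by changeAfterReset is the policy working as configured and should be surfaced to the user as a forced password change.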