11:16 a.m.
Hi there,
there is a password policy external module with this config:
dn: cn=default,ou=pwpolicies,dc=hu
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
pwdAllowUserChange: TRUE
pwdInHistory: 5
pwdMinLength: 10
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdCheckModule: pwdCheckModule-poc.so
I've grabbed this source:
https://github.com/bindle/bofh-pwdCheckModules
Everything works as well: I can change the password with
ldappasswd tool, or ldap_exop() in PHP - the policy check works
in both cases.
I just have one question: is there any way to send back to the
client the error message?
I mean:
# /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D
"UID="dminuser,dc=hu" -s "abcdefghijkl"
"uid=airween,ou=Users,dc=hu"
Result: Constraint violation (19)
There isn't any detailed information, what's the reason why the
policy module drops the request, but I can see that in the logfile:
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: check_password_quality: module error:
(pwdCheckModule-poc.so) Passwords less than 16 characters require at least 3 traits (upper
case, lower case, digits, or special characters).[1]
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: conn=1742 op=1 p=3
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: err=19 matched=""
text="Passwords less than 16 characters require at least 3 traits (upper case, lower
case, digits, or special characters)"
It would be very good to catch this message at client side.
Is it possible?
Note, that in PHP side I'm using:
ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
and $_err variable is empty.
When I send the old password, which exists in history, I got:
ldappasswd -H ldaps://... ... ... -s "oldpasswd" "uid=airween,..."
Result: Constraint violation (19)
Additional info: Password is not being changed from existing value
in PHP:
"Password is not being changed from existing value"
In syslog I can see:
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_result: err=19 matched=""
text="Password is not being changed from existing value"
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_extended: err=19 oid= len=0
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_response: msgid=2 tag=120 err=19
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: conn=1743 op=1 RESULT oid= err=19 text=Password
is not being changed from existing value
Should I fill some member of Entry struct in 3rd argument in
policy module?
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
....................................................^^^^^^^^^^^^^^
Thanks,
a.
11:26 a.m.
I looked at the slapo-ppolicy man page. It's a shame ppolicy doesn't have
something like the following from the chain overlay:
chain-return-error {FALSE|true}
In case referral chasing fails, the real error is returned
instead of the orig‐
inal referral. In case multiple referral URIs are present,
only the first
error is returned. This behavior may not be always
appropriate nor desirable,
since failures in referral chasing might be better resolved by
the client (e.g.
when caused by distributed authentication issues).
Jason Trupp
Symas Corporation
(855) LDAP-GUY
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On
Behalf Of Ervin Hegedüs
Sent: Wednesday, October 10, 2018 1:16 PM
To: openldap-technical(a)openldap.org
Subject: Password policy messages - how can I pass back
Hi there,
there is a password policy external module with this config:
dn: cn=default,ou=pwpolicies,dc=hu
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
pwdAllowUserChange: TRUE
pwdInHistory: 5
pwdMinLength: 10
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdCheckModule: pwdCheckModule-poc.so
I've grabbed this source:
https://github.com/bindle/bofh-pwdCheckModules
Everything works as well: I can change the password with ldappasswd tool, or
ldap_exop() in PHP - the policy check works in both cases.
I just have one question: is there any way to send back to the client the
error message?
I mean:
# /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D
"UID="dminuser,dc=hu" -s "abcdefghijkl"
"uid=airween,ou=Users,dc=hu"
Result: Constraint violation (19)
There isn't any detailed information, what's the reason why the policy
module drops the request, but I can see that in the logfile:
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: check_password_quality: module
error: (pwdCheckModule-poc.so) Passwords less than 16 characters require at
least 3 traits (upper case, lower case, digits, or special characters).[1]
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: conn=1742 op=1
p=3 Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: err=19
matched="" text="Passwords less than 16 characters require at least 3
traits
(upper case, lower case, digits, or special characters)"
It would be very good to catch this message at client side.
Is it possible?
Note, that in PHP side I'm using:
ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
and $_err variable is empty.
When I send the old password, which exists in history, I got:
ldappasswd -H ldaps://... ... ... -s "oldpasswd" "uid=airween,..."
Result: Constraint violation (19)
Additional info: Password is not being changed from existing value
in PHP:
"Password is not being changed from existing value"
In syslog I can see:
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_result: err=19
matched="" text="Password is not being changed from existing value"
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_extended: err=19 oid=
len=0 Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_response: msgid=2
tag=120 err=19 Oct 10 20:09:36 dev-ldap-01 slapd[16312]: conn=1743 op=1
RESULT oid= err=19 text=Password is not being changed from existing value
Should I fill some member of Entry struct in 3rd argument in policy module?
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
....................................................^^^^^^^^^^^^^^
Thanks,
a.
12:03 p.m.
Hi Jason,
thanks for reply,
On Wed, Oct 10, 2018 at 01:26:48PM -0500, Jason Trupp wrote:
I looked at the slapo-ppolicy man page. It's a shame ppolicy
doesn't have
something like the following from the chain overlay:
chain-return-error {FALSE|true}
In case referral chasing fails, the real error is returned instead of the
orig‐
inal referral. In case multiple referral URIs are present, only the
first
error is returned. This behavior may not be always appropriate nor
desirable,
since failures in referral chasing might be better resolved by the client
(e.g.
when caused by distributed authentication issues).
shame or not, I can't use it :).
Looks like I can upgrade the webservers to 7.3, so with this my
problem solved :)
Thanks,
a.
12:12 a.m.
Le 10/10/2018 à 20:16, Ervin Hegedüs a écrit :
Hi there,
Hello,
I mean:
# /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D
"UID="dminuser,dc=hu" -s "abcdefghijkl"
"uid=airween,ou=Users,dc=hu"
Result: Constraint violation (19)
There isn't any detailed information, what's the reason why the
policy module drops the request, but I can see that in the logfile:
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: check_password_quality: module error:
(pwdCheckModule-poc.so) Passwords less than 16 characters require at least 3 traits (upper
case, lower case, digits, or special characters).[1]
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: conn=1742 op=1 p=3
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: err=19 matched=""
text="Passwords less than 16 characters require at least 3 traits (upper case, lower
case, digits, or special characters)"
With LDAP clients like ldappasswd, you need to send the ppolicy client
control with "-e ppolcy"
Note, that in PHP side I'm using:
ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
and $_err variable is empty.
This should be possible in PHP 7.3, see
https://bugs.php.net/bug.php?id=69437
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com
Worteks | https://www.worteks.com
12:30 a.m.
Hi Clément,
thanks for feedback,
> I mean:
>
> # /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D
"UID="dminuser,dc=hu" -s "abcdefghijkl"
"uid=airween,ou=Users,dc=hu"
> Result: Constraint violation (19)
>
> There isn't any detailed information, what's the reason why the
> policy module drops the request, but I can see that in the logfile:
>
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: check_password_quality: module error:
(pwdCheckModule-poc.so) Passwords less than 16 characters require at least 3 traits (upper
case, lower case, digits, or special characters).[1]
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: conn=1742 op=1 p=3
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: err=19
matched="" text="Passwords less than 16 characters require at least 3
traits (upper case, lower case, digits, or special characters)"
With LDAP clients like ldappasswd, you need to send the ppolicy client
control with "-e ppolcy"
right, thanks,
> Note, that in PHP side I'm using:
>
> ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
>
> and $_err variable is empty.
This should be possible in PHP 7.3, see
https://bugs.php.net/bug.php?id=69437
:(
I've fighted with customer for update to 7.2 to get the
ldap_exop_passwd(), now I can go back to fight for PHP 7.3.
Looks like it exists for Debian 9 (non-official):
https://packages.sury.org/php/pool/main/p/php7.3/
Thanks again,
a.
8:32 a.m.
Hi all,
On Thu, Oct 11, 2018 at 09:12:56AM +0200, Clément OUDOT wrote:
Le 10/10/2018 à 20:16, Ervin Hegedüs a écrit :
> I mean:
>
> # /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D
"UID="dminuser,dc=hu" -s "abcdefghijkl"
"uid=airween,ou=Users,dc=hu"
> Result: Constraint violation (19)
>
With LDAP clients like ldappasswd, you need to send the ppolicy client
control with "-e ppolcy"
it works:
Result: Constraint violation (19)
Additional info: Password is not being changed from existing value
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQg=
ppolicy: error=8 (New password is in list of old passwords)
> Note, that in PHP side I'm using:
>
> ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
>
> and $_err variable is empty.
This should be possible in PHP 7.3, see
https://bugs.php.net/bug.php?id=69437
could anybody helps me, how can I catch the correct and accurate
error message?
if (PHP_VERSION_ID >= 70300) {
$ctrl1 = array('oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST, 'value'
=> NULL, 'iscritical' => 0);
$src = ldap_set_option($this->ldapconn, LDAP_OPT_SERVER_CONTROLS, array($ctrl1));
$option = (LDAP_OPT_DIAGNOSTIC_MESSAGE | LDAP_OPT_ERROR_STRING);
}
else {
$option = LDAP_OPT_DIAGNOSTIC_MESSAGE;
}
ldap_get_option($this->ldapconn, $option, $_err);
but the $_err is a string:
string(49) "Password is not being changed from existing value"
There isn't the ppolicy error.
I've tried with values in ldap_set_option $ctrl:
value => 0, value => 0, iscritical => 1, and combinations of
these.
a.
12:33 p.m.
Hi,
On Fri, Oct 12, 2018 at 05:32:13PM +0200, Ervin Hegedüs wrote:
Hi all,
On Thu, Oct 11, 2018 at 09:12:56AM +0200, Clément OUDOT wrote:
>
> This should be possible in PHP 7.3, see
> https://bugs.php.net/bug.php?id=69437
could anybody helps me, how can I catch the correct and accurate
error message?
if (PHP_VERSION_ID >= 70300) {
$ctrl1 = array('oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST,
'value' => NULL, 'iscritical' => 0);
$src = ldap_set_option($this->ldapconn, LDAP_OPT_SERVER_CONTROLS, array($ctrl1));
$option = (LDAP_OPT_DIAGNOSTIC_MESSAGE | LDAP_OPT_ERROR_STRING);
}
else {
$option = LDAP_OPT_DIAGNOSTIC_MESSAGE;
}
ldap_get_option($this->ldapconn, $option, $_err);
this is a wrong way, I've re-read the PHP docs, and I think I
have to follow this way:
$conn = ldap_connect("ldaps://host");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
ldap_set_option($conn, LDAP_OPT_DEBUG_LEVEL, -1);
$ctrl = array(
'oid' => LDAP_CONTROL_PASSWORDPOLICYRESPONSE,
'iscritical' => FALSE,
'value' => NULL
);
ldap_set_option($conn, LDAP_OPT_SERVER_CONTROLS, array($ctrl));
ldap_bind($conn, $serviceuser, $servicepassw);
ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE | LDAP_OPT_ERROR_STRING, $_err);
var_dump($_err);
ldap_exop_passwd($conn, $userdn, "", $usernewpasswd);
ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE | LDAP_OPT_ERROR_STRING, $_err);
But the ldap_bind returns with FALSE, and the $_err will:
"passwordPolicyRequest control value not absent"
If I leave the 'value' key from $ctrl, the ldap_bind() returns
with TRUE, the ldap_exop_passwd() returns FALSE, and the error
just simple "Constraint error", the $_err string is empty.
I think this is a PHP bug, but if anybody have some expert/idea
about this, just let me know.
Thanks,
a.
1878
days inactive
1881
days old
openldap-technical@openldap.org
6 comments
3 participants
participants (3)
-
Clément OUDOT -
Ervin Hegedüs -
Jason Trupp