Description of problem: Directory server does not allow LDAP password modify extended operation after password reset and password policy requires password change. Version-Release number of selected component (if applicable): How reproducible: Always. Steps to Reproduce: 1. Set attribute passwordMustChange on in currently used password policy. 2. Reset any user's password (by changing it as directory manager or by setting passwordExpirationTime to '19700101000000Z'). 3. Run ldappasswd (from OpenLDAP) to change that user's password. Actual results: Server responds with 'unwilling to perform'. Expected results: Password is changed. Additional info: Function connection_need_new_password(...) (file connection.c) is responsible for allowing only bind, unbind, abandon and modify operations when conn->c_needpw is set. I think this check should include the password change extop as well.
Created attachment 326682 [details] CVS Diffs The fix is to let extended operations pass through connection_need_new_password(), then check if the extended operation is the password modify extop if a password is expired in do_extended(). If the extended operation is something else, we return an error 53 along with the password expired control.
Checked into ldapserver (HEAD). Thanks to Rich for his review! Checking in ldap/servers/slapd/connection.c; /cvs/dirsec/ldapserver/ldap/servers/slapd/connection.c,v <-- connection.c new revision: 1.24; previous revision: 1.23 done Checking in ldap/servers/slapd/extendop.c; /cvs/dirsec/ldapserver/ldap/servers/slapd/extendop.c,v <-- extendop.c new revision: 1.11; previous revision: 1.10 done Checking in ldap/servers/slapd/passwd_extop.c; /cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v <-- passwd_extop.c new revision: 1.18; previous revision: 1.17 done Checking in ldap/servers/slapd/slap.h; /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v <-- slap.h new revision: 1.44; previous revision: 1.43 done
fix verified - RHEL 5 DS 8.1 password change using ldappasswd successfully after administrator password reset and password policy 'user must change password after reset enabled.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html