First Last Prev Next    This bug is not in your last search results.
Bug 201332 - Password change extended operation is not allowed after password reset.
Password change extended operation is not allowed after password reset.
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Directory Server (Show other bugs)
1.0
All Linux
urgent Severity medium
: ---
: ---
Assigned To: Nathan Kinder
Chandrasekar Kannan
:
Depends On:
Blocks: 152373 249650 FDS1.2.0
  Show dependency treegraph
 
Reported: 2006-08-04 09:51 EDT by Michal Vocu
Modified: 2015-01-04 18:20 EST (History)
3 users (show)

See Also:
Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-29 18:59:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
CVS Diffs (6.36 KB, patch)
2008-12-11 17:16 EST, Nathan Kinder 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Michal Vocu 2006-08-04 09:51:36 EDT 
Description of problem:
Directory server does not allow LDAP password modify extended operation after
password reset and password policy requires password change.

Version-Release number of selected component (if applicable):


How reproducible:
Always.

Steps to Reproduce:
1. Set attribute passwordMustChange on in currently used password policy.
2. Reset any user's password (by changing it as directory manager or by setting
 passwordExpirationTime to '19700101000000Z').
3. Run ldappasswd (from OpenLDAP) to change that user's password.
  
Actual results:
Server responds with 'unwilling to perform'.

Expected results:
Password is changed.

Additional info:
Function connection_need_new_password(...) (file connection.c) is responsible
for allowing only bind, unbind, abandon and modify operations when
conn->c_needpw is set. I think this check should include the password change
extop as well.
Comment 3 Nathan Kinder 2008-12-11 17:16:24 EST 
Created attachment 326682 [details]
CVS Diffs

The fix is to let extended operations pass through connection_need_new_password(), then check if the extended operation is the password modify extop if a password is expired in do_extended().  If the extended operation is something else, we return an error 53 along with the password expired control.
Comment 4 Nathan Kinder 2008-12-11 18:05:59 EST 
Checked into ldapserver (HEAD).  Thanks to Rich for his review!

Checking in ldap/servers/slapd/connection.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/connection.c,v  <--  connection.c
new revision: 1.24; previous revision: 1.23
done
Checking in ldap/servers/slapd/extendop.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/extendop.c,v  <--  extendop.c
new revision: 1.11; previous revision: 1.10
done
Checking in ldap/servers/slapd/passwd_extop.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v  <--  passwd_extop.c
new revision: 1.18; previous revision: 1.17
done
Checking in ldap/servers/slapd/slap.h;
/cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v  <--  slap.h
new revision: 1.44; previous revision: 1.43
done
Comment 5 Jenny Galipeau 2009-03-16 08:39:58 EDT 
fix verified - RHEL 5 DS 8.1

password change using ldappasswd successfully after administrator password reset and password policy 'user must change password after reset enabled.
Comment 6 Chandrasekar Kannan 2009-04-29 18:59:00 EDT 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.