Package: nslcd
Version: 0.9.6-3
Hi!
Forcing a password change using the ppolicy pwdReset attribute is not honored.
A user sees "Permission denied, please try again." when trying to log in.
With PADL libraries the message "WARNING: Your password has expired. You must change your password now and login again!" is presented.
debug log of nslcd shows:
nslcd: [16dde9] <authc="test"> DEBUG: ldap_sasl_bind("uid=test,ou=people,dc=example,dc=com","***") (uri="ldaps://ldap01.example.com/")
nslcd: [16dde9] <authc="test"> DEBUG: set_socket_timeout(2,500000)
nslcd: [16dde9] <authc="test"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [16dde9] <authc="test"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
nslcd: [16dde9] <authc="test"> uid=test,ou=people,dc=example,dc=com: Insufficient access
nslcd: [16dde9] <authc="test"> uid=test,ou=people,dc=example,dc=com: Password must be changed
nslcd: [16dde9] <authc="test"> DEBUG: set_socket_timeout(1,0)
nslcd: [16dde9] <authc="test"> DEBUG: ldap_unbind()
nslcd seems to try to do an LDAP search after bind, which is denied by slapd, because the user has to change his password first:
srv01 slapd[24716]: conn=1018 op=0 BIND dn="uid=test,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
srv01 slapd[24716]: => mdb_entry_get: found entry: "uid=test,ou=people,dc=example,dc=com"
srv01 slapd[24716]: conn=1018 op=0 RESULT tag=97 err=0 text=
srv01 slapd[24716]: conn=1018 op=1 SRCH base="uid=test,ou=people,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
srv01 slapd[24716]: conn=1018 op=1 SRCH attr=dn
srv01 slapd[24716]: conn=1018 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
srv01 slapd[24716]: conn=1018 op=2 ABANDON msg=2
srv01 slapd[24716]: conn=1018 op=3 UNBIND
srv01 slapd[24716]: conn=1018 fd=45 closed
Using these software versions:
libnss-ldapd:amd64 0.9.6-3
libpam-ldapd:amd64 0.9.6-3
nslcd 0.9.6-3
slapd 2.4.40
Thanks!
Christian