Hi Arthur,

sorry for the long-delayed follow-up.

On Sun, Nov 14, 2021 at 04:20:03PM +0100, Arthur de Jong wrote:
However the test_pamcmds script fails with the new version. The login
with the correct password fails, the issue seems to be (from
nslcd.log):

nslcd: [a88611] <authc="vsefcovic"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [a88611] <authc="vsefcovic"> DEBUG: myldap_search(base="cn=Veronica Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)")
nslcd: [a88611] <authc="vsefcovic"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password

Still looking into it, not sure why the new ppolicy wants the
password changed after it was just reset earlier.

Do you know at which step this failed in the test_pamcmds test? In
general I found ppolicy controls during authentication to be somewhat
confusing, especially when a password was about to expire or needed to
be changed.

It failed on "testing correct password".

I think the behaviour change is due to ITS#7084:

https://bugs.openldap.org/show_bug.cgi?id=7084
https://git.openldap.org/openldap/openldap/-/commit/376d5d65cb4d622abdd4bba250c80250e56dc4d8

With OpenLDAP 2.5, when the user's password is changed in reset_password(), they get pwdReset: TRUE added, because the policy has pwdMustChange: TRUE and the change is done by the administrator. Exactly like you said, the bind succeeds but then the search is not permitted. I can't remember whether nss-pam-ldapd is supposed to show a "password must be changed now" prompt in this case?

With OpenLDAP 2.4, I think pwdMustChange is consulted only when binding. I think the user is forced to change their password only if pwdMustChange and pwdReset are both set.

I removed "pwdMustChange: TRUE" from the policy and then the tests passed. Not sure if this is the correct fix, but at least I don't currently see anything in test_pamcmds.expect that would be expecting a forced reset?

Ryan
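As an added example (not part of the e-mail above, and not code from nss-pam-ldapd or OpenLDAP): a small decoder for the value of the password policy response control that the server attaches to the bind result, plus the decision a PAM helper would take from it. The control values at the bottom are constructed by hand from the BER layout in draft-behera-ldap-password-policy; the outcome names in bind_outcome() are my own labels, and "change-password" corresponds to the "Password must be changed" case that nslcd logs before its search is refused.

```python
# Error codes of PasswordPolicyResponseValue.error (draft-behera-ldap-password-policy).
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def _tlv(buf, pos):
    """Return (tag, content, next_pos) for one BER TLV using a short-form length."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in this control")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_ppolicy_response(value):
    """Decode the control value into {'warning': (kind, n) | None, 'error': name | None}."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:   # warning [0] CHOICE (constructed)
            wtag, wval, _ = _tlv(inner, 0)
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            result["warning"] = (kind, int.from_bytes(wval, "big"))
        elif tag == 0x81:  # error [1] ENUMERATED (primitive)
            result["error"] = PPOLICY_ERRORS.get(inner[0], "unknown(%d)" % inner[0])
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result

def bind_outcome(decoded):
    """What a PAM helper should do after a bind that carried this control (labels are mine)."""
    err = decoded["error"]
    if err == "changeAfterReset":
        return "change-password"   # pwdReset is set: only a password modify will be allowed
    if err is not None:
        return "deny"
    if decoded["warning"] is not None:
        return "allow-with-warning"
    return "allow"

# Constructed sample control values (hex), not captured from a real server:
SAMPLE_CHANGE_AFTER_RESET = bytes.fromhex("3003810102")         # error=changeAfterReset
SAMPLE_EXPIRY_WARNING = bytes.fromhex("3006a00480020e10")       # timeBeforeExpiration=3600
```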
