[
https://issues.apache.org/jira/browse/DIRSTUDIO-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17712121#comment-17712121
]
Emmanuel Lécharny commented on DIRSTUDIO-1284:
----------------------------------------------
To be clear: when the server implements the Password Policy draft
([https://docs.ldap.com/specs/draft-behera-ldap-password-policy-11.txt),] it is
required, for security reasons, that the update is done using a DELETE followed
by an ADD. That guarantees that the person changing the password actually
*knows* what was the previous password. Otherwise it would be super easy to
break in, simply when you have to modify someone password, without any
knowledge about the previous password...
See:
{code}
8.2.1. Safe Modification If pwdSafeModify is set to TRUE and if there is an
existing password value, the server ensures that the password update operation
includes the user's existing password. When the LDAP modify operation is used
to modify a password, this is done by specifying both a delete action and an
add or replace action, where the delete action specifies the existing password,
and the add or replace action specifies the new password. Other password update
operations SHOULD employ a similar mechanism. Otherwise this policy will fail.
If the existing password is not specified, the server does not process the
operation and sends the appropriate response message to the client with the
resultCode: insufficientAccessRights (50), and includes the
passwordPolicyResponse in the controls field of the response message with the
error: mustSupplyOldPassword (4).
{code}
> Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] -
> Must supply correct old password to change to new one
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: DIRSTUDIO-1284
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1284
> Project: Directory Studio
> Issue Type: Bug
> Components: studio-ldifeditor
> Affects Versions: 2.0.0-M17
> Environment: Mac OS 11.4, running on a MacBook Pro (16-inch, 2019)
> Reporter: Katie Golan
> Priority: Major
> Fix For: 2.0.0-M18
>
> Attachments: Screen Shot 2021-07-06 at 9.22.13 AM.jpg, Screen Shot
> 2021-07-28 at 3.36.39 PM.png, screenshot-1.png
>
>
> The current version of Apache Directory Studio (2.0.0.v20210717-M17) seems to
> have a bug with password resets. I’ve confirmed that version
> {{2.0.0.v20200411-M15}} does not have this bug.
> # In Password Editor, the same password is entered for "Enter New Password"
> and "Confirm New Password"
> # When you click "OK", the following error results:
> "Error while executing LDIF
> - [LDAP result code 53 - unwillingToPerform] Must supply correct old
> password to change to new one"
>
> * I successfully reset the password for User A on version M15.
> * After upgrading to version M17, I got the above error when attempting a
> password reset for User A.
> * I then uninstalled Apache, rebooted, and reinstalled version M15.
> * After M15 reinstall, I was able to successfully reset User A's password
> again.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
