Issue #556 has been updated by nik d.
I had to comment out the line
### $extended_error = explode(', ', $extended_error);
for it to work.
----------------------------------------
Bug #556: If password in Active Directory is expired, user cannot change their password
http://tools.lsc-project.org/issues/556
Author: Eric Blevins
Status: Assigned
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-?
When using Active Directory, if the user's password is expired or if their
account is flagged to change password on next login, that user cannot change
their password.
The following patch fixes the problem for me.
When the LDAP bind fails using the user's credentials, rather than failing we
look at some extended error data.
If the bind failed because the password is expired or needs to be changed, we
allow the reset process to continue, because those statuses are only returned if
the correct un/pw was provided.
Here are all of the extended status values that I know of; this patch only
looks for the ones in *bold*:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
*532 - password expired*
533 - account disabled
701 - account expired
*773 - user must reset password*
diff -uNr ltb-project-self-service-password-0.8/pages/change.php
new/pages/change.php
--- ltb-project-self-service-password-0.8/pages/change.php 2012-10-20
08:52:59.000000000 +0000
+++ new/pages/change.php 2013-01-01 02:24:18.000000000 +0000
@@ -136,6 +136,18 @@
# Bind with old password
$bind = ldap_bind($ldap, $userdn, $oldpassword);
$errno = ldap_errno($ldap);
+ if ( ($errno == 49) && $ad_mode ) {
+ if (ldap_get_option($ldap,0x0032,$extended_error)) {
+ error_log("LDAP - Bind user extended_error $extended_error
(".ldap_error($ldap).")");
+ $extended_error = explode(', ', $extended_error);
+ if(strpos($extended_error[2],'773') ||
strpos($extended_error[2],'532')){
+ #This user provided correct password but it needs reset (773) or has
expired and needs reset (532)
+ error_log("LDAP - Bind user password is expired or needs changed");
+ unset($extended_error);
+ $errno = 0;
+ }
+ }
+ }
if ( $errno ) {
$result = "badcredentials";
error_log("LDAP - Bind user error $errno (".ldap_error($ldap).")");
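Review bot: the `if(strpos($extended_error[2],'773') || strpos($extended_error[2],'532'))` test needs an explicit `!== false` comparison, since `strpos()` returns `0` (falsy) for a match at offset 0 and `false` for no match, and `$extended_error[2]` is read without checking that `explode(', ', $extended_error)` actually produced three fields, so a diagnostic message in a different shape raises an undefined-offset notice instead of falling through to `badcredentials`. Suggest `isset($extended_error[2]) && (strpos($extended_error[2], 'data 773') !== false || strpos($extended_error[2], 'data 532') !== false)`, which also matches the whole `data NNN` token so an unrelated substring cannot clear `$errno`. The bare `0x0032` in `ldap_get_option($ldap,0x0032,$extended_error)` reads better as `LDAP_OPT_ERROR_STRING`, and because `$errno = 0` lets the change proceed after a bind that did not succeed, a comment at that line stating that 532/773 are only returned when the supplied password was correct would document the assumption the whole branch rests on.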
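The parse of the AcceptSecurityContext `data` code that the description above relies on, written out as an added Python example (not the project's PHP code and not part of this issue); the diagnostic string, its DSID value and the function names are constructed for illustration, and the parser tolerates messages that do not have the expected number of comma-separated fields.

```python
import re
from typing import Optional, Tuple

# AD bind-failure sub-codes from the AcceptSecurityContext "data" field,
# as listed in the issue; 532 and 773 are the two the patch accepts.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
}

# Only these codes mean the supplied password was correct but must be changed.
PASSWORD_CHANGE_REQUIRED = {"532", "773"}

# Constructed sample of the diagnostic message AD returns with LDAP error 49.
# The DSID value is a placeholder, not taken from a real server.
SAMPLE_DIAGNOSTIC = (
    "80090308: LdapErr: DSID-0C09XXXX, comment: AcceptSecurityContext error, "
    "data 773, v1db1"
)

# Match the "data <hex>" token wherever it sits, instead of trusting that
# explode(', ') yields it at index 2.
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def parse_ad_bind_data(diagnostic: Optional[str]) -> Optional[str]:
    """Return the lowercase 'data' sub-code, or None if the message is
    missing or not in the expected shape (no exception, no false match)."""
    if not diagnostic:
        return None
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def classify_bind_failure(ldap_errno: int, ad_mode: bool,
                          diagnostic: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a failed user bind may still proceed to a change.
    Only an AD invalid-credentials error (49) whose data code is 532/773
    is allowed through; every other case stays 'badcredentials'."""
    if ldap_errno == 0:
        return True, "bind ok"
    if ldap_errno != 49 or not ad_mode:
        return False, "badcredentials"
    code = parse_ad_bind_data(diagnostic)
    if code in PASSWORD_CHANGE_REQUIRED:
        return True, AD_BIND_DATA_CODES[code]
    return False, AD_BIND_DATA_CODES.get(code, "badcredentials")
```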
--
_______________________________________________
ltb-dev mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-dev