Issue #556 has been updated by Clément OUDOT.
Target version changed from self-service-password-? to self-service-password-0.9
I think we should not let a user with an expired password change its password, as he should have been warned before expiration. But it seems interesting to let a user change its password when the flag "user must reset password" is set.
----------------------------------------
Bug #556: If password in Active Directory is expired, user cannot change their password
http://tools.lsc-project.org/issues/556

Author: Eric Blevins
Status: Assigned
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-0.9

When using Active Directory, if the user's password is expired or if their account is flagged to change password on next login, that user cannot change their password. The following patch fixes the problem for me. When the LDAP bind fails using the user's credentials, rather than failing we look at some extended error data. If the bind failed because the password is expired or needs to be changed, we allow the reset process to continue, because those statuses are only returned if the correct un/pw was provided.

Here are all of the extended status values that I know of; this patch only looks for the ones in *bold*:

525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
*532 - password expired*
533 - account disabled
701 - account expired
*773 - user must reset password*

<pre> diff -uNr ltb-project-self-service-password-0.8/pages/change.php new/pages/change.php --- ltb-project-self-service-password-0.8/pages/change.php 2012-10-20 08:52:59.000000000 +0000 +++ new/pages/change.php 2013-01-01 02:24:18.000000000 +0000
@@ -136,6 +136,18 @@ # Bind with old password $bind = ldap_bind($ldap, $userdn, $oldpassword); $errno = ldap_errno($ldap); + if ( ($errno == 49) && $ad_mode ) { + if (ldap_get_option($ldap,0x0032,$extended_error)) { + error_log("LDAP - Bind user extended_error $extended_error (".ldap_error($ldap).")"); + $extended_error = explode(', ', $extended_error); + if(strpos($extended_error[2],'773') || strpos($extended_error[2],'532')){ + #This user provided correct password but it needs reset (773) or has expired and needs reset (532) + error_log("LDAP - Bind user password is expired or needs changed"); + unset($extended_error); + $errno = 0; + } + } + } if ( $errno ) { $result = "badcredentials"; error_log("LDAP - Bind user error $errno (".ldap_error($ldap).")"); </pre> -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
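Review bot: `if(strpos($extended_error[2],'773') || strpos($extended_error[2],'532'))` uses the offset returned by `strpos` as a boolean, so a match at offset 0 counts as no match, and it assumes the `data NNN` field always lands in index 2 of the `explode(', ', ...)` result, which yields an undefined-index notice on any message with a different shape; match the field explicitly instead, for example `preg_match('/\bdata ([0-9a-f]+)\b/i', $extended_error, $m)` on the unsplit string and compare `$m[1]` against `'532'`/`'773'`. The bigger issue is that `$errno = 0;` only clears the error flag: `$bind` is still false and the connection is not authenticated as the user, yet everything after `if ( $errno )` now runs as if the user bind had succeeded, so the code that performs the password modification must re-bind with the manager credentials before touching the entry (and the log line "Bind user password is expired or needs changed" should say which of the two codes was seen, since the maintainer wants to allow 773 but not 532). `unset($extended_error)` is unnecessary once the check has been made.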
_______________________________________________ ltb-dev mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-dev
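The decision the bug report describes, parsing the `data NNN` field out of the Active Directory diagnostic message that accompanies an LDAP error 49 (invalid credentials) and treating only 532 and 773 as "password verified, change required", written out as an added example. This is not code from the issue or from the Self Service Password project (which is PHP); it is Python so the logic can be run stand-alone. The sample messages are constructed in the shape AD returns, with the code in the `data` field; the function names and the `errno`/`ad_mode` parameters are assumptions mirroring the variables in the patch.

```python
import re

# Constructed sample diagnostic messages, in the shape Active Directory
# attaches to an LDAP error 49 on a failed simple bind. The account status
# is the hex value after "data"; the DSID varies between DC builds.
SAMPLE_BAD_PASSWORD = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                       "AcceptSecurityContext error, data 52e, v1db1")
SAMPLE_EXPIRED = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                  "AcceptSecurityContext error, data 532, v1db1")
SAMPLE_MUST_RESET = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                     "AcceptSecurityContext error, data 773, v1db1")

# The status values listed in the bug report.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
}

# Only these two are returned after the supplied password was verified,
# so they are the only ones that may let the change flow continue.
PASSWORD_VERIFIED_CHANGE_REQUIRED = frozenset({"532", "773"})

LDAP_INVALID_CREDENTIALS = 49

# Match the code field explicitly instead of relying on its position
# in a ', '-split list (and instead of a truthiness test on strpos).
_DATA_CODE_RE = re.compile(r"\bdata ([0-9A-Fa-f]+)\b")


def extract_ad_data_code(diagnostic_message):
    """Return the lowercase 'data' code from an AD diagnostic message, or None."""
    if not diagnostic_message:
        return None
    match = _DATA_CODE_RE.search(diagnostic_message)
    return match.group(1).lower() if match else None


def describe_ad_data_code(code):
    """Human-readable meaning of a data code (unknown codes are reported as such)."""
    return AD_BIND_DATA_CODES.get(code, "unknown code %r" % (code,))


def classify_bind(errno, ad_mode, diagnostic_message):
    """Map a bind outcome to one of three page states (names are assumptions).

    'ok'             - bind succeeded
    'changerequired' - AD mode, error 49, and the password was verified but
                       must be changed (data 532 or 773)
    'badcredentials' - anything else, including every other data code
    """
    if errno == 0:
        return "ok"
    if errno != LDAP_INVALID_CREDENTIALS or not ad_mode:
        return "badcredentials"
    code = extract_ad_data_code(diagnostic_message)
    if code in PASSWORD_VERIFIED_CHANGE_REQUIRED:
        return "changerequired"
    return "badcredentials"


if __name__ == "__main__":
    for msg in (SAMPLE_BAD_PASSWORD, SAMPLE_EXPIRED, SAMPLE_MUST_RESET):
        code = extract_ad_data_code(msg)
        print(code, describe_ad_data_code(code),
              "->", classify_bind(LDAP_INVALID_CREDENTIALS, True, msg))
```

A 'changerequired' result only establishes that the password the user typed was correct; the bind itself still failed, so the connection is not authenticated as the user and the subsequent password modification has to be performed with a separately bound privileged account. Whether to accept 532 as well as 773 is the policy question raised in the comment above; the set `PASSWORD_VERIFIED_CHANGE_REQUIRED` is the single place to narrow it.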
