[jira] [Commented] (DIRSTUDIO-1284) Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - Must supply correct old password to change to new one
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17712121#comment-17712121 ] Emmanuel Lécharny commented on DIRSTUDIO-1284: -- To be clear: when the server implements the Password Policy draft ([https://docs.ldap.com/specs/draft-behera-ldap-password-policy-11.txt),] it is required, for security reasons, that the update is done using a DELETE followed by an ADD. That guarantees that the person changing the password actually *knows* what was the previous password. Otherwise it would be super easy to break in, simply when you have to modify someone password, without any knowledge about the previous password... See: {code} 8.2.1. Safe Modification If pwdSafeModify is set to TRUE and if there is an existing password value, the server ensures that the password update operation includes the user's existing password. When the LDAP modify operation is used to modify a password, this is done by specifying both a delete action and an add or replace action, where the delete action specifies the existing password, and the add or replace action specifies the new password. Other password update operations SHOULD employ a similar mechanism. Otherwise this policy will fail. If the existing password is not specified, the server does not process the operation and sends the appropriate response message to the client with the resultCode: insufficientAccessRights (50), and includes the passwordPolicyResponse in the controls field of the response message with the error: mustSupplyOldPassword (4). {code} > Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - > Must supply correct old password to change to new one > --- > > Key: DIRSTUDIO-1284 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1284 > Project: Directory Studio > Issue Type: Bug > Components: studio-ldifeditor >Affects Versions: 2.0.0-M17 > Environment: Mac OS 11.4, running on a MacBook Pro (16-inch, 2019) >Reporter: Katie Golan >Priority: Major > Fix For: 2.0.0-M18 > > Attachments: Screen Shot 2021-07-06 at 9.22.13 AM.jpg, Screen Shot > 2021-07-28 at 3.36.39 PM.png, screenshot-1.png > > > The current version of Apache Directory Studio (2.0.0.v20210717-M17) seems to > have a bug with password resets. I’ve confirmed that version > {{2.0.0.v20200411-M15}} does not have this bug. > # In Password Editor, the same password is entered for "Enter New Password" > and "Confirm New Password" > # When you click "OK", the following error results: > "Error while executing LDIF > - [LDAP result code 53 - unwillingToPerform] Must supply correct old > password to change to new one" > > * I successfully reset the password for User A on version M15. > * After upgrading to version M17, I got the above error when attempting a > password reset for User A. > * I then uninstalled Apache, rebooted, and reinstalled version M15. > * After M15 reinstall, I was able to successfully reset User A's password > again. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Commented] (DIRSTUDIO-1284) Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - Must supply correct old password to change to new one
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17508267#comment-17508267 ] David Coutadeur commented on DIRSTUDIO-1284: I have also reproduced the same error. In accordance with the password policy draft ([https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10),] it is possible to change the password by a simple "LDAP modify" operation, but in this context, if you do a delete + add, it means that you are providing the previous password in the delete operation. And when you provide the previous password, it is going to be verified by the password policy. Thus, as Apache Directory Studio provides the previous password as a hash, the password policy can't verify it, which results in the given error: {color:#00}53: Must supply correct old password to change to new one{color} Apache Directory Studio should modify this behaviour and send the password modification as a unique "replace" operation > Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - > Must supply correct old password to change to new one > --- > > Key: DIRSTUDIO-1284 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1284 > Project: Directory Studio > Issue Type: Bug > Components: studio-ldifeditor >Affects Versions: 2.0.0-M17 > Environment: Mac OS 11.4, running on a MacBook Pro (16-inch, 2019) >Reporter: Katie Golan >Priority: Major > Fix For: 2.0.0-M15 > > Attachments: Screen Shot 2021-07-06 at 9.22.13 AM.jpg, Screen Shot > 2021-07-28 at 3.36.39 PM.png, screenshot-1.png > > > The current version of Apache Directory Studio (2.0.0.v20210717-M17) seems to > have a bug with password resets. I’ve confirmed that version > {{2.0.0.v20200411-M15}} does not have this bug. > # In Password Editor, the same password is entered for "Enter New Password" > and "Confirm New Password" > # When you click "OK", the following error results: > "Error while executing LDIF > - [LDAP result code 53 - unwillingToPerform] Must supply correct old > password to change to new one" > > * I successfully reset the password for User A on version M15. > * After upgrading to version M17, I got the above error when attempting a > password reset for User A. > * I then uninstalled Apache, rebooted, and reinstalled version M15. > * After M15 reinstall, I was able to successfully reset User A's password > again. -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Commented] (DIRSTUDIO-1284) Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - Must supply correct old password to change to new one
[ https://issues.apache.org/jira/browse/DIRSTUDIO-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17389780#comment-17389780 ] Stefan Seelmann commented on DIRSTUDIO-1284: Which LDAP server do you use? Googling for the error message ("Must supply correct old password to change to new one") reveals it's OpenLDAP and especially the password policy overlay, but I better ask for it. Can you also check in the "Modification Logs" view which modify operation is sent in both Studio versions to the server? Does it send a combindes delete+add or a replace, see attached screenshot for an example: !screenshot-1.png! Last not least, since Studio version M16 there is support for the "Password Modify Extended Operation" which provides better support for changing passwords: Right-click on the entry -> Extended Operations -> Password Modify... > Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - > Must supply correct old password to change to new one > --- > > Key: DIRSTUDIO-1284 > URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1284 > Project: Directory Studio > Issue Type: Bug > Components: studio-ldifeditor >Affects Versions: 2.0.0-M17 > Environment: Mac OS 11.4, running on a MacBook Pro (16-inch, 2019) >Reporter: Katie Golan >Priority: Major > Fix For: 2.0.0-M15 > > Attachments: Screen Shot 2021-07-06 at 9.22.13 AM.jpg, Screen Shot > 2021-07-28 at 3.36.39 PM.png, screenshot-1.png > > > The current version of Apache Directory Studio (2.0.0.v20210717-M17) seems to > have a bug with password resets. I’ve confirmed that version > {{2.0.0.v20200411-M15}} does not have this bug. > # In Password Editor, the same password is entered for "Enter New Password" > and "Confirm New Password" > # When you click "OK", the following error results: > "Error while executing LDIF > - [LDAP result code 53 - unwillingToPerform] Must supply correct old > password to change to new one" > > * I successfully reset the password for User A on version M15. > * After upgrading to version M17, I got the above error when attempting a > password reset for User A. > * I then uninstalled Apache, rebooted, and reinstalled version M15. > * After M15 reinstall, I was able to successfully reset User A's password > again. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org