[jira] [Commented] (DIRSTUDIO-1284) Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - Must supply correct old password to change to new one

2023-04-13 Thread Jira


[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17712121#comment-17712121
 ] 

Emmanuel Lécharny commented on DIRSTUDIO-1284:
--

To be clear: when the server implements the Password Policy draft 
(https://docs.ldap.com/specs/draft-behera-ldap-password-policy-11.txt), it is 
required, for security reasons, that the update is done using a DELETE followed 
by an ADD. That guarantees that the person changing the password actually 
*knows* what was the previous password. Otherwise it would be super easy to 
break in, simply when you have to modify someone's password, without any 
knowledge about the previous password...

See:
{code}
8.2.1. Safe Modification

If pwdSafeModify is set to TRUE and if there is an existing password value, 
the server ensures that the password update operation includes the user's 
existing password.

When the LDAP modify operation is used to modify a password, this is done by 
specifying both a delete action and an add or replace action, where the delete 
action specifies the existing password, and the add or replace action 
specifies the new password. Other password update operations SHOULD employ a 
similar mechanism. Otherwise this policy will fail.

If the existing password is not specified, the server does not process the 
operation and sends the appropriate response message to the client with the 
resultCode: insufficientAccessRights (50), and includes the 
passwordPolicyResponse in the controls field of the response message with the 
error: mustSupplyOldPassword (4).
{code}

> Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - 
> Must supply correct old password to change to new one
> ---
>
> Key: DIRSTUDIO-1284
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1284
> Project: Directory Studio
> Issue Type: Bug
> Components: studio-ldifeditor
> Affects Versions: 2.0.0-M17
> Environment: Mac OS 11.4, running on a MacBook Pro (16-inch, 2019)
> Reporter: Katie Golan
> Priority: Major
> Fix For: 2.0.0-M18
>
> Attachments: Screen Shot 2021-07-06 at 9.22.13 AM.jpg, Screen Shot 
> 2021-07-28 at 3.36.39 PM.png, screenshot-1.png
>
>
> The current version of Apache Directory Studio (2.0.0.v20210717-M17) seems to 
> have a bug with password resets. I’ve confirmed that version 
> {{2.0.0.v20200411-M15}} does not have this bug.
>  # In Password Editor, the same password is entered for "Enter New Password" 
> and "Confirm New Password"
>  # When you click "OK", the following error results:
> "Error while executing LDIF
>  - [LDAP result code 53 - unwillingToPerform] Must supply correct old 
> password to change to new one"
>  
>  * I successfully reset the password for User A on version M15.
>  * After upgrading to version M17, I got the above error when attempting a 
> password reset for User A.
>  * I then uninstalled Apache, rebooted, and reinstalled version M15.
>  * After M15 reinstall, I was able to successfully reset User A's password 
> again.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org



[jira] [Commented] (DIRSTUDIO-1284) Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - Must supply correct old password to change to new one

2022-03-17 Thread David Coutadeur (Jira)


[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17508267#comment-17508267
 ] 

David Coutadeur commented on DIRSTUDIO-1284:


I have also reproduced the same error.

In accordance with the password policy draft 
(https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10), 
it is possible to change the password by a simple "LDAP modify" operation, but 
in this context, if you do a delete + add, it means that you are providing the 
previous password in the delete operation.

And when you provide the previous password, it is going to be verified by the 
password policy.

Thus, as Apache Directory Studio provides the previous password as a hash, the 
password policy can't verify it, which results in the given error:

53: Must supply correct old password to change to new one

Apache Directory Studio should modify this behaviour and send the password 
modification as a unique "replace" operation.

> Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - 
> Must supply correct old password to change to new one
> ---
>
> Key: DIRSTUDIO-1284
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1284
> Project: Directory Studio
> Issue Type: Bug
> Components: studio-ldifeditor
> Affects Versions: 2.0.0-M17
> Environment: Mac OS 11.4, running on a MacBook Pro (16-inch, 2019)
> Reporter: Katie Golan
> Priority: Major
> Fix For: 2.0.0-M15
>
> Attachments: Screen Shot 2021-07-06 at 9.22.13 AM.jpg, Screen Shot 
> 2021-07-28 at 3.36.39 PM.png, screenshot-1.png



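Added example (not part of the original thread, and not code from Apache Directory Studio or OpenLDAP): a simplified Python model of the pwdSafeModify check discussed in the two comments above, showing why a delete carrying the cleartext old password is accepted while a delete carrying the stored hash is rejected. The function names, the {SSHA} scheme and the sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} userPassword value (salted SHA-1, base64-encoded)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def matches(stored: str, cleartext: str) -> bool:
    """Check a cleartext candidate against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(cleartext.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)


def safe_modify(stored: str, ops: list[tuple[str, str]]) -> tuple[int, str]:
    """Model of a modify on userPassword with pwdSafeModify set to TRUE.

    ops is a list of (action, value) pairs, e.g. [("delete", old), ("add", new)].
    """
    deletes = [value for action, value in ops if action == "delete"]
    if not deletes:
        # Draft section 8.2.1: the existing password was not specified.
        return 50, "mustSupplyOldPassword"
    # The delete value is treated as the cleartext old password and verified
    # against the stored hash; a hash sent as the value cannot match.
    if not any(matches(stored, value) for value in deletes):
        return 53, "Must supply correct old password to change to new one"
    return 0, "success"


# Constructed sample data, not taken from the issue.
STORED = ssha("old-secret", b"constructed-salt")


def demo() -> dict[str, tuple[int, str]]:
    new = "new-secret"
    return {
        "delete(cleartext)+add": safe_modify(STORED, [("delete", "old-secret"), ("add", new)]),
        "delete(hash)+add": safe_modify(STORED, [("delete", STORED), ("add", new)]),
        "replace only": safe_modify(STORED, [("replace", new)]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
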



[jira] [Commented] (DIRSTUDIO-1284) Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - Must supply correct old password to change to new one

2021-07-29 Thread Stefan Seelmann (Jira)


[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17389780#comment-17389780
 ] 

Stefan Seelmann commented on DIRSTUDIO-1284:


Which LDAP server do you use? Googling for the error message ("Must supply 
correct old password to change to new one") reveals it's OpenLDAP and 
especially the password policy overlay, but I'd better ask for it.

Can you also check in the "Modification Logs" view which modify operation is 
sent in both Studio versions to the server? Does it send a combined delete+add 
or a replace? See the attached screenshot for an example: screenshot-1.png

Last but not least, since Studio version M16 there is support for the "Password 
Modify Extended Operation" which provides better support for changing 
passwords: Right-click on the entry -> Extended Operations -> Password Modify...



> Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - 
> Must supply correct old password to change to new one
> ---
>
> Key: DIRSTUDIO-1284
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1284
> Project: Directory Studio
> Issue Type: Bug
> Components: studio-ldifeditor
> Affects Versions: 2.0.0-M17
> Environment: Mac OS 11.4, running on a MacBook Pro (16-inch, 2019)
> Reporter: Katie Golan
> Priority: Major
> Fix For: 2.0.0-M15
>
> Attachments: Screen Shot 2021-07-06 at 9.22.13 AM.jpg, Screen Shot 
> 2021-07-28 at 3.36.39 PM.png, screenshot-1.png


