Hi Arthur,

On Fri, Feb 18, 2022 at 07:11:24PM -0800, Ryan Tandy wrote:
> Hi Arthur,
> 
> sorry for the long delayed followup.
> 
> On Sun, Nov 14, 2021 at 04:20:03PM +0100, Arthur de Jong wrote:
> > > However the test_pamcmds script fails with the new version. The login
> > > with the correct password fails, the issue seems to be (from
> > > nslcd.log):
> > > 
> > > nslcd: [a88611] <authc="vsefcovic"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> > > nslcd: [a88611] <authc="vsefcovic"> DEBUG: myldap_search(base="cn=Veronica Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)")
> > > nslcd: [a88611] <authc="vsefcovic"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
> > > 
> > > Still looking into it, not sure why the new ppolicy wants the
> > > password changed after it was just reset earlier.
> > 
> > Do you know at which step this failed in the test_pamcmds test? In
> > general I found ppolicy controls during authentication to be somewhat
> > confusing, especially when a password was about to expire or needed to
> > be changed.
> 
> It failed on "testing correct password".
> 
> I think the behaviour change is due to ITS#7084:
> 
> https://bugs.openldap.org/show_bug.cgi?id=7084
> https://git.openldap.org/openldap/openldap/-/commit/376d5d65cb4d622abdd4bba250c80250e56dc4d8
> 
> With OpenLDAP 2.5, when the user's password is changed in reset_password(),
> they get pwdReset: TRUE added, because the policy has pwdMustChange: TRUE
> and the change is done by the administrator. Exactly like you said, the bind
> succeeds but then the search is not permitted. I can't remember whether
> nss-pam-ldapd is supposed to show a "password must be changed now" prompt in
> this case?
> 
> With OpenLDAP 2.4, I think pwdMustChange is consulted only when binding. I
> think the user is forced to change their password only if pwdMustChange and
> pwdReset are both set.
> 
> I removed "pwdMustChange: TRUE" from the policy and then the tests passed.
> Not sure if this is the correct fix, but at least I don't currently see
> anything in test_pamcmds.expect that would be expecting a forced reset?

Is there any news on this bug? nss-pam-ldapd is currently hinted for
removal from testing due to this bug (it has not happened yet, though).

Regards,
Salvatore
