M. P.

On 2016-11-20 23:22, Clément OUDOT wrote:
> 2016-11-18 16:31 GMT+01:00 k c <[email protected]>:
>>
>> Both manager account and user account have access to userPassword
>> attribute.
>>
>> In change mode, I don't have this problem.
>
> I can't reproduce the bug, the password is well read in the directory
> even in reset by mail mode:
>
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 fd=17 ACCEPT from IP=127.0.0.1:40324 (IP=0.0.0.0:389)
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=0 RESULT tag=97 err=0 text=
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=person)(uid=coudot))"
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=2 SRCH base="uid=coudot,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=2 SRCH attr=userPassword
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=3 MOD dn="uid=coudot,ou=users,dc=example,dc=com"
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=3 MOD attr=userPassword
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=3 RESULT tag=103 err=0 text=
> Nov 20 23:18:40 ader-sfl slapd[2894]: conn=1004 op=4 UNBIND

Looking at your logs, an idea came to my mind. I have a posthook script that manages the password history and prevents users from setting an older password for their account. I disabled the posthook, but the problem is still here.

> Could you send your LDAP logs?

Yes, without problem. I manually set the password for my test account.

# slappasswd -s myoldpassword
{SSHA}2CQ6100iu/iMZ7AcBvMd9scgHrZPjlxj

I request a reset by mail, receive the token, go to the URL in the mail and set a new password: 1H@a2H@a

Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 fd=42 ACCEPT from IP=10.93.64.132:57830 (IP=0.0.0.0:389)
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=0 BIND dn="uid=ssp,ou=svc,ou=access,dc=company,dc=com" method=128
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=0 BIND dn="uid=ssp,ou=svc,ou=access,dc=company,dc=com" mech=SIMPLE ssf=0
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=0 RESULT tag=97 err=0 text=
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=1 SRCH base="ou=People,dc=company,dc=com" scope=2 deref=0 filter="(&(objectClass=person)(uid=mtest))"
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=2 SRCH base="uid=mtest,ou=People,dc=company,dc=com" scope=0 deref=0 filter="(objectClass=*)"
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=2 SRCH attr=userPassword
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=3 MOD dn="uid=mtest,ou=People,dc=company,dc=com"
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=3 MOD attr=sambaNTPassword sambaPwdLastSet userPassword
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=3 RESULT tag=103 err=0 text=
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 op=4 UNBIND
Nov 21 16:52:42 ldap-qg slapd[4137]: conn=46706 fd=42 closed
Nov 21 16:52:42 ldap-qg slapd[4137]: do_syncrep2: rid=201 cookie=rid=201,csn=20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-qg slapd[4137]: syncrepl_message_to_entry: rid=201 DN: uid=mtest,ou=People,dc=company,dc=com, UUID: f5f75364-e3a0-1035-9c88-d5549413f5f5
Nov 21 16:52:42 ldap-qg slapd[4137]: syncrepl_entry: rid=201 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Nov 21 16:52:42 ldap-qg slapd[4137]: syncrepl_entry: rid=201 be_search (0)
Nov 21 16:52:42 ldap-qg slapd[4137]: syncrepl_entry: rid=201 uid=mtest,ou=People,dc=company,dc=com
Nov 21 16:52:42 ldap-qg slapd[4137]: slap_queue_csn: queueing 0x7f3f4810f1e0 20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-qg slapd[4137]: slap_graduate_commit_csn: removing 0x7f3f48117910 20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-qg slapd[4137]: syncrepl_entry: rid=201 be_modify uid=mtest,ou=People,dc=company,dc=com (0)
Nov 21 16:52:42 ldap-qg slapd[4137]: slap_queue_csn: queueing 0x7f3f4810f1e0 20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-qg slapd[4137]: slap_graduate_commit_csn: removing 0x7f3f48115690 20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-master slapd[30910]: conn=1313 op=41 PROXYAUTHZ dn="uid=ssp,ou=svc,ou=access,dc=company,dc=com"
Nov 21 16:52:42 ldap-master slapd[30910]: conn=1313 op=41 [IP=10.93.64.132 USERNAME=uid=ssp,ou=svc,ou=access,dc=company,dc=com] MOD dn="uid=mtest,ou=People,dc=company,dc=com"
Nov 21 16:52:42 ldap-master slapd[30910]: conn=1313 op=41 [IP=10.93.64.132 USERNAME=uid=ssp,ou=svc,ou=access,dc=company,dc=com] MOD attr=sambaNTPassword sambaPwdLastSet userPassword
Nov 21 16:52:42 ldap-master slapd[30910]: slap_queue_csn: queueing 0x7fac4b7f73f0 20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-master slapd[30910]: syncprov_sendresp: cookie=rid=201,csn=20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-master slapd[30910]: syncprov_sendresp: cookie=rid=201,csn=20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-master slapd[30910]: slap_queue_csn: queueing 0x7fac340130c8 20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-master slapd[30910]: slap_graduate_commit_csn: removing 0x7fac34129520 20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-master slapd[30910]: conn=1313 op=41 [IP=10.93.64.132 USERNAME=uid=ssp,ou=svc,ou=access,dc=company,dc=com] RESULT tag=103 err=0 text=
Nov 21 16:52:42 ldap-master slapd[30910]: slap_graduate_commit_csn: removing 0x7fac3412b990 20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-master slapd[30910]: syncprov_sendresp: cookie=rid=201,csn=20161121165242.435526Z#000000#000#000000
Nov 21 16:52:42 ldap-master slapd[30910]: syncprov_sendresp: cookie=rid=201,csn=20161121165242.435526Z#000000#000#000000

and the log from ssp in debug mode:

[Mon Nov 21 16:52:42.423144 2016] [:error] [pid 11565] [client 10.75.1.57:43106] PHP Notice: Undefined variable: mail_wordwrap in /usr/share/self-service-password/index.php on line 137, referer: https://ssp.company.com/motdepasse/index.php?action=resetbytoken&token=44:qO4BudofumwxPJs1Nwe7VcsMYOf5uHMi79Qfge/nCWw=l1Qra33VKgZt9xsYiMpq6AUD5h98KSJoZi8=
[Mon Nov 21 16:52:42.423771 2016] [:error] [pid 11565] [client 10.75.1.57:43106] PHP Notice: session_start(): ps_files_cleanup_dir: opendir(/var/lib/php5/sessions) failed: Permission denied (13) in /usr/share/self-service-password/pages/resetbytoken.php on line 67, referer: https://ssp.company.com/motdepasse/index.php?action=resetbytoken&token=44:qO4BudofumwxPJs1Nwe7VcsMYOf5uHMi79Qfge/nCWw=l1Qra33VKgZt9xsYiMpq6AUD5h98KSJoZi8=
[Mon Nov 21 16:52:42.432046 2016] [:error] [pid 11565] [client 10.75.1.57:43106] PHP Warning: ldap_get_values(): Cannot get the value(s) of attribute Decoding error in /usr/share/self-service-password/lib/functions.inc.php on line 259, referer: https://ssp.company.com/motdepasse/index.php?action=resetbytoken&token=44:qO4BudofumwxPJs1Nwe7VcsMYOf5uHMi79Qfge/nCWw=l1Qra33VKgZt9xsYiMpq6AUD5h98KSJoZi8=

and as a result, in my change log I have:

dn: reqStart=20161121165242.000000Z,cn=accesslog
reqType: modify
reqAuthzID: uid=ssp,ou=svc,ou=access,dc=company,dc=com
reqDN: uid=mtest,ou=People,dc=company,dc=com
reqMod: sambaNTPassword:= 3A622CFEEEAA00745175841E184832B8
reqMod: sambaPwdLastSet:= 1479747162
reqMod: userPassword:= 1H@a2H@a
reqMod: entryCSN:= 20161121165242.435526Z#000000#000#000000
reqMod: modifiersName:= uid=ssp,ou=svc,ou=access,dc=company,dc=com
reqMod: modifyTimestamp:= 20161121165242Z
reqOld: sambaNTPassword: 3A622CFEEEAA00745175841E184832B8
reqOld: sambaPwdLastSet: 1479746863
reqOld: userPassword: {SSHA}2CQ6100iu/iMZ7AcBvMd9scgHrZPjlxj
reqOld: entryCSN: 20161121164944.089800Z#000000#000#000000
reqOld: modifiersName: uid=admmin,ou=people,dc=company,dc=com
reqOld: modifyTimestamp: 20161121164944Z

and before I forget:

$ grep hash conf/config.inc.php
# auto (will check the hash of current password)
$hash = "auto";

I'll take a look at the logs from ssp. I have not seen them before.

> Clément.
> _______________________________________________
> ltb-users mailing list
> [email protected]
> http://lists.ltb-project.org/listinfo/ltb-users
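Two things in this message are worth checking in code: the `$hash = "auto"` setting that picks the new hash scheme from the current `userPassword` value (which the `ldap_get_values(): ... Decoding error` warning shows could not be read here), and the accesslog record that ends up holding `userPassword:= 1H@a2H@a` with no `{SCHEME}` prefix. The example below is added here and is not code from the thread or from the LTB self-service-password project. It shows what an "auto" mode should do when the current value cannot be read (fall back to a configured scheme, never store the cleartext), and an audit function that scans slapo-accesslog LDIF for `userPassword` writes without a scheme prefix. The RFC 2307 SSHA/SHA/SMD5/MD5 encoding is real; the function names, the default scheme and the sample LDIF are assumptions made for the example (the sample record is built from the one quoted in this message plus one constructed hashed write).

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 2307 schemes handled here: name -> (digest constructor, salted?).
# Salted schemes store base64(digest || salt); unsalted ones store base64(digest).
_SCHEMES = {
    "SSHA": (hashlib.sha1, True),
    "SHA": (hashlib.sha1, False),
    "SMD5": (hashlib.md5, True),
    "MD5": (hashlib.md5, False),
}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def detect_scheme(stored):
    """Return the {SCHEME} prefix of a stored userPassword value, upper-cased,
    or None when the value is empty/unreadable or has no prefix (cleartext)."""
    if not stored:
        return None
    m = _SCHEME_RE.match(stored)
    return m.group(1).upper() if m else None


def hash_password(password, scheme="SSHA", salt=None):
    """Hash a password in the given scheme; salt is only used by salted schemes."""
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme: %r" % scheme)
    algo, salted = _SCHEMES[scheme]
    salt = (os.urandom(4) if salt is None else salt) if salted else b""
    digest = algo(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password, stored):
    """Check a password against a stored {SCHEME}base64 value (constant-time compare)."""
    scheme = detect_scheme(stored)
    if scheme not in _SCHEMES:
        return False
    algo, _ = _SCHEMES[scheme]
    raw = base64.b64decode(stored[len(scheme) + 2:])
    size = algo().digest_size
    digest, salt = raw[:size], raw[size:]
    return hmac.compare_digest(algo(password.encode("utf-8") + salt).digest(), digest)


def hash_for_storage(new_password, current_value, default_scheme="SSHA"):
    """An 'auto' hash mode (assumed behaviour for this example): reuse the scheme of
    the current value; when that value is missing, unreadable or uses a scheme we
    cannot produce, fall back to default_scheme. It never returns cleartext."""
    scheme = detect_scheme(current_value)
    if scheme not in _SCHEMES:
        scheme = default_scheme
    return hash_password(new_password, scheme)


def find_cleartext_password_writes(accesslog_ldif):
    """Scan slapo-accesslog LDIF for 'reqMod: userPassword:= <value>' lines whose
    value carries no {SCHEME} prefix. Returns [(reqDN, value), ...]."""
    hits = []
    req_dn = None
    for line in accesslog_ldif.splitlines():
        if not line.strip():  # a blank line ends an LDIF record
            req_dn = None
            continue
        if line.startswith("reqDN: "):
            req_dn = line[len("reqDN: "):].strip()
        elif line.startswith("reqMod: userPassword:= "):
            value = line[len("reqMod: userPassword:= "):].strip()
            if detect_scheme(value) is None:
                hits.append((req_dn, value))
    return hits


# Constructed sample: the record quoted in this thread, plus a hashed write that must not be flagged.
SAMPLE_ACCESSLOG = """\
dn: reqStart=20161121165242.000000Z,cn=accesslog
reqType: modify
reqAuthzID: uid=ssp,ou=svc,ou=access,dc=company,dc=com
reqDN: uid=mtest,ou=People,dc=company,dc=com
reqMod: sambaPwdLastSet:= 1479747162
reqMod: userPassword:= 1H@a2H@a
reqOld: userPassword: {SSHA}2CQ6100iu/iMZ7AcBvMd9scgHrZPjlxj

dn: reqStart=20161121170000.000000Z,cn=accesslog
reqType: modify
reqDN: uid=other,ou=People,dc=company,dc=com
reqMod: userPassword:= {SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

if __name__ == "__main__":
    # Report the DN only; the value is a password and should not be echoed.
    for dn, _value in find_cleartext_password_writes(SAMPLE_ACCESSLOG):
        print("cleartext userPassword written to %s" % dn)
```

Run against a real accesslog export (`ldapsearch -b cn=accesslog`) the audit function lists every entry whose password was stored unhashed, which is the quickest way to find out how many accounts a misbehaving "auto" mode has affected; `hash_for_storage` shows the fallback that prevents the condition in the first place.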
