On 01/09/2017 at 14:45, Sebastian Perkins - Hoist Group - Switzerland wrote:

> >> If you use a blank entry as binddn, you will not be able to use reset
> >> features (mail/questions/sms), as in this case the old password of the user is
> >> not known.
>
> Silly me, of course I simply cannot bind without the working pass :D
>
> Some updates on the test I am performing:
>
> · ldapS is used with root dn bind
> · no salt, no hash SSP side, to let the LDAP server encode the pass itself (in order to keep the pwdHistory entries identical)
>
> Works fine from the classic "change" GUI interface! (ppolicy returns the generic error message)
>
> However our preferred token-via-mail option seems to bypass the tests on policy (but updates the hashes with an identical one)... and no "current pass" email (which makes sense for a reset), but still bypasses...
>
> I am using the stock Debian Jessie package:
>
> dpkg --list | grep self
> ii self-service-password 1.0-2 all LDAP password change web interface
>
> My understanding is that the reset token via mail - as it has no current password - binds with the root dn instead of the user dn and therefore bypasses ppolicy?

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
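The thread above describes a reset path that writes the password with the root DN bind, so the directory's ppolicy history check does not run, and notes the workaround of keeping pwdHistory hashes byte-identical. The following is an added example (not code from this thread or from Self Service Password) of the client-side history check an application can run before such a write: instead of comparing hash strings, it verifies the candidate against each stored {SSHA}/{SHA} value, so it works even when every entry carries a different salt. It assumes the slapo-ppolicy pwdHistory layout `time#syntaxOID#length#data`; the sample history values are constructed here.

```python
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple

# Syntax OID of the userPassword octet-string values stored in pwdHistory.
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"

def ssha(password: str, salt: bytes) -> str:
    """Encode like slapd's {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def history_entry(timestamp: str, hashed: str) -> str:
    """Build one pwdHistory value in the assumed layout time#syntaxOID#length#data."""
    return f"{timestamp}#{OCTET_STRING_OID}#{len(hashed)}#{hashed}"

def parse_pwd_history(value: str) -> Tuple[str, str, str]:
    timestamp, oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match its data")
    return timestamp, oid, data

def verify_userpassword(candidate: str, stored: str) -> bool:
    """Check a cleartext candidate against an {SSHA} or {SHA} userPassword value."""
    pw = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]   # 20-byte SHA-1 digest, then the salt slapd appended
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[5:])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    return False                             # unknown scheme: never report a match

def reused_password(candidate: str, history: List[str]) -> Optional[str]:
    """Return the timestamp of the pwdHistory entry the candidate matches, or None."""
    for value in history:
        timestamp, _oid, data = parse_pwd_history(value)
        if verify_userpassword(candidate, data):
            return timestamp
    return None

# Constructed sample history; fixed salts only so the example is reproducible.
SAMPLE_HISTORY = [
    history_entry("20170801120000Z", ssha("Summer2017!", b"\x01\x02\x03\x04")),
    history_entry("20170815120000Z", ssha("Summer2017!", b"\xaa\xbb\xcc\xdd")),  # same password, other salt
    history_entry("20170830120000Z", "{SHA}" + base64.b64encode(hashlib.sha1(b"Autumn2017!").digest()).decode()),
]
```

Reading pwdHistory from the directory still needs a bind DN with read access to that attribute; the check here only covers the values once fetched.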
