Hi Arthur,
On Fri, Feb 18, 2022 at 07:11:24PM -0800, Ryan Tandy wrote:
> Hi Arthur,
>
> sorry for the long delayed followup.
>
> On Sun, Nov 14, 2021 at 04:20:03PM +0100, Arthur de Jong wrote:
> > > However the test_pamcmds script fails with the new version. The login
> > > with the correct password fails, the issue seems to be (from
> > > nslcd.log):
> > >
> > > nslcd: [a88611] DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> > > nslcd: [a88611] DEBUG: myldap_search(base="cn=Veronica Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)")
> > > nslcd: [a88611] ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
> > >
> > > Still looking into it, not sure why the new ppolicy wants the
> > > password changed after it was just reset earlier.
> >
> > Do you know at which step this failed in the test_pamcmds test? In
> > general I found ppolicy controls during authentication to be somewhat
> > confusing, especially when a password was about to expire or needed to
> > be changed.
>
> It failed on "testing correct password".
>
> I think the behaviour change is due to ITS#7084:
>
> https://bugs.openldap.org/show_bug.cgi?id=7084
> https://git.openldap.org/openldap/openldap/-/commit/376d5d65cb4d622abdd4bba250c80250e56dc4d8
>
> With OpenLDAP 2.5, when the user's password is changed in reset_password(),
> they get pwdReset: TRUE added, because the policy has pwdMustChange: TRUE
> and the change is done by the administrator. Exactly like you said, the bind
> succeeds but then the search is not permitted. I can't remember whether
> nss-pam-ldapd is supposed to show a "password must be changed now" prompt in
> this case?
>
> With OpenLDAP 2.4, I think pwdMustChange is consulted only when binding. I
> think the user is forced to change their password only if pwdMustChange and
> pwdReset are both set.
>
> I removed "pwdMustChange: TRUE" from the policy and then the tests passed.
> Not sure if this is the correct fix, but at least I don't currently see
> anything in test_pamcmds.expect that would be expecting a forced reset?
Is there any news on this bug? nss-pam-ldapd is currently hinted for
removal from testing due to this bug (it has not happened yet, though).
Regards,
Salvatore
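For anyone following the thread who wants to see what nslcd is reacting to here: the "Password must be changed" text is how libldap renders the changeAfterReset error of the password-policy response control that slapd attaches to the successful bind. Below is an added example (not code from nss-pam-ldapd or OpenLDAP) that decodes that control value by hand, following the BER layout from draft-behera-ldap-password-policy as OpenLDAP's ppolicy overlay emits it (warning [0] constructed with timeBeforeExpiration [0] or graceAuthNsRemaining [1] inside, error [1] as a primitive ENUMERATED), and then sketches the decision a PAM client has to make after the bind. The sample control values are hand-encoded for the example, not captured from a server, and authenticate_outcome() is a hypothetical helper illustrating one sane way to handle the control; it is not a description of what nslcd actually does in this case.

```python
"""Decode the LDAP password-policy response control and act on it.

Added example, not code from nss-pam-ldapd or OpenLDAP.  BER layout is
taken from draft-behera-ldap-password-policy; tag values match what the
OpenLDAP ppolicy overlay sends (0xA0 warning, 0x80 expire, 0x81 grace
inside the warning, 0x81 error at the top level).  Sample byte strings
are constructed by hand for this example.
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# ENUMERATED error values from the draft; 2 is what libldap prints as
# "Password must be changed".
ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER: missing tag or length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad BER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER: value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _int(value):
    """Decode BER INTEGER / ENUMERATED contents (big-endian two's complement)."""
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value):
    """Decode the control value.  Returns a dict with any of the keys
    'timeBeforeExpiration', 'graceAuthNsRemaining' and 'error'."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result = {}
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0], constructed; exactly one CHOICE inside
            wtag, wval, wend = _read_tlv(content, 0)
            if wend != len(content):
                raise ValueError("trailing data inside warning")
            if wtag == 0x80:
                result["timeBeforeExpiration"] = _int(wval)
            elif wtag == 0x81:
                result["graceAuthNsRemaining"] = _int(wval)
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == 0x81:  # error [1], primitive ENUMERATED
            code = _int(content)
            result["error"] = ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response" % tag)
    return result


def authenticate_outcome(bind_ok, control_value):
    """Hypothetical post-bind decision for a PAM-style client (illustration,
    not nslcd's logic).  After changeAfterReset, slapd refuses everything but
    bind/unbind/abandon/StartTLS/password modify, so searching the user's
    entry next would only produce 'Insufficient access'; report that a new
    password is required instead."""
    if not bind_ok:
        return "auth-failed"
    info = decode_ppolicy_response(control_value) if control_value else {}
    err = info.get("error")
    if err == "changeAfterReset":
        return "new-password-required"
    if err == "passwordExpired":
        return "password-expired"
    if err is not None:
        return "error:" + err
    if "graceAuthNsRemaining" in info or "timeBeforeExpiration" in info:
        return "ok-with-warning"
    return "ok"


# Hand-constructed control values (not captured from a server):
SAMPLE_CHANGE_AFTER_RESET = bytes.fromhex("30 03 81 01 02")        # error=changeAfterReset
SAMPLE_EXPIRES_IN_3600 = bytes.fromhex("30 06 a0 04 80 02 0e 10")  # warning: expires in 3600 s
SAMPLE_GRACE_2 = bytes.fromhex("30 05 a0 03 81 01 02")            # warning: 2 grace binds left

if __name__ == "__main__":
    for name, sample in (("reset", SAMPLE_CHANGE_AFTER_RESET),
                         ("expiring", SAMPLE_EXPIRES_IN_3600),
                         ("grace", SAMPLE_GRACE_2)):
        print(name, decode_ppolicy_response(sample), authenticate_outcome(True, sample))
```

With a real connection the control value would come from the bind response's control list, keyed by PPOLICY_CONTROL_OID; the point of the decoder is that the client can tell "changeAfterReset" apart from an ordinary successful bind before it issues the search that slapd is going to reject.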