Full_Name: Pierre-Yves Bonnetain
Version: 2.3.35
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.41.162.162)
There is something "forgotten" in ppolicy overlay code. When pwdReset is set to TRUE, the user is properly asked to change his password. BUT if the (admin-made) previous password change is newer than pwdMinAge, the requested password change will be rejected with a "password too young" message:
-----------
$ ssh somehost -l someuser
Password:
You are required to change your LDAP password immediately.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint
violation
Password is too young to change
-----------
The pwdMinAge parameter should be ignored when pwdReset is set, otherwise the user will effectively be locked out of his account while waiting for the minimum delay to expire.
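A small model of the decision the report describes, added here as an illustration (it is not OpenLDAP's code): the entry, the timestamps, the pwdMinAge value and the `min_age_check` helper are all constructed. With `skip_when_reset=False` it reproduces the lockout; with `skip_when_reset=True` it applies the rule the report asks for, while a normal (non-reset) change is still held to pwdMinAge.

```python
"""Model of the slapo-ppolicy pwdMinAge check, with and without a pwdReset exception.

Added illustration, not OpenLDAP's own code. The entry, times and pwdMinAge
below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19  # constraintViolation result code (RFC 4511)


def parse_time(value):
    """Parse an LDAP GeneralizedTime such as '20070517151039Z' (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def min_age_check(entry, now, pwd_min_age, skip_when_reset):
    """Decide whether a user-initiated password change passes the pwdMinAge test.

    entry           -- dict of attribute name -> list of string values, LDAP-style
    now             -- aware datetime for the current time
    pwd_min_age     -- pwdMinAge in seconds
    skip_when_reset -- False: original behaviour (pwdMinAge always enforced)
                       True:  pwdMinAge ignored while pwdReset is TRUE
    Returns (result_code, diagnostic_text).
    """
    if skip_when_reset and entry.get("pwdReset", [""])[0] == "TRUE":
        return LDAP_SUCCESS, None
    changed = entry.get("pwdChangedTime")
    if changed:  # no pwdChangedTime means no age to enforce
        age = (now - parse_time(changed[0])).total_seconds()
        if age < pwd_min_age:
            return LDAP_CONSTRAINT_VIOLATION, "Password is too young to change"
    return LDAP_SUCCESS, None


def forced_change_scenario(skip_when_reset):
    """Constructed scenario: admin resets the password, user logs in 10 minutes later.

    pwdMinAge is one day, so without the exception the user is stuck for ~24h.
    """
    admin_reset = "20070517151039Z"
    entry = {
        "pwdChangedTime": [admin_reset],
        "pwdReset": ["TRUE"],  # set by the admin-made change
    }
    now = parse_time(admin_reset) + timedelta(minutes=10)
    return min_age_check(entry, now, pwd_min_age=86400, skip_when_reset=skip_when_reset)


def ordinary_change_scenario(skip_when_reset):
    """Constructed scenario: a normal user change 10 minutes after the previous one.

    pwdReset is not set, so pwdMinAge must still be enforced either way.
    """
    last_change = "20070517151039Z"
    entry = {"pwdChangedTime": [last_change], "pwdReset": ["FALSE"]}
    now = parse_time(last_change) + timedelta(minutes=10)
    return min_age_check(entry, now, pwd_min_age=86400, skip_when_reset=skip_when_reset)


if __name__ == "__main__":
    print("forced change, original rule:", forced_change_scenario(False))
    print("forced change, with exception:", forced_change_scenario(True))
    print("ordinary change, with exception:", ordinary_change_scenario(True))
```

Running the module prints the constraint violation for the forced change under the original rule, success once the exception is applied, and a constraint violation for the ordinary too-young change in both cases.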
Here is a patch to correct this behavior. Proposed patch may not adhere to coding standards and such, so feel free to enhance it as needed.
*** ppolicy.old 2007-02-08 13:31:24.000000000 +0100
--- ppolicy.c 2007-05-17 17:10:39.000000000 +0200
***************
*** 1696,1710 ****
time_t pwtime = (time_t)-1, now;
int age;
! if ((pa = attr_find( e->e_attrs,
ad_pwdChangedTime )) != NULL)
! pwtime = parse_time(
pa->a_nvals[0].bv_val );
! now = slap_get_time();
! age = (int)(now - pwtime);
! if ((pwtime != (time_t)-1) && (age
< pp.pwdMinAge)) {
! rs->sr_err =
LDAP_CONSTRAINT_VIOLATION;
! rs->sr_text = "Password is
too young to change";
! pErr = PP_passwordTooYoung;
! goto return_results;
}
}
--- 1696,1716 ----
time_t pwtime = (time_t)-1, now;
int age;
! /* Py Bonnetain, B&A Consultants : We
DON'T CARE for minAge if
pwdReset
! is set. */
! if ((pa = attr_find( e->e_attrs,
ad_pwdReset )) == NULL ||
! ! bvmatch( &pa->a_nvals[0],
&slap_true_bv) ) {
!
! if ((pa = attr_find( e->e_attrs,
ad_pwdChangedTime )) !=
NULL)
! pwtime = parse_time(
pa->a_nvals[0].bv_val );
! now = slap_get_time();
! age = (int)(now - pwtime);
! if ((pwtime != (time_t)-1) && (age
< pp.pwdMinAge)) {
! rs->sr_err =
LDAP_CONSTRAINT_VIOLATION;
! rs->sr_text = "Password is too
young to change";
! pErr = PP_passwordTooYoung;
! goto return_results;
! }
}
}
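Review bot: the pwdReset test added in the `--- 1696,1716 ----` block wraps the entire existing pwdMinAge check in an extra `if`, so nine lines that do not otherwise change are re-indented; computing the flag once before the age check, e.g. `int reset = (pa = attr_find( e->e_attrs, ad_pwdReset )) != NULL && bvmatch( &pa->a_nvals[0], &slap_true_bv );`, and adding `!reset &&` to the existing `if ((pwtime != (time_t)-1) && (age < pp.pwdMinAge))` condition would keep the diff minimal and the nesting flat. The logic itself is right: the age check is skipped only when pwdReset is present and matches `slap_true_bv`, so the relaxation applies exactly to the forced-change case the report describes, and a change made without pwdReset set is still held to pwdMinAge. Two smaller points: the comment should give the reason for the exception (a user with pwdReset set would otherwise be locked out until pwdMinAge expires) rather than an author credit, and this new exception to pwdMinAge should be described in slapo-ppolicy(5) alongside the pwdMinAge and pwdReset attributes.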