Ppolicy : pwdReset stays TRUE after a password change occurs
Description
pwdReset stays TRUE after a password change occurs, meaning the user will be stuck in password change until the admin removes the entry manually from LDAP.
Distribution Name and Version
debian:bullseye-slim
FusionDirectory Version
1.5-1
Plugin with the defect
ppolicy
PHP version used
php7.4
Origin of php packages
apt-cache policy php7.4
php7.4:
Installed: 7.4.33-1+deb11u8
Candidate: 7.4.33-1+deb11u8
Version table:
*** 7.4.33-1+deb11u8 500
500 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages
100 /var/lib/dpkg/status
7.4.33-1+deb11u5 500
500 http://deb.debian.org/debian bullseye/main amd64 Packages
Steps to Reproduce
- Install ppolicy plugin on FD
- Enable and configure ppolicy overlay on OpenLDAP
- create a ppolicy
- Inject schemas
- Try logging in with a user and enter wrong creds to lock the account
- From the admin account, edit the locked account and set "Force password change (resets locking)"
- Try logging in again with the same user (with the right creds) and click Edit to set a new password
- The password for this account will be changed, but if you try logging in again you'll notice that FD is asking you to change the password again (that is because the pwdReset attribute on the user entry stays TRUE after the password change occurs).
Expected behavior:
After the password change occurs, this attribute should be removed from the entry.
Actual behavior:
For some reason the attribute is not removed after a password change occurs, though it should be the expected behavior from what I've read here: #4743 (closed)
Reproduces how often:
Every time
Additional Information
Here's my ppolicy overlay config:
dn: olcOverlay=ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,dc=example,dc=com
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: TRUE
My ppolicy:
dn: cn=ppolicy,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: ppolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdFailureCountInterval: 300
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 5
pwdMaxRecordedFailure: 5
pwdMinLength: 4
pwdMustChange: TRUE
pwdSafeModify: TRUE
Please let me know if you need more information.
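As an added example (not part of the original report or of FusionDirectory), here is a small stdlib-only script an admin could use to spot entries left in the state described above, where pwdReset is still TRUE even though pwdChangedTime shows the user changed the password after the forced reset, and to generate the ldapmodify input that clears the stale flag. The LDIF sample, DNs and the `since` timestamp are constructed for the example.

```python
"""Find entries whose ppolicy pwdReset flag is stuck TRUE after a user password
change, and emit the ldapmodify LDIF that removes it. Offline, stdlib only."""
from datetime import datetime, timezone

# Constructed sample of what `ldapsearch -LLL '(pwdReset=TRUE)' pwdReset pwdChangedTime`
# might return (base64 values and wrapped lines beyond one continuation not handled).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdReset: TRUE
pwdChangedTime: 20240301120000Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdReset: TRUE
pwdChangedTime: 20240305083000Z

dn: uid=carol,ou=people,dc=example,dc=com
pwdChangedTime: 20240302090000Z
"""

def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts."""
    entries, cur, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:   # folded continuation line
            cur[last][-1] += raw[1:]
            continue
        if not raw.strip():                            # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = None, None
            continue
        attr, _, val = raw.partition(":")
        cur = cur if cur is not None else {}
        cur.setdefault(attr, []).append(val.strip())
        last = attr
    if cur:
        entries.append(cur)
    return entries

def stuck_resets(text, since):
    """DNs with pwdReset TRUE whose pwdChangedTime is strictly after `since`, the
    moment of the admin's forced reset: the user changed the password since then,
    so ppolicy should already have dropped the flag."""
    out = []
    for e in parse_ldif(text):
        if e.get("pwdReset", ["FALSE"])[0].upper() != "TRUE":
            continue
        changed = datetime.strptime(e["pwdChangedTime"][0], "%Y%m%d%H%M%SZ")
        if changed.replace(tzinfo=timezone.utc) > since:
            out.append(e["dn"][0])
    return out

def clear_reset_ldif(dns):
    """Build the ldapmodify input that deletes the stale pwdReset attribute."""
    return "".join(f"dn: {dn}\nchangetype: modify\ndelete: pwdReset\n-\n\n" for dn in dns)
```

Review the listed DNs before feeding the generated LDIF to `ldapmodify`; an entry whose pwdChangedTime predates the forced reset is legitimately waiting for the user to change the password.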