UserPasswordAttribute does not handle correctly clear method in templates

changed milestone to %FusionDirectory 1.4

added PJ1802-0188 label

created merge request !901 to address this issue

By Côme Chilliet on 2021-05-06T08:54:01 (imported from GitLab)

mentioned in merge request !901

By Côme Chilliet on 2021-05-06T08:54:02 (imported from GitLab)

mentioned in commit f64db106

By Côme Chilliet on 2021-05-06T09:46:51 (imported from GitLab)

Format of userPassword field for template changed, but it should not cause any problems as the attribute is still able to read the old format as well.

By Côme Chilliet on 2021-05-06T10:02:19 (imported from GitLab)

added 1h of time spent at 2021-05-06

By Côme Chilliet on 2021-05-06T10:02:20 (imported from GitLab)

added To Be Tested label

hello @cchilliet

i can i test this, can you put an exemple of the old and new format to be put in a template

Cheers

By bmortier on 2021-07-29T14:10:41 (imported from GitLab)

added 5m of time spent

By bmortier on 2021-07-29T14:10:41 (imported from GitLab)

changed due date to August 05, 2021

By bmortier on 2021-08-02T10:17:40 (imported from GitLab)

@bmortier Hello, you can test by using "clear" password method in a user template, modify it, and use it to create users and check it works.

The format to put in the template did not changes, it’s the LDAP format that changed, old was <hashedpassword>|<clearpassword>, new one is <method>|<lockstatus>|<clearpassword>.

By Côme Chilliet on 2021-08-25T15:15:02 (imported from GitLab)

hello @cchilliet

i juste tested with a template with clear for the password method and use it to create a user with it but the password is still in ssha.

see all screenshot behind

By bmortier on 2021-08-25T15:15:02 (imported from GitLab)

I reproduced this, but I think this is ppolicy hashing the password on LDAP server side, no?

(PPolicyHashCleartext: TRUE)

By Côme Chilliet on 2021-08-31T08:02:20 (imported from GitLab)

added 5m of time spent

By Côme Chilliet on 2021-08-02T12:29:33 (imported from GitLab)

assigned to @bmortier and unassigned @cchilliet

By bmortier on 2021-08-02T19:51:22 (imported from GitLab)

added 20m of time spent

By bmortier on 2021-08-25T15:15:03 (imported from GitLab)

removed To Be Tested label

unassigned @bmortier

By Jonathan Swaelens on 2021-08-26T13:06:42 (imported from GitLab)

assigned to @cchilliet

By Jonathan Swaelens on 2021-08-26T13:06:45 (imported from GitLab)

I did not reproduce yet, but the new format does cause problems reading old templates. In may case the old template had userPassword:{SSHA}!haeBGGqwy4Ax6FLxMqaP8PNNzA4Q/7Ew|%alp|sn% in the templated fields, because of the | in the password value it gets split as 3 fields with the new format and puts %alp in the password field.

We should adapt the code reading the format to better detect if middle field is a lock status or if we are reading old format.

By Côme Chilliet on 2021-09-02T14:57:57 (imported from GitLab)

This is fixed

By Côme Chilliet on 2021-09-02T14:57:57 (imported from GitLab)