error while resetting password with ppolicy enabled
Concerned version
Apache/2.4.25 (Debian) (prefork)
Debian 9.7
libapache2-mod-perl2 2.0.10-2
libmouse-perl 2.4.7-1
Platform: (Apache -> Any ?)
Summary
When OpenLDAP ppolicy is enabled, the password change sometimes fails.
Password policy control -> enabled
Extended password modify -> disabled
change as user -> enabled
Working scenario:
- log in as non-privileged user
- change password (ask old one)
- password changed
Non-working scenario:
- log in as non-privileged user
- change password (old one is asked), entering a new password that does not match the ppolicy (for example a too short password)
- ppolicy shows the correct message: password too short,
- change password (old one is asked), entering a new password that matches the ppolicy -> ERROR: Bad old password
Note that restarting Apache fixes the problem. The error occurs any time after a ppolicy error is returned.
After investigating, I found out that the error occurs in file Net/LDAP.pm:

```perl
else {
    if ($oldpassword) {
        # Check old password with a bind
        $mesg = $self->bind(
            $dn,
            password => $oldpassword,
            control  => [$pp]
        );
        my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
        unless ( defined $bind_resp ) {
            # Any non-zero result code is reported as a wrong old password,
            # including a connection error (code 81)
            if ( $mesg->code != 0 ) {
                $self->{portal}->logger->debug("Bad old password");
                return PE_BADOLDPASSWORD;
            }
        }
        # ... rest of the routine not shown in this report
    }
}
```
I noticed that the bind operation fails with a $mesg->code equal to 81, and the BIND operation is never sent to the LDAP server, as if there were a cache in the Net::LDAP library or in the Lemon code. Variables $dn and $oldpassword are correctly set.
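The snippet above reports every non-zero bind result as a bad old password, so a dead or stale connection (code 81, LDAP_SERVER_DOWN) is indistinguishable from a wrong password in the logs. The following stand-alone Perl script, added here as an illustration and not code from LemonLDAP::NG, performs the same ppolicy-controlled bind but keeps connection errors, ppolicy errors and invalid credentials apart and reconnects once on code 81; the LDAP URI, DN and password are taken from the command line and are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::PasswordPolicy;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS
                           LDAP_SERVER_DOWN LDAP_CONTROL_PASSWORDPOLICY);

# Verify the old password with a bind carrying the ppolicy request control.
# Returns 'ok', 'bad_password', 'policy:<pp_error>', 'connection_error'
# or 'ldap_error:<code>', so that a dead handle is never logged as a
# wrong password.
sub check_old_password {
    my ($ldap, $dn, $old_password) = @_;
    my $pp   = Net::LDAP::Control::PasswordPolicy->new;
    my $mesg = $ldap->bind($dn, password => $old_password, control => [$pp]);

    # Code 81 means the request never reached the server: infrastructure
    # problem, not a credential problem.
    return 'connection_error' if $mesg->code == LDAP_SERVER_DOWN;

    # The server attaches a ppolicy response control when it has something
    # to say (expiration, lockout, ...); report its error if present.
    my ($resp) = $mesg->control(LDAP_CONTROL_PASSWORDPOLICY);
    if (defined $resp && defined $resp->pp_error) {
        return 'policy:' . $resp->pp_error;
    }

    return 'ok'           if $mesg->code == LDAP_SUCCESS;
    return 'bad_password' if $mesg->code == LDAP_INVALID_CREDENTIALS;
    return 'ldap_error:' . $mesg->code;
}

# Usage: perl check.pl ldaps://ldap.example.com "cn=user,dc=example,dc=com" oldpw
my ($uri, $dn, $old) = @ARGV;
die "usage: $0 <ldap-uri> <dn> <old-password>\n" unless defined $old;
my $ldap = Net::LDAP->new($uri) or die "cannot connect to $uri: $@\n";
my $result = check_old_password($ldap, $dn, $old);
if ($result eq 'connection_error') {
    # Open a fresh connection and retry once instead of reusing a dead one.
    $ldap = Net::LDAP->new($uri) or die "reconnect to $uri failed: $@\n";
    $result = check_old_password($ldap, $dn, $old);
}
print "$result\n";
$ldap->unbind;
```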
Logs

```text
[debug] Launching ::Password::LDAP::_modifyPassword
[debug] Get DN from request data: cn=user,ou=branch,dc=domain,dc=com
[debug] Call modify password for cn=user,ou=branch,dc=domain,dc=com
[debug] Call bind for cn=user,ou=branch,dc=domain,dc=com
[debug] Bad old password
[debug] Unbind and disconnect from ldaps://ldap.domain.com
[debug] Returned error: 39
[debug] Skin returned: error
[debug] Calling sendHtml with template error
[debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/error.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/error.tpl
[debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self';frame-ancestors 'none';
```