PPolicy not checked when resetting user password
Concerned version
Version: 1.9.15
Platform: Apache
Summary
When activating the "Password policy control" option, the user is still able to change the password to the current one (or to one already stored in pwdHistory), even though OpenLDAP is configured with "pwdInHistory: 3". No check is done.
Logs
[Wed Feb 27 15:52:37.310851 2019] [perl:debug] [pid 16078] CGI.pm(115): Lemonldap::NG::Portal::MailReset: processing to sub storeMailSession
[Wed Feb 27 15:52:37.310895 2019] [perl:debug] [pid 16078] CGI.pm(115): Lemonldap::NG::Portal::MailReset: processing to sub sendConfirmationMail
[Wed Feb 27 15:52:37.310929 2019] [perl:debug] [pid 16078] CGI.pm(115): Lemonldap::NG::Portal::MailReset: processing to sub passwordDBInit
[Wed Feb 27 15:52:37.311043 2019] [perl:debug] [pid 16078] CGI.pm(115): Lemonldap::NG::Portal::MailReset: processing to sub changePassword
[Wed Feb 27 15:52:37.312381 2019] [perl:debug] [pid 16078] CGI.pm(115): Lemonldap::NG::Portal::MailReset: Modify password request for uid=mickael.brideldap,ou=CUST_5,o=grc.auth
[Wed Feb 27 15:52:37.315455 2019] [perl:debug] [pid 16078] CGI.pm(115): Lemonldap::NG::Portal::MailReset: Modification return code: 0
[Wed Feb 27 15:52:37.315596 2019] [perl:debug] [pid 16078] CGI.pm(115): Lemonldap::NG::Portal::MailReset: processing to sub userNotice
[Wed Feb 27 15:52:37.315727 2019] [perl:debug] [pid 16078] CGI.pm(114): /usr/share/perl5/vendor_perl/Lemonldap/NG/Common/CGI.pm 305:
[Wed Feb 27 15:52:37.315759 2019] [perl:notice] [pid 16078] Lemonldap::NG : Password changed mickael.brideldap (172.27.105.42)
[Wed Feb 27 15:52:37.315865 2019] [perl:debug] [pid 16078] CGI.pm(115): Lemonldap::NG::Portal::MailReset: Update password in session for mickael.brideldap
Backends used
OpenLDAP is well configured with a default password policy. When trying to change the password of the user using the "ldappasswd" command line tool, I notice it has to be changed as the user itself to have the controls checked (see below); if changed as an LDAP admin user, the controls are not applied. We use the reset password by email workflow.
# ldappasswd -W -S -D "uid=mickael.brideldap,ou=CUST_5,o=grc.auth" "uid=mickael.brideldap,ou=CUST_5,o=grc.auth"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is not being changed from existing value
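As an added example (not code from this report or from LemonLDAP::NG), this is the check a portal would have to perform itself when it rewrites userPassword as an admin, since, as observed above, slapd's ppolicy does not apply pwdInHistory to that modification. It assumes OpenLDAP's {SSHA} scheme and the draft-behera pwdHistory value format (time#syntaxOID#length#data); the sample hashes are constructed here, not taken from a real directory.

```python
import base64
import hashlib
import hmac

PASSWORD_SYNTAX_OID = "1.3.6.1.4.1.1466.115.121.1.40"  # Octet String syntax used in pwdHistory

def ssha(password: str, salt: bytes) -> str:
    """Build an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False  # other hash schemes are out of scope for this example
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def history_entry(timestamp: str, hashed: str) -> str:
    """Format a pwdHistory value as ppolicy stores it: time#oid#length#data."""
    return f"{timestamp}#{PASSWORD_SYNTAX_OID}#{len(hashed.encode('utf-8'))}#{hashed}"

def parse_history_entry(value: str) -> tuple:
    """Split a pwdHistory value and validate its length field."""
    timestamp, oid, length, data = value.split("#", 3)
    if int(length) != len(data.encode("utf-8")):
        raise ValueError("pwdHistory length field does not match data")
    return timestamp, oid, data

def check_new_password(new_password: str, current: str, history: list, pwd_in_history: int) -> str:
    """Return '' if acceptable, else the reason slapd's ppolicy would have refused it."""
    if verify_ssha(new_password, current):
        return "Password is not being changed from existing value"
    # Only the pwdInHistory most recent entries count; timestamps sort oldest to newest.
    recent = sorted(history, key=lambda v: v.split("#", 1)[0])[-pwd_in_history:]
    for entry in recent:
        _, oid, data = parse_history_entry(entry)
        if oid == PASSWORD_SYNTAX_OID and verify_ssha(new_password, data):
            return "Password is in history of old passwords"
    return ""

# Constructed sample data (not from a real directory); fixed salts keep it reproducible.
SAMPLE_CURRENT = ssha("Winter2019!", b"\x00" * 8)
SAMPLE_HISTORY = [
    history_entry("20181001120000Z", ssha("Summer2018!", b"\x01" * 8)),
    history_entry("20181101120000Z", ssha("Autumn2018!", b"\x02" * 8)),
    history_entry("20181201120000Z", ssha("Winter2018!", b"\x03" * 8)),
]
```

Binding as the user (as the ldappasswd session above does) lets slapd enforce the same rules itself; this client-side check is only a fallback for flows that must modify the entry with admin rights.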
Possible fixes
I tried to play with the "General Parameters > Authentication parameters > LDAP parameters > Password" menu, with no success.