Reset expired password process does not work without _whatToTrace macro or if old password is not required
Concerned version
Version: %2.0.X
Platform: All
Summary
Thanks to Vincent Van Osta for pointing this issue out and providing us with some logs!
As you said, the old password is asked, I type the old password, and the new one twice,
then I do not see an error message on screen, and I'm redirected immediately to the login page
Logs
"authentication" : "LDAP",
"passwordDB" : "LDAP",
"registerDB" : "LDAP",
"userDB" : "LDAP",
I have "grepped" ldap in the conf json file, in case you see something bad :
"authentication" : "LDAP",
"ldapAllowResetExpiredPassword" : 1,
"ldapAuthnLevel" : 2,
"ldapBase" : "dc=ecolo,dc=lan",
"ldapChangePasswordAsUser" : 1,
"ldapITDS" : 0,
"ldapPasswordResetAttribute" : "pwdReset",
"ldapPasswordResetAttributeValue" : "TRUE",
"ldapPpolicyControl" : 1,
"ldapPort" : 636,
"ldapPwdEnc" : "utf-8",
"ldapSearchDeref" : "find",
"ldapServer" : "REDACTED",
"ldapSetPassword" : 1,
"ldapTimeout" : 120,
"ldapUsePasswordResetAttribute" : 1,
"ldapVerify" : "none",
"ldapVersion" : 3,
"passwordDB" : "LDAP",
"registerDB" : "LDAP",
"remoteGlobalStorage" : "Lemonldap::NG::Common::Apache::Session::SOAP",
"soapProxyUrn" : "urn:Lemonldap/NG/Common/PSGI/SOAPService",
"userDB" : "LDAP",
For the logs, the debug level is enabled, I've restarted apache2 and retried a failed password change. Here are the 2 moments in the log :
- First the moment I click on "connect" with the user testuser and the password that must be reset because of ppolicy :
Nov 5 13:10:40 lemon LLNG[22266]: [debug] VH REDACTED is HTTPS
Nov 5 13:10:40 lemon LLNG[22266]: [info] No cookie found
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Build URL https://REDACTED/
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Redirect 91.182.221.226 to portal (url was /)
Nov 5 13:10:40 lemon LLNG[22266]: [debug] User not authenticated, Try in use, cancel redirection
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Start routing default route
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing restoreArgs
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing controlUrl
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Plugins::AutoSignin::check
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Trying to load token 1604506343_43633
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing getUser
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing authenticate
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Call bind for uid=testuser,ou=people,dc=ecolo,dc=lan
Nov 5 13:10:40 lemon LLNG[22266]: [debug] [error] Password policy error 2 for testuser
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Prepare token
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Token 1604506360_9899 created
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Prepare token
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Token 1604506360_41456 created
Nov 5 13:10:40 lemon LLNG[22266]: [debug] -> authResult = 25
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing setSessionInfo
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing setMacros
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing setPersistentSessionInfo
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Persistent session found for testuser
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Restore persistent parameter _loginHistory
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Restore persistent parameter _updateTime
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing storeHistory
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Current login saved into failedLogin
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Current login -> 25
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Found 'whatToTrace' -> testuser
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Update testuser persistent session
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Plugins::GrantSession::run
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Bad authentication, do not check grant session rules
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 25 (PE_PP_CHANGE_AFTER_RESET)
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Skin returned: login
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Calling sendHtml with template login
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Apply following CORS policy :
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Access-Control-Allow-Origin
Nov 5 13:10:40 lemon LLNG[22266]: [debug] *
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Access-Control-Allow-Credentials
Nov 5 13:10:40 lemon LLNG[22266]: [debug] true
- and second moment, when I'm on the password change screen asking old password, and new password twice, here is the log when I click on "submit" :
Nov 5 13:10:59 lemon LLNG[22266]: [debug] VH REDACTED is HTTPS
Nov 5 13:10:59 lemon LLNG[22266]: [info] No cookie found
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Build URL https://REDACTED/
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Redirect 91.182.221.226 to portal (url was /)
Nov 5 13:10:59 lemon LLNG[22266]: [debug] User not authenticated, Try in use, cancel redirection
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Start routing default route
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Processing restoreArgs
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Processing controlUrl
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Launching ::Plugins::AutoSignin::check
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Prepare token
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Token 1604506379_32637 created
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Returned error: 9 (PE_FIRSTACCESS)
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Display type standardform
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Skin returned: login
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Calling sendHtml with template login
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Apply following CORS policy :
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Access-Control-Allow-Origin
Nov 5 13:10:59 lemon LLNG[22266]: [debug] *
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Access-Control-Allow-Credentials
Nov 5 13:10:59 lemon LLNG[22266]: [debug] true
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Access-Control-Allow-Headers
Nov 5 13:10:59 lemon LLNG[22266]: [debug] *
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Access-Control-Allow-Methods
Nov 5 13:10:59 lemon LLNG[22266]: [debug] POST,GET
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Access-Control-Expose-Headers
Nov 5 13:10:59 lemon LLNG[22266]: [debug] *
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Access-Control-Max-Age
Nov 5 13:10:59 lemon LLNG[22266]: [debug] 86400
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Backends used
LDAP
Possible fixes
"_whatToTrace => $uid" did the trick
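A way to spot this failure in portal debug logs, as an added example that is not part of the original report or of LemonLDAP::NG's own code: it flags a client whose request ended in PE_PP_CHANGE_AFTER_RESET and whose next request ends in PE_FIRSTACCESS without any authenticate step, which is the sequence shown in the two log excerpts above. The function name, the 10-minute window and the sample lines are assumptions made for the example, and it assumes each request logs a "Redirect ... to portal" line as in the report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the debug lines in the report (the client IP
# is a documentation address, not the one from the report).
SAMPLE_LOG = """\
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Redirect 203.0.113.10 to portal (url was /)
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Processing authenticate
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Nov 5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 25 (PE_PP_CHANGE_AFTER_RESET)
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Redirect 203.0.113.10 to portal (url was /)
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov 5 13:10:59 lemon LLNG[22266]: [debug] Returned error: 9 (PE_FIRSTACCESS)
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8}) \S+ LLNG\[(\d+)\]: \[\w+\] (.*)$")
REDIRECT = re.compile(r"^Redirect (\S+) to portal")
RESULT = re.compile(r"^Returned error: \d+ \((PE_\w+)\)")

def find_dropped_password_changes(log_text, window=timedelta(minutes=10)):
    """Return (client, reset_time, drop_time) for each client whose request after
    PE_PP_CHANGE_AFTER_RESET ends in PE_FIRSTACCESS with no authenticate step."""
    request = {}   # worker pid -> [client, saw "Processing authenticate"]
    pending = {}   # client -> time the portal demanded a password change
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is assumed for parsing.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        start = REDIRECT.match(msg)
        if start:                      # first line of a request that names the client
            request[pid] = [start.group(1), False]
            continue
        if pid not in request:
            continue
        if msg == "Processing authenticate":
            request[pid][1] = True
        result = RESULT.match(msg)
        if not result:
            continue
        client, authenticated = request[pid]
        code = result.group(1)
        if code == "PE_PP_CHANGE_AFTER_RESET":
            pending[client] = ts
        elif client in pending:        # outcome of the follow-up request
            since = pending.pop(client)
            if code == "PE_FIRSTACCESS" and not authenticated and ts - since <= window:
                findings.append((client, since, ts))
    return findings
```
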