Status: Closed

Opened Nov 06, 2020 by Christophe Maudoux (@maudoux), Maintainer

Reset expired password process does not work without _whatToTrace macro or if old password is not required

Concerned version

Version: 2.0.X

Platform: All

Summary

Thanks to Vincent Van Osta for having pointed this issue out and for providing us with some logs!

As you said, the old password is asked; I type the old password and the new one twice (screenshot),

then I do not see an error message on screen, and I'm redirected immediately to the login page (screenshot).

Logs

I have "greped" ldap in the conf json file, in case you see something bad:
   "authentication" : "LDAP",
   "ldapAllowResetExpiredPassword" : 1,
   "ldapAuthnLevel" : 2,
   "ldapBase" : "dc=ecolo,dc=lan",
   "ldapChangePasswordAsUser" : 1,
   "ldapITDS" : 0,
   "ldapPasswordResetAttribute" : "pwdReset",
   "ldapPasswordResetAttributeValue" : "TRUE",
   "ldapPpolicyControl" : 1,
   "ldapPort" : 636,
   "ldapPwdEnc" : "utf-8",
   "ldapSearchDeref" : "find",
   "ldapServer" : "REDACTED",
   "ldapSetPassword" : 1,
   "ldapTimeout" : 120,
   "ldapUsePasswordResetAttribute" : 1,
   "ldapVerify" : "none",
   "ldapVersion" : 3,
   "passwordDB" : "LDAP",
   "registerDB" : "LDAP",
   "remoteGlobalStorage" : "Lemonldap::NG::Common::Apache::Session::SOAP",
   "soapProxyUrn" : "urn:Lemonldap/NG/Common/PSGI/SOAPService",
   "userDB" : "LDAP",

For the logs, the debug level is enabled; I've restarted apache2 and retried a failed password change. Here are the 2 moments in the log:
- First the moment I click on "connect" with the user testuser and the password that must be reset because of ppolicy :

Nov  5 13:10:40 lemon LLNG[22266]: [debug] VH REDACTED is HTTPS
Nov  5 13:10:40 lemon LLNG[22266]: [info] No cookie found
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Build URL https://REDACTED/
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Redirect 91.182.221.226 to portal (url was /)
Nov  5 13:10:40 lemon LLNG[22266]: [debug] User not authenticated, Try in use, cancel redirection
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Start routing default route
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing restoreArgs
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing controlUrl
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Plugins::AutoSignin::check
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Trying to load token 1604506343_43633
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing getUser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing authenticate
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Call bind for uid=testuser,ou=people,dc=ecolo,dc=lan
Nov  5 13:10:40 lemon LLNG[22266]: [debug] [error] Password policy error 2 for testuser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Prepare token
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Token 1604506360_9899 created
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Prepare token
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Token 1604506360_41456 created
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  -> authResult = 25
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing setSessionInfo
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing setMacros
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing setPersistentSessionInfo
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Persistent session found for testuser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Restore persistent parameter _loginHistory
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Restore persistent parameter _updateTime
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing storeHistory
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Current login saved into failedLogin
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  Current login -> 25
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Found 'whatToTrace' -> testuser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Update testuser persistent session
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Plugins::GrantSession::run
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Bad authentication, do not check grant session rules
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 25 (PE_PP_CHANGE_AFTER_RESET)
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Skin returned: login
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Calling sendHtml with template login
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Apply following CORS policy :
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  Access-Control-Allow-Origin
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  *
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  Access-Control-Allow-Credentials
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  true

- and second moment, when I'm on the password change screen asking for the old password and the new password twice, here is the log when I click on "submit":

Nov  5 13:10:59 lemon LLNG[22266]: [debug] VH REDACTED is HTTPS
Nov  5 13:10:59 lemon LLNG[22266]: [info] No cookie found
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Build URL https://REDACTED/
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Redirect 91.182.221.226 to portal (url was /)
Nov  5 13:10:59 lemon LLNG[22266]: [debug] User not authenticated, Try in use, cancel redirection
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Start routing default route
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing restoreArgs
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing controlUrl
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Launching ::Plugins::AutoSignin::check
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Prepare token
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Token 1604506379_32637 created
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Returned error: 9 (PE_FIRSTACCESS)
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Display type standardform
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Skin returned: login
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Calling sendHtml with template login
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Apply following CORS policy :
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Allow-Origin
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  *
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Allow-Credentials
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  true
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Allow-Headers
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  *
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Allow-Methods
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  POST,GET
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Expose-Headers
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  *
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Max-Age
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  86400
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';

Backends used

LDAP

Possible fixes

"_whatToTrace => $uid" did the trick
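The two log excerpts above show the pattern of this bug: the first request ends in PE_PP_CHANGE_AFTER_RESET (25), and the password-change submission that follows never reaches "Processing authenticate" and is answered with PE_FIRSTACCESS (9), i.e. the portal treated the POST as a fresh visit and sent the user back to the login page. The following is an added example, not part of this issue or of LemonLDAP::NG itself: a small detector that flags that sequence in portal syslog lines (assuming the line shape seen above and that consecutive requests from one worker PID belong to the same user attempt), plus a check of an lmConf-style configuration dictionary for the missing `_whatToTrace` macro named under "Possible fixes"; the sample log is a condensed copy of the excerpts above, constructed here.

```python
import re
from typing import Dict, List

# Shape of an LLNG portal syslog line, as in the excerpts of this issue.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ LLNG\[(?P<pid>\d+)\]: "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$"
)

# Constructed sample: the two relevant moments from the report, condensed.
SAMPLE_LOG = """\
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing authenticate
Nov  5 13:10:40 lemon LLNG[22266]: [debug] [error] Password policy error 2 for testuser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 25 (PE_PP_CHANGE_AFTER_RESET)
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Returned error: 9 (PE_FIRSTACCESS)
"""


def find_dropped_resets(log_text: str) -> List[Dict[str, str]]:
    """Flag a forced password change (PE_PP_CHANGE_AFTER_RESET) that is followed,
    on the same worker, by a request ending in PE_FIRSTACCESS without ever
    reaching 'Processing authenticate' (assumption: same PID == same attempt)."""
    pending: Dict[str, str] = {}  # pid -> timestamp of the reset prompt
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a portal line; ignore
        pid, msg, ts = m["pid"], m["msg"], m["ts"]
        if "(PE_PP_CHANGE_AFTER_RESET)" in msg:
            pending[pid] = ts
        elif "Processing authenticate" in msg:
            pending.pop(pid, None)  # the follow-up POST was processed normally
        elif "(PE_FIRSTACCESS)" in msg and pid in pending:
            findings.append({"pid": pid, "prompted_at": pending.pop(pid), "dropped_at": ts})
    return findings


def lint_reset_config(conf: dict) -> List[str]:
    """Warn when expired-password reset is enabled but no _whatToTrace macro
    (the fix reported in this issue) is defined in the 'macros' section."""
    macros = conf.get("macros") or {}
    if conf.get("ldapAllowResetExpiredPassword") and not macros.get("_whatToTrace"):
        return ["ldapAllowResetExpiredPassword=1 but no _whatToTrace macro is defined"]
    return []


if __name__ == "__main__":
    for f in find_dropped_resets(SAMPLE_LOG):
        print(f"worker {f['pid']}: reset prompted {f['prompted_at']}, dropped {f['dropped_at']}")
    print(lint_reset_config({"ldapAllowResetExpiredPassword": 1, "macros": {}}))
```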

Edited Nov 06, 2020 by Christophe Maudoux
Milestone: 2.0.10
Reference: lemonldap-ng/lemonldap-ng#2377