Reset expired password process does not work without _whatToTrace macro or if old password is not required (#2377) · Issues · LemonLDAP NG / lemonldap-ng

Reset expired password process does not work without _whatToTrace macro or if old password is not required

Concerned version

Version: %2.0.X
Platform: All
Summary

Thanks to Vincent Van Osta to have pointed this issue out and provide us some logs!
As you said, the old password is asked, I type the old password, and the new one twice,
then I do not see an error message on screen,and I'm redirected immediately to the login page
Logs

"authentication" : "LDAP",

"passwordDB" : "LDAP",
   "registerDB" : "LDAP",
   "userDB" : "LDAP",
I have "greped" ldap in the conf json file, in cas you see something bad :
   "authentication" : "LDAP",
   "ldapAllowResetExpiredPassword" : 1,
   "ldapAuthnLevel" : 2,
   "ldapBase" : "dc=ecolo,dc=lan",
   "ldapChangePasswordAsUser" : 1,
   "ldapITDS" : 0,
   "ldapPasswordResetAttribute" : "pwdReset",
   "ldapPasswordResetAttributeValue" : "TRUE",
   "ldapPpolicyControl" : 1,
   "ldapPort" : 636,
   "ldapPwdEnc" : "utf-8",
   "ldapSearchDeref" : "find",
   "ldapServer" : "REDACTED",
   "ldapSetPassword" : 1,
   "ldapTimeout" : 120,
   "ldapUsePasswordResetAttribute" : 1,
   "ldapVerify" : "none",
   "ldapVersion" : 3,
   "passwordDB" : "LDAP",
   "registerDB" : "LDAP",
   "remoteGlobalStorage" : "Lemonldap::NG::Common::Apache::Session::SOAP",
   "soapProxyUrn" : "urn:Lemonldap/NG/Common/PSGI/SOAPService",
   "userDB" : "LDAP",

For the logs, the debug level is enabled, I've restarted apache2 and retry a failed passward change. Here are the 2 moments in the log :
- First the moment I click on "connect" with the user testuser and the password that must be reset because of ppolicy :

Nov  5 13:10:40 lemon LLNG[22266]: [debug] VH REDACTED is HTTPS
Nov  5 13:10:40 lemon LLNG[22266]: [info] No cookie found
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Build URL https://REDACTED/
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Redirect 91.182.221.226 to portal (url was /)
Nov  5 13:10:40 lemon LLNG[22266]: [debug] User not authenticated, Try in use, cancel redirection
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Start routing default route
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing restoreArgs
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing controlUrl
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Plugins::AutoSignin::check
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Trying to load token 1604506343_43633
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing getUser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing authenticate
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Call bind for uid=testuser,ou=people,dc=ecolo,dc=lan
Nov  5 13:10:40 lemon LLNG[22266]: [debug] [error] Password policy error 2 for testuser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Prepare token
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Token 1604506360_9899 created
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Prepare token
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Token 1604506360_41456 created
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  -> authResult = 25
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing setSessionInfo
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing setMacros
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing setPersistentSessionInfo
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Persistent session found for testuser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Restore persistent parameter _loginHistory
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Restore persistent parameter _updateTime
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing storeHistory
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Current login saved into failedLogin
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  Current login -> 25
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Found 'whatToTrace' -> testuser
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Update testuser persistent session
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Launching ::Plugins::GrantSession::run
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Bad authentication, do not check grant session rules
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Returned error: 25 (PE_PP_CHANGE_AFTER_RESET)
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Skin returned: login
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Calling sendHtml with template login
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov  5 13:10:40 lemon LLNG[22266]: [debug] Apply following CORS policy :
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  Access-Control-Allow-Origin
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  *
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  Access-Control-Allow-Credentials
Nov  5 13:10:40 lemon LLNG[22266]: [debug]  true

- and second moment, when I'm on the password change screen asking old password, and new passord twice, here is the log when I click on "submit" :

Nov  5 13:10:59 lemon LLNG[22266]: [debug] VH REDACTED is HTTPS
Nov  5 13:10:59 lemon LLNG[22266]: [info] No cookie found
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Build URL https://REDACTED/
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Redirect 91.182.221.226 to portal (url was /)
Nov  5 13:10:59 lemon LLNG[22266]: [debug] User not authenticated, Try in use, cancel redirection
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Start routing default route
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing restoreArgs
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing controlUrl
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing code ref
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Launching ::Plugins::AutoSignin::check
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Processing extractFormInfo
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Prepare token
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Token 1604506379_32637 created
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Returned error: 9 (PE_FIRSTACCESS)
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Display type standardform
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Skin returned: login
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Calling sendHtml with template login
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Skin bootstrap selected from GET/POST parameter
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Apply following CORS policy :
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Allow-Origin
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  *
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Allow-Credentials
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  true
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Allow-Headers
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  *
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Allow-Methods
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  POST,GET
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Expose-Headers
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  *
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  Access-Control-Max-Age
Nov  5 13:10:59 lemon LLNG[22266]: [debug]  86400
Nov  5 13:10:59 lemon LLNG[22266]: [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Backends used

LDAP
Possible fixes

_whatToTrace => $uid" did the trick
Edited Nov 06, 2020 by Christophe Maudoux