Password must change on AD still not fully working
Concerned version
Version: 2.0.2
Platform: CentOS 7 + nginx 1.15.8 with lua module
Summary
This is a follow-up to bug #1639 (closed). Progress has been made, but the functionality to force a user to change their password on next login is still not working perfectly against AD (samba4 in my case). Here's what happens:
- I create a user test, set a temp password and tick "User must change password on next login"
- I log this user in on the llng portal. I do get the "Password has been reset and now must be changed" information, and the form to reset the password (BTW, the "Password has been reset and now must be changed" msg is displayed in red, as if it were an error, while IMHO it should be displayed as an info, not an error). At this point, here are the logs:
févr. 16 11:24:13 proxyin2 LLNG[19922]: Launching ::Plugins::AutoSignin::check
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing extractFormInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Trying to load token 1550240758_-24306
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing getUser
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing authenticate
févr. 16 11:24:13 proxyin2 LLNG[19922]: Call bind for CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:24:13 proxyin2 LLNG[19922]: Bad password
févr. 16 11:24:13 proxyin2 LLNG[19922]: [AD] Password has expired
févr. 16 11:24:13 proxyin2 LLNG[19922]: [AD] Password reset. User must change his password
févr. 16 11:24:13 proxyin2 LLNG[19922]: Prepare token
févr. 16 11:24:13 proxyin2 LLNG[19922]: Token 1550240773_-1658 created
févr. 16 11:24:13 proxyin2 LLNG[19922]: -> authResult = 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setSessionInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setMacros
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setPersistentSessionInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Persistent session found for test
févr. 16 11:24:13 proxyin2 LLNG[19922]: Restore persistent parameter _loginHistory
févr. 16 11:24:13 proxyin2 LLNG[19922]: Restore persistent parameter _updateTime
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing storeHistory
févr. 16 11:24:13 proxyin2 LLNG[19922]: Current login saved into failedLogin
févr. 16 11:24:13 proxyin2 LLNG[19922]: Current login -> 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Found 'whatToTrace' -> test
févr. 16 11:24:13 proxyin2 LLNG[19922]: Update test persistent session
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing code ref
févr. 16 11:24:13 proxyin2 LLNG[19922]: Launching ::Plugins::GrantSession::run
févr. 16 11:24:13 proxyin2 LLNG[19922]: Returned error: 5
févr. 16 11:24:13 proxyin2 LLNG[19922]: Returned error: 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Skin returned: login
févr. 16 11:24:13 proxyin2 LLNG[19922]: Calling sendHtml with template login
févr. 16 11:24:13 proxyin2 LLNG[19922]: Skin bootstrap selected from GET/POST parameter
févr. 16 11:24:13 proxyin2 LLNG[19922]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
- Now, I enter the old password, and the new one twice, and submit the form. I'd expect to be redirected to the portal. But I'm not. Instead, I just see the form to change my password again because it has expired. Here are the logs when I submit the reset password form:
févr. 16 11:25:06 proxyin2 LLNG[19925]: Launching ::Plugins::AutoSignin::check
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing extractFormInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Trying to load token 1550240773_-1658
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing getUser
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing authenticate
févr. 16 11:25:06 proxyin2 LLNG[19925]: Call modify password for CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:25:06 proxyin2 LLNG[19925]: Active Directory mode enabled
févr. 16 11:25:06 proxyin2 LLNG[19925]: Modification return code: 0
févr. 16 11:25:06 proxyin2 LLNG[19925]: Password changed CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:25:06 proxyin2 LLNG[19925]: Update password in session for test
févr. 16 11:25:06 proxyin2 LLNG[19925]: [AD] Password has expired
févr. 16 11:25:06 proxyin2 LLNG[19925]: [AD] Password reset. User must change his password
févr. 16 11:25:06 proxyin2 LLNG[19925]: Prepare token
févr. 16 11:25:06 proxyin2 LLNG[19925]: Token 1550240826_-15384 created
févr. 16 11:25:06 proxyin2 LLNG[19925]: -> authResult = 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setSessionInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setMacros
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setPersistentSessionInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Persistent session found for test
févr. 16 11:25:06 proxyin2 LLNG[19925]: Restore persistent parameter _loginHistory
févr. 16 11:25:06 proxyin2 LLNG[19925]: Restore persistent parameter _updateTime
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing storeHistory
févr. 16 11:25:06 proxyin2 LLNG[19925]: Current login saved into failedLogin
févr. 16 11:25:06 proxyin2 LLNG[19925]: Current login -> 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Found 'whatToTrace' -> test
févr. 16 11:25:06 proxyin2 LLNG[19925]: Update test persistent session
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing code ref
févr. 16 11:25:06 proxyin2 LLNG[19925]: Launching ::Plugins::GrantSession::run
févr. 16 11:25:06 proxyin2 LLNG[19925]: Returned error: 5
févr. 16 11:25:06 proxyin2 LLNG[19925]: Returned error: 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Skin returned: login
févr. 16 11:25:06 proxyin2 LLNG[19925]: Calling sendHtml with template login
févr. 16 11:25:06 proxyin2 LLNG[19925]: Skin bootstrap selected from GET/POST parameter
- If I just open a new tab on the portal, I can login with the new password, and I don't get the password expired.
Backends used
CentOS 7, nginx 1.15.8 with lua module, LL::NG 2.0.2. DBI (MySQL) used for both config and session
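
A log check for the symptom reported above, as an added example that is not part of the original report or of LemonLDAP::NG: it flags any portal request in which the password modification returned code 0 but the request still ended with `authResult = 25`. The function name `find_stale_expiry` is hypothetical, the message strings are matched exactly as they appear in the logs above, and the sample is an excerpt of those logs.

```python
import re
from collections import defaultdict

# Excerpt of the two requests logged in the report (not the full logs).
SAMPLE = """\
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing authenticate
févr. 16 11:24:13 proxyin2 LLNG[19922]: Call bind for CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:24:13 proxyin2 LLNG[19922]: [AD] Password has expired
févr. 16 11:24:13 proxyin2 LLNG[19922]: -> authResult = 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing authenticate
févr. 16 11:25:06 proxyin2 LLNG[19925]: Call modify password for CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:25:06 proxyin2 LLNG[19925]: Modification return code: 0
févr. 16 11:25:06 proxyin2 LLNG[19925]: [AD] Password has expired
févr. 16 11:25:06 proxyin2 LLNG[19925]: -> authResult = 25
"""

LINE = re.compile(r"LLNG\[(\d+)\]: (.*)$")
MODIFY = "Call modify password for "


def find_stale_expiry(log_text):
    """Return [(pid, dn)] for requests where the modify succeeded
    but the request still finished with authResult = 25."""
    state = defaultdict(dict)  # per-worker state, reset on each request
    hits = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        s = state[pid]
        if msg == "Processing authenticate":
            s.clear()  # a worker PID serves many requests; start fresh
        elif msg.startswith(MODIFY):
            s["dn"] = msg[len(MODIFY):]
        elif msg == "Modification return code: 0" and "dn" in s:
            s["changed"] = True
        elif msg == "-> authResult = 25":
            if s.get("changed"):
                hits.append((pid, s["dn"]))
            s.clear()
    return hits


if __name__ == "__main__":
    for pid, dn in find_stale_expiry(SAMPLE):
        print(f"worker {pid}: password changed for {dn} but authResult stayed 25")
```

The first request (a plain bind with an expired password) is not flagged; only the request that changed the password and was still sent back to the change form is.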