0001719: Impossible to change password at logon time (pwdreset ppolicy) - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0001719	SOGo	Backend General	public	2012-03-22 16:01	2014-02-04 20:28

Reporter	efuste	Assigned To	ludovic
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed

Summary	0001719: Impossible to change password at logon time (pwdreset ppolicy)
Description	Context: Ubuntu 11.10 Sogo 1.3.13 ppolicy activated on sogo and openldap password change in user pref -> ok, and error on password constraints are correctly reported. ldap attribute pwdreset added to the account login -> popup requesting new password giving a new ppolicy compliant password -> unknown ppolicy error 32552 (number not always the same). On the ldap side, with debug 128 or 255, no activity when trying to apply new password. No error in sogo.log Side effect bug: hit cancel -> hit login -> sogo log in because the bind was successful and cached even if password must be changed. -> in case of password change request by ppolicy, password and successful logon should not be cached by SOGo. (should I open a specific bug for this ?)
Tags	No tags attached.

efuste 2012-03-22 16:17 reporter ~0003620	additional info Main bug: using ldappasswd as the user to change the password and reset the pwdreset attribute work as expected. side effect bug: sogo log on but all directory operation fails as expected (search is denied because password must be changed)

efuste 2012-03-23 08:50 reporter ~0003625	Using the side effect bug, bypass the "force password change" by hitting cancel and logon. Access user prefs, password tab. Change the password -> password change ok So the main bug is limited to the login page password change popup. Bug opened as minor but is major/block for us.

efuste 2012-03-23 13:11 reporter ~0003626	The side effect bug could be view as a security bug (security policy bypass). (I know, I should take a support contract, I expect that is it in the pipe of buyers from my side)

efuste 2012-03-23 14:03 reporter ~0003627	one more thought: Not only the password should be cached after the complete policy validation, but in case of ppolicy use, negative caching should not be use to not perturb ppolicy functionallity like pwdMaxFailure and pwdMaxFailureCountInternval.

ludovic 2012-05-31 18:51 administrator ~0003998	What are the version of the OpenLDAP libraries on your machine?

efuste 2012-06-01 09:41 reporter ~0004002	libldap-2.4-2 2.4.25-1.1ubuntu4.1

efuste 2013-03-06 17:30 reporter ~0005412	Part of side effect bug should be fixed by 0002263 Will test it in context of ppolicy.

efuste 2013-03-07 09:17 reporter ~0005413	Fix is here : 0002169 Need to check if the ppolicy password change bug is still relevant.

ludovic 2014-02-04 20:28 administrator ~0006495	Fixed a little while ago.

Date Modified	Username	Field	Change
2012-03-22 16:01	efuste	New Issue
2012-03-22 16:17	efuste	Note Added: 0003620
2012-03-23 08:50	efuste	Note Added: 0003625
2012-03-23 13:11	efuste	Note Added: 0003626
2012-03-23 14:03	efuste	Note Added: 0003627
2012-05-31 18:51	ludovic	Note Added: 0003998
2012-06-01 09:41	efuste	Note Added: 0004002
2013-03-06 17:30	efuste	Note Added: 0005412
2013-03-07 09:17	efuste	Note Added: 0005413
2013-03-07 13:42	francis	Relationship added	child of 0002169
2014-02-04 20:28	ludovic	Note Added: 0006495
2014-02-04 20:28	ludovic	Status	new => closed
2014-02-04 20:28	ludovic	Assigned To	=> ludovic
2014-02-04 20:28	ludovic	Resolution	open => fixed