#47492 PassSync removes User must change password flag on the Windows side
Closed: wontfix None Opened 8 years ago by rmeggins.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Directory Server): Bug 1001037

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

On RHDS the password policy set is :

Set minimum password age.
- User may change password "Allow changes in 7 Days"

Set Password change on first login
- User must change password after reset.

On Active Directory :

Set minimum password age.
- Minimum password age in gpedit.msc -> Computer Configuration -> Windows
Settings -> Account Policies -> Password Policy

Set Password change on first login
- Check "User must change password on next logon"

In Windows, a new user is created, their password is set and the "User must
change password on next logon" box is checked.  The default password is sent to
RHDS, which sets the user's password but removes the flag to change their
password on next logon.

In Windows the password is also set and due to the sync the Must change
password flag is removed.  If an admin resets the flag in Windows the user is
no longer able to update their password until the 7 days have passed.

Version-Release number of selected component (if applicable):
Red Hat directory Server 9.0

How reproducible:

Steps to Reproduce:

Actual results:
It removes the flag "User must change password at next logon" on the AD side
after "Send and receive updates now" on the RHDS.

Expected results:
It should not remove the flag for initial change password at next logon on the AD
side, or it should allow the password sync tool to bypass the 7 day constraint if that
field is checked.

Additional info:

Bug description: Windows Sync sends a password modify even if it
originated from PassSync on AD. The modify updates the pwdLastSet
attribute value to a non-zero value. The value 0 indicates the password
must change at next logon on AD.

Fix description: Before sending the password modify, check whether
the current pwdLastSet value is 0 or not. If it is 0 (means the
password must change), reset pwdLastSet value to 0 along with the
password modify. This operation replaces the password on AD, but
the password still must change at next logon.

Note: If "password must change at next logon" is set on both DS and AD,
the password needs to be changed by the user on both servers to
enable it on each.

This code references a stack variable that is out of scope:

    if (force_reset_pw) {
        struct berval reset_bv = {0};
        struct berval *reset_bvals[2];
        reset_pw_mod.mod_bvalues = reset_bvals;
    pw_return = windows_conn_send_modify(prp->conn, slapi_sdn_get_dn(sdn), pw_mods, NULL, NULL );

pw_mods contains a reference to reset_pw_mod which contains a reference to reset_bvals which is out of scope. You should move the declaration of reset_bv and reset_bvals to the outer scope where you have reset_pw_mod declared.

Otherwise, ack
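The two points above, the pwdLastSet check from the fix description and the out-of-scope berval array from the review, as an added C example that is not the 389-ds-base winsync code. The `struct berval` and `LDAPMod` definitions are local stand-ins mirroring the OpenLDAP headers so the file builds without the LDAP client library; `build_pw_mods`, `pw_modify_ctx`, `count_mods` and `keeps_must_change_flag` are names invented for this example; the attribute name `unicodePwd` and the assumption that the password value arrives already encoded for AD are this example's, not the page's.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the OpenLDAP <lber.h>/<ldap.h> types and flags, declared
 * here only so this example builds without the LDAP client library. */
#define LDAP_MOD_REPLACE 0x0002
#define LDAP_MOD_BVALUES 0x0080

struct berval {
    unsigned long bv_len;
    char *bv_val;
};

typedef struct ldapmod {
    int mod_op;
    char *mod_type;
    struct berval **mod_bvalues;
} LDAPMod;

/* All storage the modify points into is owned by this caller-provided context.
 * That is the "move the declaration to the outer scope" fix from the review:
 * nothing the mod array references can go out of scope before the modify is
 * sent, because the bervals live exactly as long as the mods that point at them. */
typedef struct {
    struct berval pw_bv;
    struct berval *pw_bvals[2];
    LDAPMod pw_mod;
    struct berval reset_bv;
    struct berval *reset_bvals[2];
    LDAPMod reset_pw_mod;
    LDAPMod *mods[3];   /* password mod, optional pwdLastSet mod, NULL terminator */
    int force_reset_pw;
} pw_modify_ctx;

/*
 * Build the password modify for AD. pwd_last_set is the pwdLastSet value read
 * from the AD entry before the modify; 0 means "user must change password at
 * next logon". When it is 0, a pwdLastSet=0 replace is carried in the same
 * modify, so the password is replaced but the flag is not lost.
 * encoded_pw is assumed to already be in the form the target attribute expects.
 */
LDAPMod **build_pw_mods(pw_modify_ctx *ctx, const char *pw_attr,
                        const char *encoded_pw, size_t encoded_pw_len,
                        long long pwd_last_set)
{
    memset(ctx, 0, sizeof(*ctx));   /* also NULL-terminates pw_bvals/reset_bvals/mods */

    ctx->pw_bv.bv_val = (char *)encoded_pw;
    ctx->pw_bv.bv_len = (unsigned long)encoded_pw_len;
    ctx->pw_bvals[0] = &ctx->pw_bv;
    ctx->pw_mod.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
    ctx->pw_mod.mod_type = (char *)pw_attr;
    ctx->pw_mod.mod_bvalues = ctx->pw_bvals;
    ctx->mods[0] = &ctx->pw_mod;

    ctx->force_reset_pw = (pwd_last_set == 0);
    if (ctx->force_reset_pw) {
        ctx->reset_bv.bv_val = (char *)"0";
        ctx->reset_bv.bv_len = 1;
        ctx->reset_bvals[0] = &ctx->reset_bv;
        ctx->reset_pw_mod.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
        ctx->reset_pw_mod.mod_type = (char *)"pwdLastSet";
        ctx->reset_pw_mod.mod_bvalues = ctx->reset_bvals;
        ctx->mods[1] = &ctx->reset_pw_mod;
    }
    return ctx->mods;
}

/* Number of entries in a NULL-terminated mod array. */
int count_mods(LDAPMod **mods)
{
    int n = 0;
    while (mods[n] != NULL)
        n++;
    return n;
}

/* 1 if the mod list would leave the "must change at next logon" flag set,
 * i.e. it replaces pwdLastSet with the single value "0". */
int keeps_must_change_flag(LDAPMod **mods)
{
    for (int i = 0; mods[i] != NULL; i++) {
        struct berval *v = mods[i]->mod_bvalues ? mods[i]->mod_bvalues[0] : NULL;
        if (strcmp(mods[i]->mod_type, "pwdLastSet") == 0 && v != NULL &&
            v->bv_len == 1 && v->bv_val[0] == '0')
            return 1;
    }
    return 0;
}

int main(void)
{
    pw_modify_ctx ctx;
    /* Constructed inputs: an opaque password value and two pwdLastSet readings,
     * one meaning "must change at next logon" and one ordinary timestamp. */
    const char pw[] = "example-encoded-password";
    long long readings[2] = { 0LL, 130000000000000000LL };

    for (int i = 0; i < 2; i++) {
        LDAPMod **mods = build_pw_mods(&ctx, "unicodePwd", pw, sizeof(pw) - 1,
                                       readings[i]);
        printf("pwdLastSet=%lld -> %d mod(s), must-change flag kept: %s\n",
               readings[i], count_mods(mods),
               keeps_must_change_flag(mods) ? "yes" : "no");
    }
    return 0;
}
```

The context struct is what the reviewer's suggestion amounts to in practice: the berval arrays are declared at the same scope as `reset_pw_mod` and the mod array, so the pointers stored in the mods stay valid until the modify is actually sent. The check itself is the one the fix description gives: read pwdLastSet first, and only when it is 0 add the pwdLastSet=0 replace to the same modify.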

Thank you for pointing out the out of scope bug, Rich.

Fixed and pushed to master:
c674a71..f9d1d9e master -> master
commit f9d1d9e

Fixed a conflict and pushed to 389-ds-base-1.3.1:
023e188..8d34f77 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 8d34f77

Pushed to 389-ds-base-1.2.11:
9dc7a46..5005db5 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 5005db5

This breaks winsync in 1.2.11:
-map_entry_dn_outbound(Slapi_Entry e, Slapi_DN dn, Private_Repl_Protocol prp, int missing_entry, int guid_form)
+map_entry_dn_outbound(Slapi_Entry *e,
+ Slapi_DN
+ Private_Repl_Protocol
+ int missing_entry,
+ int guid_form,
+ Slapi_Entry
int retval = 0;
guid = NULL;
Slapi_DN new_dn = NULL;
int is_nt4 = windows_private_get_isnt4(prp->agmt);
- const char
suffix = slapi_sdn_get_dn(windows_private_get_windows_subtree(prp->agmt));
+ const char *suffix = NULL;
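Review bot: the `+ const char *suffix = NULL;` line drops the initializer that the removed `suffix = slapi_sdn_get_dn(windows_private_get_windows_subtree(prp->agmt));` line carried, and nothing else in this hunk assigns `suffix` before it is used to build DNs, so a NULL suffix is what gets formatted into them. Either keep the initializer on the new declaration (`const char *suffix = slapi_sdn_get_dn(windows_private_get_windows_subtree(prp->agmt));`) or assign it before the first use, and consider a NULL check on the subtree result while here.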
suffix is never set, so the string "(null)" gets used in DNs.

To ssh://git.fedorahosted.org/git/389/ds.git
d36f7ea..ab4b921 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit ab4b921
Author: Rich Megginson rmeggins@redhat.com
Date: Thu Apr 3 20:50:14 2014 -0600

Metadata Update from @rmeggins:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.2 - 09/13 (September)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/829

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

a year ago
