#48491 passwordexpirationtime: 19700101000000Z causes hang in authentication.
Closed: wontfix None Opened 8 years ago by hyadav5.

Hi Fedora,

We are using 389 DS version 1.2.11.29 for authentication. I see a problem once I set the password policy and reset the password using the DS Admin console. Below is the information you may require to analyse it.
-> Password Policy set through the DS console:
a) Enable the fine-grained policy
b) tick "User must change the password after reset"
c) tick "User may change the password"
d) Allow changes in 0 days
e) Keep password history. Remember 24 Password.
f) Password expires after 2 days.
g) Send warning 1 day before
h) Allow up to 0 login attempts
i) Check the password syntax
j) Password encryption : CRYPT

Account Lockout:
a) Account may be locked out
b) Lockout after 5 login failures
c) Reset failure count after 15 mins
d) Lock duration 25 mins

-> Created the user using the below ldif file.
# cat /hemant/user1.ldif
dn: uid=hemant01,ou=people,dc=in,dc=rdlabs,dc=XXXcorp,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: hemant01
cn: hemant01
uid: hemant01
uidNumber: 01
gidNumber: 01
loginShell: /usr/bin/sh
homeDirectory: /home/hemant01
userPassword: Orange*013

-> "passwordexpirationdate" will be set to 19700101000000Z magic number automatically by console.
-> Do an ldapsearch using this user Bind cn :
/opt/ldapux/bin/ldapsearch -p 389 -b "" -s base -D uid=hemant01,ou=people,dc=in,dc=rdlabs,dc=XXXcorp,dc=net -w "Orange*013" objectclass=*
<<<<< HUNG >>>> Ctrl^C
-> User is not prompted to change the password (if we log in), even though the Admin has reset the password and the password policy says the user can change the password on first login.
-> Rather the DS hung and no ldap result is sent.

-> If you change the "passwordexpirationdate" to 19700101000000Z + 1 hour, then the user will be prompted for a password change (if we log in) and no hang occurs.
root@oms07:/tmp$ /opt/ldapux/bin/ldapsearch -p 389 -b "" -s base -D uid=hemant01,ou=people,dc=in,dc=rdlabs,dc=hpecorp,dc=net -w "Orange*013" objectclass=*
ldapsearch: Password will expire in 0 seconds
ldapsearch: Password has been reset by an administrator; you must change it.
ldap_search: DSA is unwilling to perform

Code reference:
File: ...\ldap\servers\slapd\pw_mgmt.c
Function: need_new_pw()
Case 1) when "passwordexpirationdate" is automatically set to 19700101000000Z when the password is reset.
pw_exp_date = parse_genTime(passwordExpirationTime);
pw_exp_date will be 0
slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED );
slapi_send_ldap_result ( pb, LDAP_INVALID_CREDENTIALS, NULL,"password expired!", 0, NULL );

Case 2) when "passwordexpirationdate" is automatically set to 19700101000000Z when the password is reset. We add + 1 hour manually through the console.
pw_exp_date = parse_genTime(passwordExpirationTime);
pw_exp_date will be 3600
slapi_pwpolicy_make_response_control( pb, *t, -1,LDAP_PWPOLICY_CHGAFTERRESET);
slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
????? NO RESULT IS SENT ????? No call to slapi_send_ldap_result()
Rather 'Multimaster replication postoperation plugin' #5 type 501 is called.

History:
Previously we were using 389 DS version 1.2.9 and we didn't see this problem with exactly the same password policy; the user is prompted for a password change in both case 1 and case 2.

New version:
In 389 DS version 1.3.4.7 also, I didn't see any changes related to it. And slapi_send_ldap_result() is not called to send the response.

Can someone please look into this? Let us know in case you need any further information in this regard.

Thanks & Regards,
Hemant Yadav


Thanks for filing a ticket, Hemant.

Let me double check the bug is observed both on 1.2.11.x and 1.3.4.x. Is this correct?

Also, we use "review?" for the patch review request. It looks like this is not the case here. Resetting it to blank.

Thanks.

Two changes in the logged ticket content:

1) If you change the "passwordexpirationdate" to 19700101000000Z + 1 hour, that is 19700101010000Z, then the user will be prompted for a password change (if we log in) and no hang occurs.
Result:
root@hpux1:/hemant/update_issue$ /opt/ldapux/bin/ldapsearch -p 389 -b "" -s base -D uid=hemant01,ou=people,dc=in,dc=rdlabs,dc=XXXcorp,dc=net -w "Orange*013" objectclass=*
ldapsearch: Password has expired.
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: password expired!

2) In the sections for case 1 and case 2, the results are interchanged. Please find the correct version below:

Code reference:
File: ...\ldap\servers\slapd\pw_mgmt.c
Function: need_new_pw()
Case 1) when "passwordexpirationdate" is automatically set to 19700101000000Z when the password is reset by Admin.
pw_exp_date = parse_genTime(passwordExpirationTime);
pw_exp_date will be 0
slapi_pwpolicy_make_response_control( pb, *t, -1,LDAP_PWPOLICY_CHGAFTERRESET);
slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
????? NO RESULT IS SENT ????? No call to slapi_send_ldap_result()
Rather 'Multimaster replication postoperation plugin' #5 type 501 is called.
<< HUNG >>

Case 2) when "passwordexpirationdate" is automatically set to 19700101000000Z when the password is reset by Admin. We add + 1 hour manually through the console, that is 19700101010000Z.
pw_exp_date = parse_genTime(passwordExpirationTime);
pw_exp_date will be 3600
slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED );
slapi_send_ldap_result ( pb, LDAP_INVALID_CREDENTIALS, NULL,"password expired!", 0, NULL );

Thanks in advance.
Hemant Yadav

Hi nhosoi,

I have identified the problem and it is fixed by ticket #47748. Variable rc was overwritten by "need_new_password" and later fixed by using the temporary variable 'myrc' in file bind.c.
You can close this ticket.

Regards,
Hemant Yadav

Replying to [comment:3 hyadav5]:

> Hi nhosoi,
>
> Have identified the problem and it is fixed by the ticket#47748. Variable rc was overwritten by "need_new_password" and later fixed by using the temporary variable 'myrc' in file bind.c
> You can close this ticket.
>
> Regards,
> Hemant Yadav

Thank you so much for your update, Hemant. Please let us know when you run into any problem.
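
A simplified model of the failure discussed in this ticket, added here as an illustration and not taken from 389-ds-base: it converts the two timestamps from the report to epoch seconds and shows how reusing the bind's `rc` for the password-policy check leaves the client without a result. The names `parse_gentime`, `need_new_pw_model`, `handle_bind`, `reuse_rc` and all return codes are assumptions of the model.

```c
#include <stdio.h>

/* Model only: names and return codes are assumptions, not 389-ds-base code. */
enum { BIND_OK = 0, PW_OK = 0, PW_MUST_CHANGE = 1, PW_EXPIRED = -1 };

static int results_sent;   /* results written to the client for one bind */

/* "YYYYMMDDhhmmssZ" -> seconds since the epoch (UTC); -1 on malformed input. */
static long parse_gentime(const char *s)
{
    int y, mo, d, h, mi, sec;
    if (sscanf(s, "%4d%2d%2d%2d%2d%2dZ", &y, &mo, &d, &h, &mi, &sec) != 6)
        return -1;
    y -= mo <= 2;                                  /* days-from-civil algorithm */
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long days = era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
    return days * 86400 + h * 3600L + mi * 60 + sec;
}

/* Policy check: expiry 0 is the "reset by admin, must change" sentinel. */
static int need_new_pw_model(long exp, long now)
{
    if (exp == 0)
        return PW_MUST_CHANGE;   /* controls added; caller must still reply */
    if (exp <= now) {
        results_sent++;          /* "password expired!" is sent from here */
        return PW_EXPIRED;
    }
    return PW_OK;
}

/* One bind; returns how many results reached the client (must be exactly 1). */
static int handle_bind(const char *exp_attr, long now, int reuse_rc)
{
    int rc = BIND_OK;            /* credentials already verified */
    int myrc = need_new_pw_model(parse_gentime(exp_attr), now);
    results_sent = 0 + (myrc == PW_EXPIRED);
    if (reuse_rc)
        rc = myrc;               /* the overwrite described in the ticket */
    if (myrc != PW_EXPIRED && rc == BIND_OK)
        results_sent++;          /* final bind result */
    return results_sent;
}

int main(void)
{
    long now = 1450000000L;      /* constructed "current time" */
    printf("sentinel, rc reused: %d result(s)\n", handle_bind("19700101000000Z", now, 1));
    printf("sentinel, myrc used: %d result(s)\n", handle_bind("19700101000000Z", now, 0));
    return 0;
}
```

A bind that returns 0 results is the hang seen by the client; checking that every bind path yields exactly one result is a useful regression test for this class of bug.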

Metadata Update from @hyadav5:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @vashirov:
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1773

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Duplicate)

3 years ago
