RSS feed

Re: expired password reset prompt (0.9.2, ppolicy)

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: expired password reset prompt (0.9.2, ppolicy)

On Wed, 2014-04-23 at 12:55 +1000, Trent W. Buck wrote:
> When their password is expired,
> I expect xdm to say something like
>     Password has expired!
>     Old password:
>     New password:
>     New password again: ...

Thanks for the detailed bug report.

> nslcd: [7b23c6] <authc="p"> DEBUG: nslcd_pam_authc("p","xdm","***")
> nslcd: [7b23c6] <authc="p"> DEBUG: 
> myldap_search(base="uid=p,ou=people,o=PrisonPC", filter="(objectClass=*)")
> nslcd: [7b23c6] <authc="p"> DEBUG: ldap_initialize(ldap://ldap/)
> nslcd: [7b23c6] <authc="p"> DEBUG: 
> ldap_sasl_bind("uid=p,ou=people,o=PrisonPC","***") (uri="ldap://ldap/";)
> nslcd: [7b23c6] <authc="p"> ldap_parse_result() failed: Invalid credentials
> nslcd: [7b23c6] <authc="p"> DEBUG: failed to bind to LDAP server 
> ldap://ldap/: Invalid credentials
> nslcd: [7b23c6] <authc="p"> DEBUG: ldap_unbind()
> nslcd: [7b23c6] <authc="p"> uid=p,ou=people,o=PrisonPC: lookup failed: 
> Invalid credentials

The above indicates that the BIND to the LDAP server failed. From a test
just now with a similar set-up (using su - p instead of xdm and 0.9.3):

  nslcd: [482a97] <authc="p"> DEBUG: 
myldap_search(base="uid=p,ou=people,dc=test,dc=tld", filter="(objectClass=*)")
  nslcd: [482a97] <authc="p"> DEBUG: ldap_initialize(ldap://
  nslcd: [482a97] <authc="p"> DEBUG: 
ldap_sasl_bind("uid=p,ou=people,dc=test,dc=tld","***") (uri="ldap://";)
  nslcd: [482a97] <authc="p"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (8 
grace logins left)
  nslcd: [482a97] <authc="p"> DEBUG: ldap_result(): 
  nslcd: [482a97] <authc="p"> uid=p,ou=people,dc=test,dc=tld: Password expired, 
8 grace logins left
  nslcd: [482a97] <authc="p"> DEBUG: ldap_unbind()

I only get Invalid credentials after the grace logins have expired. In
the Git version I've improved the logging somewhat and made it possible
to distinguish between a failed login and an expire password.

There could be some interaction with xdm that is not going well. When
using su, before the password is actually expired, I get:

  % su - p
  Password will expire in 57 seconds
  New password: 
  Retype new password: 

And after it expires:

  % su - p
  Password expired, 10 grace logins left
  New password: 
  Retype new password: 

Note that the number of grace logins currently decreases by two each
time because a second BIND is done to change the password (perhaps
something can be done to short-circuit the second BIND or at least avoid
it if the new password is blank).

Can you test with su - p (do su - nobody from root first) and see if you
have the same behaviour?

Also, can you check using the Git version?


-- arthur - - --
To unsubscribe send an email to or see