
Re: expired password reset prompt (0.9.2, ppolicy)

On Wed, 2014-04-23 at 12:55 +1000, Trent W. Buck wrote:
> When their password is expired,
> I expect xdm to say something like
> 
>     Password has expired!
>     Old password:
>     New password:
>     New password again: ...

Thanks for the detailed bug report.

> nslcd: [7b23c6] <authc="p"> DEBUG: nslcd_pam_authc("p","xdm","***")
> nslcd: [7b23c6] <authc="p"> DEBUG: myldap_search(base="uid=p,ou=people,o=PrisonPC", filter="(objectClass=*)")
> nslcd: [7b23c6] <authc="p"> DEBUG: ldap_initialize(ldap://ldap/)
> nslcd: [7b23c6] <authc="p"> DEBUG: ldap_sasl_bind("uid=p,ou=people,o=PrisonPC","***") (uri="ldap://ldap/")
> nslcd: [7b23c6] <authc="p"> ldap_parse_result() failed: Invalid credentials
> nslcd: [7b23c6] <authc="p"> DEBUG: failed to bind to LDAP server ldap://ldap/: Invalid credentials
> nslcd: [7b23c6] <authc="p"> DEBUG: ldap_unbind()
> nslcd: [7b23c6] <authc="p"> uid=p,ou=people,o=PrisonPC: lookup failed: Invalid credentials

The above indicates that the BIND to the LDAP server failed. From a test
just now with a similar set-up (using su - p instead of xdm and 0.9.3):

  nslcd: [482a97] <authc="p"> DEBUG: myldap_search(base="uid=p,ou=people,dc=test,dc=tld", filter="(objectClass=*)")
  nslcd: [482a97] <authc="p"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
  nslcd: [482a97] <authc="p"> DEBUG: ldap_sasl_bind("uid=p,ou=people,dc=test,dc=tld","***") (uri="ldap://127.0.0.1/")
  nslcd: [482a97] <authc="p"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (8 grace logins left)
  nslcd: [482a97] <authc="p"> DEBUG: ldap_result(): uid=p,ou=people,dc=test,dc=tld
  nslcd: [482a97] <authc="p"> uid=p,ou=people,dc=test,dc=tld: Password expired, 8 grace logins left
  nslcd: [482a97] <authc="p"> DEBUG: ldap_unbind()

I only get Invalid credentials after the grace logins have expired. In
the Git version I've improved the logging somewhat and made it possible
to distinguish between a failed login and an expired password.

There could be some interaction with xdm that is not going well. When
using su, before the password is actually expired, I get:

  % su - p
  Password: 
  Password will expire in 57 seconds
  New password: 
  Retype new password: 

And after it expires:

  % su - p
  Password: 
  Password expired, 10 grace logins left
  New password: 
  Retype new password: 

Note that the number of grace logins currently decreases by two each
time because a second BIND is done to change the password (perhaps
something can be done to short-circuit the second BIND or at least avoid
it if the new password is blank).

Can you test with su - p (do su - nobody from root first) and see if you
have the same behaviour?

Also, can you check using the Git version?

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
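As an added example (not code from nslcd or from anyone in this thread), here is a small parser that groups nslcd authc log lines by request id, tells a failed BIND (Invalid credentials) apart from an expired password with grace logins left, and converts the grace count into remaining login attempts under the two-BINDs-per-attempt behaviour described above. The sample lines are constructed in the format shown in the thread; the request ids and DNs are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One nslcd authentication line: "nslcd: [reqid] <authc="user"> message"
LINE_RE = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] <authc="(?P<user>[^"]*)"> (?P<msg>.*)$')
GRACE_RE = re.compile(r'Password expired, (?P<n>\d+) grace logins? left')

# Constructed sample in the thread's log format (hypothetical request ids/DNs).
SAMPLE_LOG = """\
nslcd: [482a97] <authc="p"> DEBUG: nslcd_pam_authc("p","xdm","***")
nslcd: [482a97] <authc="p"> DEBUG: ldap_sasl_bind("uid=p,ou=people,dc=test,dc=tld","***") (uri="ldap://127.0.0.1/")
nslcd: [482a97] <authc="p"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (8 grace logins left)
nslcd: [482a97] <authc="p"> uid=p,ou=people,dc=test,dc=tld: Password expired, 8 grace logins left
nslcd: [482a97] <authc="p"> DEBUG: ldap_unbind()
nslcd: [7b23c6] <authc="p"> DEBUG: nslcd_pam_authc("p","xdm","***")
nslcd: [7b23c6] <authc="p"> ldap_parse_result() failed: Invalid credentials
nslcd: [7b23c6] <authc="p"> uid=p,ou=people,dc=test,dc=tld: lookup failed: Invalid credentials
"""

@dataclass
class AuthOutcome:
    user: str
    status: str                   # "ok", "expired" or "invalid_credentials"
    grace_left: Optional[int]     # remaining grace BINDs when status == "expired"

def parse_nslcd_log(text):
    """Classify each authentication request found in nslcd debug output."""
    outcomes = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line: skip it
        req, user, msg = m.group("req"), m.group("user"), m.group("msg")
        out = outcomes.setdefault(req, AuthOutcome(user, "ok", None))
        if "Invalid credentials" in msg:
            out.status = "invalid_credentials"
        g = GRACE_RE.search(msg)
        if g:
            out.status = "expired"
            out.grace_left = int(g.group("n"))
    return outcomes

def attempts_remaining(grace_left, binds_per_attempt=2):
    """Logins left before lockout; each attempt costs binds_per_attempt BINDs
    (two when the password-change flow performs a second BIND)."""
    return grace_left // binds_per_attempt
```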