View Issue Details

ID: 0001719
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2014-02-04 20:28
Reporter: efuste
Assigned To: ludovic
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0001719: Impossible to change password at logon time (pwdreset ppolicy)
Description

Context:
Ubuntu 11.10
SOGo 1.3.13
ppolicy activated on SOGo and OpenLDAP
password change in user prefs -> ok, and errors on password constraints are correctly reported.

ldap attribute pwdreset added to the account
login -> popup requesting new password
giving a new ppolicy compliant password -> unknown ppolicy error 32552 (number not always the same).

On the ldap side, with debug 128 or 255, no activity when trying to apply new password. No error in sogo.log

Side effect bug:

  • hit cancel -> hit login -> SOGo logs in because the bind was successful and cached even if the password must be changed.
    -> in case of a password change request by ppolicy, the password and successful logon should not be cached by SOGo.
    (Should I open a specific bug for this?)

Tags: No tags attached.

Relationships

child of 0002169 (closed, jraby): Possible bug with session and LDAP filtering

Activities

efuste

2012-03-22 16:17

reporter   ~0003620

additional info

Main bug: using ldappasswd as the user to change the password and reset the pwdreset attribute works as expected.

Side effect bug: SOGo logs on but all directory operations fail as expected (search is denied because the password must be changed).

efuste

2012-03-23 08:50

reporter   ~0003625

Using the side effect bug, bypass the "force password change" by hitting cancel and logon.
Access user prefs, password tab.
Change the password -> password change ok

So the main bug is limited to the login page password change popup.

Bug opened as minor but is major/block for us.

efuste

2012-03-23 13:11

reporter   ~0003626

The side effect bug could be viewed as a security bug (security policy bypass).

(I know, I should take a support contract; I expect that it is in the pipe of buyers on my side.)

efuste

2012-03-23 14:03

reporter   ~0003627

One more thought:
Not only should the password be cached only after the complete policy validation, but when ppolicy is in use, negative caching should not be used, so as not to perturb ppolicy functionality like pwdMaxFailure and pwdMaxFailureCountInternval.
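
The caching behaviour requested in the notes above, as an added example that is not part of the original thread and is not SOGo's code: a bind cache that stores a credential only when the bind succeeds with no ppolicy error pending, and never caches failures so every bad attempt reaches the server's failure counter. `FakeDirectory`, `BindCache` and their methods are hypothetical names, and the directory is a constructed in-memory stand-in for an OpenLDAP server with ppolicy.

```python
import hashlib

CHANGE_AFTER_RESET = "changeAfterReset"  # ppolicy error returned when pwdReset is TRUE


class FakeDirectory:
    """Constructed stand-in for an LDAP server with ppolicy enabled (assumption)."""

    def __init__(self, password, pwd_reset=False, max_failure=3):
        self.password, self.pwd_reset = password, pwd_reset
        self.max_failure, self.failures, self.binds = max_failure, 0, 0

    def bind(self, password):
        """Return (success, ppolicy_error); failures are counted like pwdMaxFailure."""
        self.binds += 1
        if self.failures >= self.max_failure:
            return False, "accountLocked"
        if password != self.password:
            self.failures += 1
            return False, None
        self.failures = 0
        return True, (CHANGE_AFTER_RESET if self.pwd_reset else None)


class BindCache:
    """Caches only binds that succeeded with no ppolicy error pending."""

    def __init__(self, directory):
        self.directory, self.cache = directory, set()

    def _key(self, user, password):
        # Demo key only; a real cache would also expire and invalidate entries.
        return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

    def login(self, user, password):
        key = self._key(user, password)
        if key in self.cache:
            return "ok"
        success, policy_error = self.directory.bind(password)
        if not success:
            return "denied"       # no negative caching: each failure hits the server
        if policy_error == CHANGE_AFTER_RESET:
            return "must_change"  # bind succeeded, but the result is not cached
        self.cache.add(key)
        return "ok"
```

With this rule, cancelling the password-change popup and logging in again produces a fresh bind and the same `must_change` result instead of a cached session.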

ludovic

2012-05-31 18:51

administrator   ~0003998

What is the version of the OpenLDAP libraries on your machine?

efuste

2012-06-01 09:41

reporter   ~0004002

libldap-2.4-2 2.4.25-1.1ubuntu4.1

efuste

2013-03-06 17:30

reporter   ~0005412

Part of the side effect bug should be fixed by 0002263.
Will test it in the context of ppolicy.

efuste

2013-03-07 09:17

reporter   ~0005413

Fix is here: 0002169

Need to check if the ppolicy password change bug is still relevant.

ludovic

2014-02-04 20:28

administrator   ~0006495

Fixed a little while ago.

Issue History

Date Modified Username Field Change
2012-03-22 16:01 efuste New Issue
2012-03-22 16:17 efuste Note Added: 0003620
2012-03-23 08:50 efuste Note Added: 0003625
2012-03-23 13:11 efuste Note Added: 0003626
2012-03-23 14:03 efuste Note Added: 0003627
2012-05-31 18:51 ludovic Note Added: 0003998
2012-06-01 09:41 efuste Note Added: 0004002
2013-03-06 17:30 efuste Note Added: 0005412
2013-03-07 09:17 efuste Note Added: 0005413
2013-03-07 13:42 francis Relationship added child of 0002169
2014-02-04 20:28 ludovic Note Added: 0006495
2014-02-04 20:28 ludovic Status new => closed
2014-02-04 20:28 ludovic Assigned To => ludovic
2014-02-04 20:28 ludovic Resolution open => fixed