From Shawn McKinney <smckin...@apache.org>
Subject Re: Fortress Rest 2.0.0-RC2 and ApacheDS 2.0.0-M23 - Password Reset Use Case - Missing pwdReset Delete or Set to FALSE? - calling rbacAuthN rc=1015 error message=checkPwPolicies for userId [brian] PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID
Date Wed, 14 Jun 2017 14:16:40 GMT
Hello Brian,

With apacheDS there are two ways to put a user’s account in reset state:

1. If password policy’s mustchange = true, and a new user account is added, the initial
state of pwdreset flag on user account is true.

2. If you call the fortress resetPassword function, it will change the password and set pwdreset=true.

In either case during authentication of account, if pwdreset is true you’ll get the error
you’re receiving which is working as designed.

So far so good.  The way it is ‘supposed’ to work, is then the user connects to a process
that allows them to change the password from the value applied during reset to a new one,
that only they know.  Afterwards the pwdreset flag should be removed and the latest password
applied.

Running through this scenario with apacheds doesn’t work.  The password gets changed, but
the pwdreset is still set.

So, I’ll need to add a condition to remove the flag if apacheds.  slapd removes the flag
automatically during change, btw, but server impls will have small variances like that.

Shouldn’t take long, will let you know when fix is applied.

Thanks for letting us know,

Shawn

> On Jun 14, 2017, at 8:58 AM, Brian Brooks (US) <Brian.Brooks@datapath.com> wrote:
> 
> We're encountering a problem with authenticating a user after resetting their password.
> After performing a Fortress Rest /userReset on a user, subsequent /rbacAuthN fail with the
> error:
> 
> FAILED calling rbacAuthN rc=1015 error message=checkPwPolicies for userId [brian] PASSWORD
> HAS BEEN RESET BY LDAP_ADMIN_POOL_UID
> 
> The only way we've found to recover is to manually delete the pwdReset value on the user
> entry uid=brian,ou=People,${suffix}.
> 
> Reading the code in org.apache.directory.fortress.core.impl.UserDAO.resetUserPassword(User)
> we see
> 
>       mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_RESET,
>       "TRUE" ) );
> 
> But we're unable to find any Fortress code that ever does something like
> 
>       mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_RESET,
>       "FALSE" ) );
> 
> or deletes the pwdReset value.
> 
> How should the password reset use case work?  Is it expected that the application using
> Fortress delete pwdReset or set the value to false?
> 
> **Environment**
> Fortress 2.0.0-RC2
> ApacheDS 2.0.0-M23
> Windows 10
> 
> Brian Brooks
> Sr Software Engineer
> brian.brooks@datapath.com
> Office: +1 678 252 4498
> 2205 Northmont Pkwy, STE 100
> Duluth, GA 30096
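Added example (not Fortress code and not part of either message) of the completion step Shawn describes: on ApacheDS the pwdReset flag survives a password change, so the new password and the removal of the flag are applied in one modify operation, which leaves no window where the entry has the new password but still fails rbacAuthN with rc=1015. It uses the Apache LDAP API classes quoted above; the class name, the host/port parameters, the choice of REMOVE_ATTRIBUTE over REPLACE "FALSE", and the assumption that the administrative bind may write pwdReset are mine.

```java
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.ModificationOperation;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Hypothetical helper (not Fortress's own) for finishing the reset use case.
 * slapd's ppolicy overlay clears pwdReset when the password changes; ApacheDS
 * does not, so the flag is removed explicitly in the same modify request.
 */
public final class PasswordResetCompletion
{
    // ppolicy attribute names; "pwdReset" is the attribute Fortress calls OPENLDAP_PW_RESET
    private static final String PWD_RESET = "pwdReset";
    private static final String USER_PASSWORD = "userPassword";

    /** New password in, reset flag out, as a single atomic modify. */
    public static Modification[] completeResetMods( String newPassword )
    {
        return new Modification[]
        {
            new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, USER_PASSWORD, newPassword ),
            // REMOVE with no values deletes the whole attribute; REPLACE with "FALSE" would also work.
            new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, PWD_RESET )
        };
    }

    /**
     * Applies the change over an administrative connection (pwdReset is an operational
     * attribute the end user normally cannot write), then verifies the outcome by binding
     * as the user on a fresh connection instead of trusting the modify result alone.
     */
    public static boolean completeReset( LdapConnection adminConn, String host, int port,
        String userDn, String newPassword ) throws LdapException, java.io.IOException
    {
        adminConn.modify( new Dn( userDn ), completeResetMods( newPassword ) );

        try ( LdapNetworkConnection userConn = new LdapNetworkConnection( host, port ) )
        {
            userConn.bind( userDn, newPassword ); // throws LdapException if the new password did not take
            return userConn.isAuthenticated();
        }
    }
}
```

The verification bind exercises the same ppolicy checks rbacAuthN runs, so a still-set pwdReset surfaces here rather than at the user's next login.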

