"Bind user password needs to be changed" when users change AD expired password #524

Closed
radasys opened this issue May 13, 2021 · 5 comments · Fixed by #530


radasys commented May 13, 2021

Subject of the issue

If an Active Directory user wants to change their expired password, they receive a message informing them that the password was rejected.

Our environment

  • Self Service Password 1.4.3 running in a LXC container
  • Windows Server 2008 R2

Steps to reproduce

  1. Let a user's password expire (or "force" that by changing the attribute pwdLastSet in AD to 0 for the user, which will "automagically" expire the password; see "Reset an AD User's Password Expiry Date").
  2. Try to change the password through SSP with old password and new password.

Expected behaviour

According to documentation, parameter: $ad_options['change_expired_password'] = true should allow a user to change password if password is expired.

Actual behaviour

Our SSP configuration for AD has the following options enabled (I've excluded $ldap_binddn, $ldap_bindpw, and similar settings for the sake of clarity):
$ad_mode = true;
$ad_options['force_unlock'] = true;
$ad_options['force_pwd_change'] = false;
$ad_options['change_expired_password'] = true;

However, the password change by the user does not seem to work. Here you have the relevant logs (some lines were removed):

[date] [php7:warn] [pid 27453] [client IP] PHP Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /usr/share/self-service-password/htdocs/change.php on line 143, referer: http://ourURL/
[date] [php7:notice] [pid 27453] [client IP] LDAP - Bind user error 49 (Invalid credentials), referer: http://ourURL/
[date] [php7:notice] [pid 27453] [client IP] LDAP - Bind user extended_error 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 773, v1db1 (Invalid credentials), referer: http://ourURL/
[date] [php7:notice] [pid 27453] [client IP] LDAP - Bind user password needs to be changed, referer: http://ourURL/

Workaround

If we change the parameter $ad_options['who_change_password'] = manager, the user is then able to change the password. We understand that this setting bypasses the above options because it is the manager who is changing the password.

Related issues

Thank you for your support!


coudot commented May 13, 2021

Hi,

If the password is expired, then the user authentication fails, so we can't act as the user, because the LDAP bind was rejected. The only solution for this use case is to use the manager account to change the password.

What we could do is to force $who_change_password = "manager" when the user password is expired.
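The decision described in the comment above (user bind rejected because of an expired or must-change password, so the change is done by the manager account instead) is worth spelling out in code, because AD hides the real reason behind a generic LDAP result 49 and only distinguishes cases in the diagnostic message, exactly as the "data 773" in the log excerpt shows. The following is an added example written for this page, not Self Service Password code and not what PR #530 does line for line. The function names, the AD_BIND_SUBCODES table layout and the sample diagnostics other than the 773 one from the log are illustrative assumptions; the sub-code meanings themselves are the documented Windows logon failure codes.

```python
"""Decide who should perform an AD password change after a failed user bind.

Added example (not Self Service Password code). It mirrors the behaviour
discussed in this issue: when the user's own bind fails only because the
password is expired / must be changed, the change can still be performed
by the manager account; a genuinely wrong password must still be rejected.
"""
import re
from typing import Optional

# AD answers LDAP result 49 (invalidCredentials) for many distinct reasons
# and only tells them apart in the diagnostic message:
#   "... AcceptSecurityContext error, data <hex>, v1db1"
# The sub-codes below are the Windows logon failure codes AD reports there.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Sub-codes where the supplied old password was accepted and the only
# obstacle is password-policy state, so a manager-driven change is safe.
# A wrong password yields 52e, never one of these.
EXPIRED_PASSWORD_SUBCODES = {"532", "773"}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def parse_ad_bind_error(diagnostic: str) -> Optional[str]:
    """Extract the hex sub-code ('773', '52e', ...) from an AD diagnostic.

    Returns None when there is no AcceptSecurityContext data field (non-AD
    server, truncated message), so callers fail closed.
    """
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def describe_ad_bind_error(diagnostic: str) -> str:
    """Human-readable reason for a result-49 bind failure (for logging)."""
    code = parse_ad_bind_error(diagnostic)
    if code is None:
        return "unknown bind failure"
    return AD_BIND_SUBCODES.get(code, f"unknown sub-code {code}")


def choose_change_actor(bind_ok: bool, diagnostic: str, *,
                        who_change_password: str,
                        change_expired_password: bool) -> Optional[str]:
    """Return 'user', 'manager', or None (reject the request).

    - bind succeeded: keep the configured actor as-is.
    - bind failed with an expired / must-change sub-code and the option
      change_expired_password is on: fall back to the manager account.
    - any other bind failure: reject. A wrong password, a locked or a
      disabled account must not get through just because the manager could
      technically perform the change.
    """
    if bind_ok:
        return who_change_password
    code = parse_ad_bind_error(diagnostic)
    if code in EXPIRED_PASSWORD_SUBCODES and change_expired_password:
        return "manager"
    return None


# Constructed sample diagnostics. The first one is the message from the
# issue's log excerpt; the other two are made up for illustration using
# real AD sub-codes.
SAMPLE_MUST_CHANGE = ("80090308: LdapErr: DSID-0C090400, comment: "
                      "AcceptSecurityContext error, data 773, v1db1")
SAMPLE_WRONG_PASSWORD = ("80090308: LdapErr: DSID-0C090400, comment: "
                         "AcceptSecurityContext error, data 52e, v1db1")
SAMPLE_LOCKED_OUT = ("80090308: LdapErr: DSID-0C090400, comment: "
                     "AcceptSecurityContext error, data 775, v1db1")

if __name__ == "__main__":
    for name, diag in [("must change", SAMPLE_MUST_CHANGE),
                       ("wrong password", SAMPLE_WRONG_PASSWORD),
                       ("locked out", SAMPLE_LOCKED_OUT)]:
        actor = choose_change_actor(False, diag, who_change_password="user",
                                    change_expired_password=True)
        print(f"{name:15} -> {describe_ad_bind_error(diag):40} actor={actor}")
```

Two practical notes. First, the fallback is only safe because AD has already validated the old password before it reports 773 or 532; treating every result 49 as "expired" would turn the manager account into a password-reset oracle for anyone who knows a username. Second, the manager account then performs a reset rather than a user-initiated change, so it needs the corresponding right on the target objects, and the log should record that the manager did it (the point raised later in this thread) so that the two paths can be told apart during an investigation.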


radasys commented May 13, 2021

Excellent.

So, just to clarify, what would be the purpose of:
$ad_options['change_expired_password'] = true?

Thank you!


coudot commented May 14, 2021

So, just to clarify, what would be the purpose of:
$ad_options['change_expired_password'] = true?

It allows a user to change their password even if it is expired. But as you noticed, this only works with $who_change_password = "manager".

@coudot coudot added this to the 1.5 milestone May 14, 2021
@coudot coudot self-assigned this May 14, 2021
@coudot coudot linked a pull request May 14, 2021 that will close this issue

coudot commented May 14, 2021

@radamesi Could you test #530?


radasys commented May 17, 2021

Hi!

We have tested your changes and it works! We did not test the API, but using the web UI interface works fine.

Please notice that the logs are still showing "LDAP - Bind user error 49" and "LDAP - Bind user password needs to be changed" but it is not logging the actual change by the manager account. Maybe it would be nice to add something like...

error_log("LDAP - Password changed by manager"); after the manager rebind (but only for better verbosity, not 100% needed).

Thank you so much for your assistance!
