Change expired password on OpenLDAP #96

sfieux opened this issue Mar 24, 2017 · 6 comments
sfieux commented Mar 24, 2017

Hi,

I'm trying to set up self-service-password so that users can change their own password on our openldap. This ldap is configured to make passwords expire after XX days and YY grace logins.

It works fine before password expiration, but I can't get it to work when a user has an expired password and no more grace logins allowed; I still get this log message in the httpd logs:

[error] [client 1.2.3.4] LDAP - Bind error 49  (Invalid credentials), referer: https://my-server.example.com/pwdchange/index.php

I tried with both possible who_change_password values, no success. I tried the $ad_options['change_expired_password'] = true; no success - I guess it's only working for AD. The $ldap_binddn I tried is the olcRootDN on the openldap database, it has all read and modification rights, so it should be able to check userPassword value without binding to it.

Did I miss something? Would you know how I can reset an expired password?

Many thanks for your support,

sfieux

coudot commented Mar 24, 2017

Indeed, as PHP-LDAP cannot deal with the password policy control, we can't tell if the password is expired in OpenLDAP.

I don't see a simple solution for the moment.

Note that this works well with other languages. I implemented it with Perl in LemonLDAP::NG.

sfieux commented Mar 24, 2017

Sucks for me then...

One option would be to edit change.php to read the userPassword field as Manager, hash the old password using the same method/salt, and check that both hashes match.

Maybe change the config file to only do that when a specific option is set, and make sure to check that the user isn't locked out because of too many failed logins...

Not sure I'll have the time to implement this, but I hope I will. Would you be interested in a pull request?

coudot commented Mar 24, 2017

Reading the password value inside the directory to compare it to the password is really a bad practice: you bypass the brute force protection of the password policy by doing it.

You can indeed do it to fit your needs, but I don't think I can merge this feature. But I understand your issue and know that we should find a solution. I need to check if the PHP-LDAP API has any way to get the expiration information.

@coudot coudot changed the title Change expired password Change expired password on OpenLDAP Mar 24, 2017
@coudot coudot added this to the Future milestone Mar 24, 2017
sfieux commented Mar 24, 2017

Indeed, a correct implementation for this - one not bypassing bruteforce protection - would have to:

  • always try to bind first: it adds a failure if the old password is wrong
  • if it fails, check that the account isn't locked. On openldap, user lock is checked with user's operational attribute pwdAccountLockedTime and policy attribute pwdLockoutDuration - however, we need to know first which policy applies to this user.
  • only then, if the account isn't locked, read previous password value, hash the old password using the same method and salt, and compare using hash_equals() to avoid time-based attacks.

I don't know much about other ldap implementations, but it seems that my "check that the account isn't locked" part is getting very openldap-specific. Since I have neither the knowledge to do a multi-ldap-source implementation nor the possibility to test it, I'll probably write it for myself :)

Anyway, an ssh connection with openldap-registered users knows the difference between an invalid password (rejecting the connection) and an expired password (requesting a password change), so openldap somehow provides enough information to PAM to make the difference. I don't know if php-ldap supports this though...

coudot commented Mar 24, 2017

PAM-LDAP is compatible with password policy, this is why it works. PHP-LDAP is not.

Your implementation proposition is good, except that checking pwdLockoutDuration is not necessary: if the account is still locked after the first bind, then the lock status is valid.

coudot commented Mar 22, 2021

We now have ppolicy control support (#156), but we only catch modification issues (password too short, too weak, in history).

We could also display whether the password is expired or the account is locked. And rewrite #114 to adapt it to the new code.
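The approach the thread converges on, shown as an added example that is not self-service-password's own code: bind as the user with the ppolicy request control attached and read the ppolicy response, so "expired" and "locked" can be told apart from "wrong password" without ever reading userPassword or bypassing pwdMaxFailure. It assumes PHP 7.3 or later (ldap_bind_ext and the controls argument of ldap_parse_result), an OpenLDAP server with the ppolicy overlay, and placeholder host and DN values; the function name is mine.

```php
<?php
// Added example, not part of self-service-password. Requires PHP >= 7.3
// with ext/ldap; host, base DN and credentials below are placeholders.

// Error codes of the ppolicy response control (RFC draft-behera-ldap-password-policy).
const PPOLICY_ERRORS = [
    0 => 'passwordExpired',
    1 => 'accountLocked',
    2 => 'changeAfterReset',
    3 => 'passwordModNotAllowed',
    4 => 'mustSupplyOldPassword',
    5 => 'insufficientPasswordQuality',
    6 => 'passwordTooShort',
    7 => 'passwordTooYoung',
    8 => 'passwordInHistory',
];

// Bind with the ppolicy request control and return the outcome plus the
// server's policy verdict. A failed bind still counts as a failure server-side,
// so lockout protection is preserved.
function bindWithPpolicy($ldap, string $dn, string $password): array {
    $controls = [['oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST, 'iscritical' => false]];
    $result = ldap_bind_ext($ldap, $dn, $password, $controls);
    if ($result === false) {
        return ['bound' => false, 'errno' => ldap_errno($ldap), 'ppolicy' => null];
    }
    ldap_parse_result($ldap, $result, $errcode, $matched, $errmsg, $referrals, $resp);
    $status = ['bound' => $errcode === 0, 'errno' => $errcode, 'ppolicy' => null];
    if (isset($resp[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value'])) {
        $v = $resp[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value'];
        $status['ppolicy'] = [
            'expire' => $v['expire'] ?? -1,  // seconds until expiry, -1 if not sent
            'grace'  => $v['grace'] ?? -1,   // remaining grace binds, -1 if not sent
            'error'  => PPOLICY_ERRORS[$v['error'] ?? 65535] ?? null, // 65535 = noError
        ];
    }
    return $status;
}

$ldap = ldap_connect('ldaps://ldap.example.com');   // placeholder host
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$st  = bindWithPpolicy($ldap, 'uid=jdoe,ou=people,dc=example,dc=com', $_POST['oldpassword'] ?? '');
$err = $st['ppolicy']['error'] ?? null;
if ($st['bound'] || $err === 'passwordExpired') {
    // Old password verified (OpenLDAP only reports passwordExpired on a correct
    // password): proceed to the change step with the manager DN.
} elseif ($err === 'accountLocked') {
    // Locked: refuse and direct the user to an administrator.
} else {
    // Invalid credentials; the failed bind already counted toward pwdMaxFailure.
}
```

When the password is expired but grace binds remain, the bind succeeds and `grace` carries the remaining count, which is the right moment to force a change.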
