Bug 4767 - LDAP exop and ppolicy overlay
Summary: LDAP exop and ppolicy overlay
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.24
Hardware: x64 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-09 04:02 UTC by Ulf
Modified: 2011-03-03 01:48 UTC (History)
See Also:


Description Ulf 2007-07-09 04:02:22 UTC
I use OpenLDAP's password policy overlay (ppolicy) and the smbk5pwd overlay (to keep windows and UNIX passwords in sync).

In smb.conf I have:
  ldap passwd sync = Only

and in slapd.conf:
  moduleload      smbk5pwd.so
  moduleload      ppolicy.so
  overlay         smbk5pwd
  smbk5pwd-enable samba
  overlay         ppolicy

It works well, but with one exception.  When a user tries to change his/her password to a value that is not accepted by the ppolicy rules it looks (for the user) like the change was successful even though the password change was refused by the ldap server.  Both smbpasswd and windows report (falsely) that the password was changed successfully in this situation.

Example from smbd.log (log level 10):

ldapsam_update_sam_account: user test to be modified has dn: uid=test,ou=Users,dc=zoologi,dc=su,dc=se
init_ldap_from_sam: Setting entry for user: test
smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1183967780|
smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1183968232|
smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
smbldap_modify: dn => [uid=test,ou=Users,dc=zoologi,dc=su,dc=se]
Extended operation failed with error: Constraint violation (Password is in history of old passwords)
ldapsam_modify_entry: LDAP Password could not be changed for user test: Constraint violation
        Password is in history of old passwords
pop_sec_ctx (1000, 10000) - sec_ctx_stack_ndx = 1
init_samr_r_chgpasswd_user
_samr_chgpasswd_user: 1480
000000 samr_io_r_chgpasswd_user 
    0000 status: NT_STATUS_UNSUCCESSFUL
api_rpcTNP: called samr successfully

ldapsam_modify_entry returns NT_STATUS_UNSUCCESSFUL, and this seems to cause "samr" to start the password change mechanism one more time (somehow...) but with empty changes (below is further down from the same logfile):

ldapsam_update_sam_account: user test to be modified has dn: uid=test,ou=Users,dc=zoologi,dc=su,dc=se
init_ldap_from_sam: Setting entry for user: test
smbldap_make_mod: attribute |sambaPwdCanChange| not changed.
smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
ldapsam_update_sam_account: mods is empty: nothing to update for user: test
pop_sec_ctx (1000, 10000) - sec_ctx_stack_ndx = 0
init_samr_r_chgpasswd_user
_samr_chgpasswd_user: 1480
000000 samr_io_r_chgpasswd_user 
    0000 status: NT_STATUS_OK
api_rpcTNP: called samr successfully


Either of the following patches seems to fix the problem.  However, I am not sure that this is the correct way to do it (or maybe I am doing something else wrong):

--- passdb/pdb_ldap.c.orig	2007-02-04 19:59:21.000000000 +0100
+++ passdb/pdb_ldap.c	2007-07-09 10:37:03.000000000 +0200
@@ -1644,7 +1644,7 @@
 				pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
 			SAFE_FREE(ld_error);
 			ber_bvfree(bv);
-			return NT_STATUS_UNSUCCESSFUL;
+			return NT_STATUS_PASSWORD_RESTRICTION;
 		} else {
 			DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
 #ifdef DEBUG_PASSWORD
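Review bot: the one-line change at `-			return NT_STATUS_UNSUCCESSFUL;` / `+			return NT_STATUS_PASSWORD_RESTRICTION;` reclassifies every failed password exop as a policy restriction, not only the LDAP_CONSTRAINT_VIOLATION case the log shows. A transport error, a bind or ACL problem, or an unrelated server-side failure would then be reported to the SMB client as "your password does not meet the policy", which sends users and administrators chasing the wrong cause. Keying the status on the LDAP result code, as the second patch does, is the safer shape: return NT_STATUS_PASSWORD_RESTRICTION only when `rc == LDAP_CONSTRAINT_VIOLATION` and keep NT_STATUS_UNSUCCESSFUL for everything else. Worth noting for whoever picks this up: the logged second call that ends in `status: NT_STATUS_OK` with `mods is empty` is the real reason the client sees success, so the status mapping fixes what the user sees but not why the SAMR layer retries after an unsuccessful exop.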


--- passdb/pdb_ldap.c.orig	2007-02-04 19:59:21.000000000 +0100
+++ passdb/pdb_ldap.c	2007-07-09 10:37:46.000000000 +0200
@@ -1638,6 +1638,17 @@
 				return NT_STATUS_OK;
 			}
 
+			if (rc == LDAP_CONSTRAINT_VIOLATION) {
+				ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+						&ld_error);
+				DEBUG(1, ("LDAP Password could not be changed for user %s: %s (%s)\n",
+					  pdb_get_username(newpwd), ldap_err2string(rc),
+					  ld_error ? ld_error : "unknown"));
+				SAFE_FREE(ld_error);
+				ber_bvfree(bv);
+				return NT_STATUS_PASSWORD_RESTRICTION;
+			}
+
 			ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
 					&ld_error);
 			DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
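Review bot: the new `if (rc == LDAP_CONSTRAINT_VIOLATION)` block duplicates the error-reporting sequence that immediately follows it (`ldap_get_option(... LDAP_OPT_ERROR_STRING ...)`, `DEBUG`, `SAFE_FREE(ld_error)`, `ber_bvfree(bv)`), so the two copies will drift; they already differ in debug level (1 vs 0) and the new message drops the `ldapsam_modify_entry:` prefix that the existing one carries. Suggest a single error path that fetches and logs the diagnostic once and only selects the return value from `rc`, e.g. `status = (rc == LDAP_CONSTRAINT_VIOLATION) ? NT_STATUS_PASSWORD_RESTRICTION : NT_STATUS_UNSUCCESSFUL;` before the shared cleanup and return. Also consider logging the constraint-violation case at the same level as the existing failure message: from a monitoring standpoint a policy rejection of a password change is exactly the kind of event an administrator wants to be able to see at the default log level.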


Any ideas?
Comment 1 Björn Jacke 2011-03-03 01:48:33 UTC
Sorry for the late reply. This should be fixed in 3.6. Corresponding patch in master is a679319192a. Would be great if you can give feedback on that. I'm gonna close this bug as fixed for now. Thanks!