IDP v3 - OpenLDAP password policy - forcing password reset

Emilio Penna emilio.penna at seciu.edu.uy
Tue May 19 19:30:11 EDT 2015



I'm evaluating the possibility to implement simple account activation
using openLDAP ppolicy. The idea is: for new accounts, add the user
entry to the directory, and set an attribute to force password change.
(Probably it isn't the best idea, but I'm investigating)

The shibboleth part: not allow authentication at idp, until the user has
changed her password. (I think it would be possible given the
integration with ppolicy via ldaptive and the great configuration
flexibility of idpv3)

OpenLDAP ppolicy has an attribute for forcing password change: add
attribute pwdReset=TRUE in the user entry in LDAP. (with ldapsearch, it
permits the user to bind, but denies other operations like search)

The problem: if I try to login with an account which has set
pwdReset, idp PERMITS login and informs "Your password will be expiring
soon!" (I checked the directory and the password will NOT expire soon).

It seems weird, but looking at the code, it behaves as
programmed/configured:

The ldap bind response is SUCCESS, but ppolicy adds the control
accountErrors=[CHANGE_AFTER_RESET] (I add the authn response at the end)

In ValidateUsernamePasswordAgainstLDAP.java, if response is success, it
looks at state and if not null, calls handleWarning, but doesn't consider
the error (line 189), so only generates "ACCOUNT_WARNING" in the message.

Then in password-authn-config.xml, the matching entry for
"ACCOUNT_WARNING" is ExpiringPassword, and so the message to the user is
"Your password will be expiring soon!".

Given the message generated in ValidateUsernamePasswordAgainstLDAP:189,
I think that I don't have the error code to map/catch in
password-auth-config (or somewhere else), for trying to change the flow
to deny user login...

What do you think?


regards
Emilio

-------
log:

2015-05-19 19:14:39,213 - TRACE
[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:180]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Authentication
response
[org.ldaptive.auth.AuthenticationResponse at 33185033::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
ldapEntry=[dn=uid=UY-DO-20000002,ou=Usuarios,dc=udelar,dc=edu,dc=uy[]],
accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState at 9294870::accountWarnings=null,
accountErrors=[CHANGE_AFTER_RESET]], result=true, resultCode=SUCCESS,
message=null,
controls=[[org.ldaptive.control.PasswordPolicyControl at -317416763::criticality=false,
timeBeforeExpiration=0, graceAuthNsRemaining=0, error=CHANGE_AFTER_RESET]]]
2015-05-19 19:14:39,215 - INFO
[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:182]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by
'UY-DO-20000002' succeeded
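Added example (not Emilio's code, nor the IdP's or ldaptive's own): a decoder for the ppolicy response control value that the log above shows ldaptive parsing (timeBeforeExpiration, graceAuthNsRemaining, error), plus the decision step the post argues the IdP is missing, i.e. treating a SUCCESS bind that carries error=CHANGE_AFTER_RESET as a denial rather than a warning. The DER layout assumed is the one from draft-behera-ldap-password-policy; the control byte strings are constructed, not captured from a server.

```python
"""Decode the OpenLDAP ppolicy response control and decide the authn outcome.
Assumed DER layout (draft-behera-ldap-password-policy):
  SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                                  graceAuthNsRemaining [1] INTEGER } OPTIONAL,
             error   [1] ENUMERATED OPTIONAL }
Sample control values below are constructed for this example."""

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # password policy response control
ERRORS = ["PASSWORD_EXPIRED", "ACCOUNT_LOCKED", "CHANGE_AFTER_RESET",
          "PASSWORD_MOD_NOT_ALLOWED", "MUST_SUPPLY_OLD_PASSWORD",
          "INSUFFICIENT_PASSWORD_QUALITY", "PASSWORD_TOO_SHORT",
          "PASSWORD_TOO_YOUNG", "PASSWORD_IN_HISTORY"]
# Errors that mean "the bind worked, but the account must not be used yet".
DENY_ON = {"CHANGE_AFTER_RESET", "PASSWORD_EXPIRED", "ACCOUNT_LOCKED"}

def _tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy(value):
    """Return the warning/error fields carried by the control value bytes."""
    out = {"timeBeforeExpiration": None, "graceAuthNsRemaining": None, "error": None}
    tag, seq, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response value must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, body, pos = _tlv(seq, pos)
        if tag == 0xA0:                     # warning [0], explicit; wraps the tagged CHOICE
            inner_tag, num, _ = _tlv(body, 0)
            key = "timeBeforeExpiration" if inner_tag == 0x80 else "graceAuthNsRemaining"
            out[key] = int.from_bytes(num, "big")
        elif tag == 0x81:                   # error [1] ENUMERATED
            out["error"] = ERRORS[int.from_bytes(body, "big")]
    return out

def authn_decision(bind_result_code, ppolicy):
    """Bind result code + decoded control -> outcome; SUCCESS with an error still denies."""
    if bind_result_code != "SUCCESS":
        return "DENY:" + bind_result_code
    if ppolicy["error"] in DENY_ON:
        return "DENY:" + ppolicy["error"]
    if ppolicy["timeBeforeExpiration"] is not None or ppolicy["graceAuthNsRemaining"] is not None:
        return "ALLOW:ACCOUNT_WARNING"
    return "ALLOW"

# Constructed samples: error only (the case in the log), and a warning plus error.
RESET_ONLY = bytes.fromhex("3003810102")
WARN_AND_RESET = bytes.fromhex("3009a00480020e10810102")   # 3600 s warning + reset
```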
