elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Handle LDAP password controls #30067

Open elasticmachine opened 6 years ago

elasticmachine commented 6 years ago

Original comment by @jaymode:

Some LDAP implementations such as 389DS will return password controls even when they have not been requested. These controls can contain information that makes a confusing situation clearer. For example, an LDAP user's LINK REDACTED due to "grace logins" and this could be unexpected. I am proposing that we add logging when a known password control is returned and if a control indicates that a user must reset their password, we need to fail authentication.

elasticmachine commented 6 years ago

Original comment by @jaymode:

We discussed this yesterday in the security team meeting. We were not aware that an LDAP server would do this and Josh mentioned that 389DS has years of legacy code behind it so it might be unique to this LDAP server.

Our ldap library does provide support for these controls: LINK REDACTED LINK REDACTED

Given the support in the LDAP library, I think it is beneficial to add some logging for the information in these controls.
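A worked illustration of what the two comments above propose, as an added example that is not Elasticsearch code and does not use the UnboundID LDAP library the comments refer to: it decodes the password-related response controls a server such as 389DS may attach to a successful bind, logs the ones it recognises, and fails the authentication only when a control says the user must reset their password. The control OIDs are the published Netscape and draft-behera values; the BER decoder, the `evaluate_bind_controls` decision rule (fail on `changeAfterReset`, warn on everything else) and the sample control values are assumptions constructed for this example.

```python
"""Decode LDAP password-related bind response controls and decide whether a
bind the server reported as successful should still be refused or logged.

Control OIDs (Netscape/389DS and draft-behera-ldap-password-policy):
  2.16.840.1.113730.3.4.4    Password Expired   (value: the text "0")
  2.16.840.1.113730.3.4.5    Password Expiring  (value: seconds to expiry, as text)
  1.3.6.1.4.1.42.2.27.8.5.1  Password Policy Response (BER-encoded SEQUENCE)
"""
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("ldap.password-controls")

OID_PASSWORD_EXPIRED = "2.16.840.1.113730.3.4.4"
OID_PASSWORD_EXPIRING = "2.16.840.1.113730.3.4.5"
OID_PASSWORD_POLICY = "1.3.6.1.4.1.42.2.27.8.5.1"

# Enumerated error values from the password policy response control.
PP_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
             3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
             5: "insufficientPasswordQuality", 6: "passwordTooShort",
             7: "passwordTooYoung", 8: "passwordInHistory"}

# Assumed policy for this example: only a "must reset" error refuses the login.
MUST_RESET_ERRORS = {"changeAfterReset"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for one BER TLV (short or long length form)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # seconds
    grace_logins_remaining: Optional[int] = None
    error: Optional[str] = None


def decode_password_policy_response(value: bytes) -> PasswordPolicyResponse:
    """Parse the control value:
    SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                                    graceAuthNsRemaining [1] INTEGER } OPTIONAL,
               error   [1] ENUMERATED OPTIONAL }
    The [0] on the CHOICE is explicit (0xA0 wrapper); the inner tags and the
    error tag are implicit primitives (0x80, 0x81)."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("password policy response value is not a SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0]
            wtag, wval, _ = _read_tlv(inner, 0)
            n = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:
                resp.time_before_expiration = n
            elif wtag == 0x81:
                resp.grace_logins_remaining = n
        elif tag == 0x81:  # error [1]
            code = int.from_bytes(inner, "big", signed=True)
            resp.error = PP_ERRORS.get(code, f"unknown({code})")
    return resp


def evaluate_bind_controls(controls: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Given {oid: raw value} from a bind the server answered with success,
    return (authentication_allowed, messages). Unknown controls are ignored."""
    allowed = True
    messages: List[str] = []
    for oid, value in controls.items():
        if oid == OID_PASSWORD_EXPIRED:
            messages.append("password has expired; server granted a grace login")
        elif oid == OID_PASSWORD_EXPIRING:
            messages.append(f"password expires in {int(value.decode())} seconds")
        elif oid == OID_PASSWORD_POLICY:
            resp = decode_password_policy_response(value)
            if resp.time_before_expiration is not None:
                messages.append(f"password expires in {resp.time_before_expiration} seconds")
            if resp.grace_logins_remaining is not None:
                messages.append(f"{resp.grace_logins_remaining} grace login(s) remaining")
            if resp.error is not None:
                messages.append(f"password policy error: {resp.error}")
                if resp.error in MUST_RESET_ERRORS:
                    allowed = False  # user must reset the password before use
    for m in messages:
        log.warning("LDAP bind returned password control: %s", m)
    return allowed, messages


if __name__ == "__main__":
    # Constructed sample: grace login warning (2 left) plus changeAfterReset error.
    sample = {OID_PASSWORD_POLICY: b"\x30\x08\xa0\x03\x81\x01\x02\x81\x01\x02"}
    print(evaluate_bind_controls(sample))  # (False, [...])
```

The decoder is deliberately strict about the outer SEQUENCE but tolerant of unknown inner tags, so a server that adds fields to the control does not break authentication; the decision about which errors refuse the login sits in one set so a realm can tighten it without touching the parser.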