gandres / pwm

Automatically exported from code.google.com/p/pwm

Fallback for Read User Passwords from eDirectory is broken #419

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Go to Settings -> eDirectory inside the Configuration Manager
2. Enable "Read User Passwords (advanced)"
3. Make sure that the proxy pwm LDAP user has no rights to retrieve passwords 
for users
4. Try to use the Forgotten Password module with a user.

What is the expected output? What do you see instead?
I would expect that PWM would first try to read the current password for the 
user. This would result in an NMAS -1659 error and therefore PWM should continue 
by setting a new password for that user. Instead PWM gives an Exception after 
trying to read the user password. No attempt is made to fall back on setting a 
new random password. The description from "Read User Passwords (advanced)" 
still states:

"If true, the user's password will be read from eDirectory before changing it. 
This prevents an extra password change from being set to a temporary random 
password during forgotten password sequence. If the proxy user does not have 
rights to read the password, then a temporary random password will be generated 
for the user anyway."

It seems that the UserAuthenticator has been changed in trunk to not do a fall 
back anymore if the password can't be read (authUserWithUnknownPassword). This 
logic has changed after R534 
(http://code.google.com/p/pwm/source/browse/trunk/pwm/servlet/src/password/pwm/util/operations/UserAuthenticator.java?r=534) 
which results in this bug.

Rationale:
A good question is why I need "Read User Passwords (advanced)" enabled and also 
have a Password Policy for users where the PWM proxy user is not allowed to 
retrieve passwords? Well, the answer is quite simple: security. I have multiple 
Password Policies used for different account states:

- 1 for Users that need activation
- 1 for Activated Users

The PWM proxy User is allowed to retrieve passwords for Users that need 
activation, but not for Activated Users.

Original issue reported on code.google.com by sebastia...@gmail.com on 3 Jul 2013 at 2:28
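The behaviour the report expects from authUserWithUnknownPassword, as an added illustration that is not pwm's own code: read the password only when the setting is on, fall back to a temporary random password when the proxy user lacks read rights (the NMAS -1659 case), and let any other directory error propagate instead of being masked. The directory object, the LdapError class and the error code 32 for a missing user are constructed stand-ins for this example; only the -1659 code comes from the report.

```python
import secrets
import string

# NMAS error code named in the report: the proxy user has no rights to read
# the target user's password.
NMAS_NO_READ_RIGHTS = -1659


class LdapError(Exception):
    """Hypothetical LDAP/NMAS error carrying the numeric error code."""

    def __init__(self, code, message=""):
        super().__init__(message or f"NMAS error {code}")
        self.code = code


class FakeDirectory:
    """Constructed in-memory stand-in for eDirectory with per-user read rights.

    `readable` holds the users whose password the proxy user may read, which
    models the two password policies described in the report.
    """

    def __init__(self):
        self.passwords = {}
        self.readable = set()
        self.set_count = 0  # how many password changes were performed

    def read_password(self, user):
        if user not in self.passwords:
            raise LdapError(32, "no such object")  # constructed code, not NMAS -1659
        if user not in self.readable:
            raise LdapError(NMAS_NO_READ_RIGHTS, "proxy lacks password read rights")
        return self.passwords[user]

    def set_password(self, user, new_password):
        self.passwords[user] = new_password
        self.set_count += 1


def random_password(length=20):
    """Temporary random password built from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def auth_user_with_unknown_password(directory, user, read_passwords_enabled):
    """Return (password, was_reset) for a forgotten-password flow.

    With the setting on, try to read the existing password first so no extra
    password change is recorded. If the read fails with NMAS -1659 (no rights),
    fall back to setting a temporary random password. Any other error is not a
    rights problem and is re-raised so it is not silently turned into a reset.
    """
    if read_passwords_enabled:
        try:
            return directory.read_password(user), False
        except LdapError as err:
            if err.code != NMAS_NO_READ_RIGHTS:
                raise
    temp = random_password()
    directory.set_password(user, temp)
    return temp, True


def demo():
    """Two users under the two policies from the report: one readable, one not."""
    d = FakeDirectory()
    d.passwords["pending-user"] = "needs-activation-pw"
    d.passwords["active-user"] = "activated-pw"
    d.readable.add("pending-user")
    first = auth_user_with_unknown_password(d, "pending-user", True)
    second = auth_user_with_unknown_password(d, "active-user", True)
    return first, second, d.set_count


if __name__ == "__main__":
    print(demo())
```

The check worth keeping from this example is the `err.code != NMAS_NO_READ_RIGHTS` test: a blanket `except` that always resets would hide genuine directory failures, while no fallback at all produces the exception the report describes.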

GoogleCodeExporter commented 9 years ago
Attached a patch to restore the fall back to use a new random password if the 
Read User Password fails.

Original comment by sebastia...@gmail.com on 3 Jul 2013 at 3:03


GoogleCodeExporter commented 9 years ago
Patch added in revision 579.

Original comment by jrivard on 15 Jul 2013 at 2:54