Issues with TLS, password modify operation, and password expiration

François Beretti wrote:
> 2007/4/27, Richard Megginson <rmeggins at redhat.com>:
>> >        - After Start TLS (when the password is not expired), it seems
>> > that the connection sometimes becomes anonymous, and needs a new bind.
>> I'm not sure what you mean.  Can you elaborate on this?
>
> I mean that I believe (I have not tried to reproduce it) that when I
> do a start tls operation, I get anonymous, even if I had done a bind
> request just before. So in my code, just after a start tls, I always
> do a bind (even if I had already done it before start tls).
Please verify this.  startTLS should not change the authentication state 
(unless you are also doing client cert based auth with the startTLS 
request via SASL/EXTERNAL).
>
>> > I thought only the Stop TLS operation must disable the authentication
>> > on the LDAP connection
>> Do you mean authentication or transport encryption?
>
> I mean that when you call stop tls, you become anonymous
Yes.  This is by design - see http://www.rfc-editor.org/rfc/rfc2830.txt 
section 5.2:
> 5.2.  TLS Connection Closure Effects
>
>    Closure of the TLS connection MUST cause the LDAP association to move
>    to an anonymous authentication and authorization state regardless of
>    the state established over TLS and regardless of the authentication
>    and authorization state prior to TLS connection establishment.

>
> <snip>
>>
>> > 3) when using the Password Modify Extended operation, then at the next
>> > logon the server requires the user to change its password! So I
>> > definitely can't use this operation on a server implementing password
>> > policy. I believe that in the Fedora DS password policy code this
>> > operation is only seen as an administration request, not intended to
>> > be done by a user: it is handled as a "force password" request, not a
>> > "change password" request.
>> Hmm - that could be a bug in that we perhaps do not reset the password
>> expiration time.  It's supposed to - it goes through the same code as
>> regular password modify.
>
> I am really not sure of this
Can you verify this?
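The two protocol pieces this thread turns on are the StartTLS extended request (RFC 2830) and the Password Modify extended request (RFC 3062), plus the rule in RFC 2830 section 5.2 that closing the TLS layer drops the association back to anonymous. The following is an added example, not code from the thread or from Fedora DS: it builds both extended requests as raw BER so the wire format can be inspected offline, and it models the authentication state across bind / StartTLS / TLS closure so the expected behaviour (StartTLS leaves the bound identity alone; TLS closure resets it) can be compared against what a client actually observes. The DN, message IDs and passwords are constructed sample values.

```python
"""Added example (not part of the mailing-list thread): LDAP extended-request
encoding for StartTLS (RFC 2830) and Password Modify (RFC 3062), and a model
of the RFC 2830 section 5.2 authentication-state rule."""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"      # RFC 2830
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    """Tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(n):
    """BER INTEGER for a non-negative value (used for the messageID)."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # keep the sign bit clear for positive values
        body = b"\x00" + body
    return _tlv(0x02, body)


def extended_request(oid, value=None):
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
           requestName  [0] LDAPOID,
           requestValue [1] OCTET STRING OPTIONAL }"""
    content = _tlv(0x80, oid.encode("ascii"))
    if value is not None:
        content += _tlv(0x81, value)
    return _tlv(0x77, content)  # APPLICATION | constructed | 23


def ldap_message(message_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp } (no controls)."""
    return _tlv(0x30, _integer(message_id) + protocol_op)


def start_tls_request(message_id=1):
    """StartTLS has no requestValue; only the OID is sent."""
    return ldap_message(message_id, extended_request(START_TLS_OID))


def password_modify_request(message_id, user_identity=None,
                            old_password=None, new_password=None):
    """PasswdModifyRequestValue ::= SEQUENCE {
           userIdentity [0] OCTET STRING OPTIONAL,
           oldPasswd    [1] OCTET STRING OPTIONAL,
           newPasswd    [2] OCTET STRING OPTIONAL }
    A user changing their own password normally omits userIdentity and
    supplies oldPasswd; an administrator resetting someone else's supplies
    userIdentity and usually no oldPasswd."""
    fields = b""
    for tag, item in ((0x80, user_identity), (0x81, old_password),
                      (0x82, new_password)):
        if item is not None:
            fields += _tlv(tag, item.encode("utf-8"))
    value = _tlv(0x30, fields)
    return ldap_message(message_id, extended_request(PASSWD_MODIFY_OID, value))


def auth_state_after(operations):
    """Model of RFC 2830 section 5.2. Operations are strings:
    'bind:<identity>' (simple or SASL bind, including SASL/EXTERNAL after
    StartTLS), 'starttls', and 'tlsclose' (the 'stop TLS' of the thread).
    StartTLS by itself leaves the bound identity untouched; closing the TLS
    layer MUST return the association to anonymous."""
    state = "anonymous"
    for op in operations:
        if op.startswith("bind:"):
            state = op[len("bind:"):]
        elif op == "starttls":
            pass  # no change: only a subsequent bind can change identity
        elif op == "tlsclose":
            state = "anonymous"
        else:
            raise ValueError("unknown operation: %r" % op)
    return state


if __name__ == "__main__":
    print(start_tls_request().hex())
    # constructed sample values, not real credentials
    print(password_modify_request(2, "uid=jdoe,dc=example,dc=com",
                                  "old", "new").hex())
    print(auth_state_after(["bind:uid=jdoe", "starttls"]))
    print(auth_state_after(["bind:uid=jdoe", "starttls", "tlsclose"]))
```

To check the first point of the thread against a real server, issue a "Who am I?" request (RFC 4532) after the bind and again after StartTLS; the model above says both answers should name the same identity, and only a TLS closure should turn the second one anonymous.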
