      Description
      In LPS-67463, we decided to modify the UserModelListener so that an update user operation proceeds even when exporting the updated user to LDAP throws an exception, instead of rethrowing that exception. This is problematic because it allows inconsistencies between the database and LDAP: the user is updated successfully in the database even when the update to LDAP fails. One consequence is that the LDAP password policy has become useless: it may still prevent the user from being updated in LDAP when the password is changed to one that violates the policy, but it does not stop that invalid password from being stored in the database.

      The solution is to proceed with the update user operation after a failed export only if none of the modified fields are relevant to LDAP. If any of the modified fields are stored in LDAP, we should rethrow the exception so that the update fails and no inconsistency between LDAP and the database is introduced.
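A small model of the inconsistency described above and of the proposed field-based check, added here as an example; it is not Liferay's UserModelListener code. The set of LDAP-mapped fields, the FakeLdap stub and the sample user are assumptions constructed for the example.

```python
# Model of the LPS-74160 behaviour: a user update whose LDAP export fails.
# Constructed example; not Liferay's UserModelListener code.

# Assumed subset of Liferay's LDAP user mapping (not taken from the issue text).
LDAP_MAPPED_FIELDS = {"screenName", "emailAddress", "password", "firstName", "lastName"}
MIN_PASSWORD_LENGTH = 16  # the OpenLDAP policy used in the reproduction steps


class LdapExportError(Exception):
    """Stands in for the exception the listener receives when the export fails."""


class FakeLdap:
    """Directory stub: enforces the password policy and can be switched off."""

    def __init__(self):
        self.entries = {}
        self.available = True

    def export(self, user):
        if not self.available:
            raise LdapExportError("LDAP server unreachable")
        if len(user["password"]) < MIN_PASSWORD_LENGTH:
            raise LdapExportError("password policy: fewer than %d characters" % MIN_PASSWORD_LENGTH)
        self.entries[user["screenName"]] = dict(user)


def update_user(db, ldap, screen_name, changes, rethrow_for_ldap_fields):
    """Apply `changes` to the database record and export the result to LDAP.

    rethrow_for_ldap_fields=False models the post-LPS-67463 listener: the
    export failure is only logged and the database update is still committed.
    rethrow_for_ldap_fields=True models the proposed fix: if any changed field
    is stored in LDAP, the failure is propagated and the update is aborted;
    changes to fields LDAP does not hold still go through.
    """
    updated = {**db[screen_name], **changes}
    try:
        ldap.export(updated)
    except LdapExportError as exc:
        if rethrow_for_ldap_fields and set(changes) & LDAP_MAPPED_FIELDS:
            raise  # nothing committed: database and LDAP stay consistent
        print("LDAP export failed, continuing anyway:", exc)
    db[screen_name] = updated  # commit to the database
    return updated


def make_fixture():
    """Constructed sample user, already present in both stores (like test2 after import)."""
    db = {"test2": {"screenName": "test2", "emailAddress": "test2@liferay.com",
                    "password": "thisis18characters", "greeting": "Welcome"}}
    ldap = FakeLdap()
    ldap.export(db["test2"])
    return db, ldap
```

With rethrow_for_ldap_fields=False a 15-character password ends up in the database while LDAP keeps the old one; with the fix the same update raises and the database is untouched, while a change to a non-LDAP field still succeeds even if the directory is unreachable.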

      Steps To Reproduce (7.0.x)

      1. Start a Docker container with OpenLDAP installed, a password policy that requires all passwords have 16 or more characters, the test (omniadmin) user, and ten sample users all with the password "thisis18characters"
        docker run --name LPS-74160 --detach -p 389:389 holatuwol/liferayissue:LPS-74160
        docker exec LPS-74160 ldapmodify -x -c -D 'cn=admin,cn=config' -w admin -f /postmodify.ldif
        
      2. Confirm that you can reset the password for test1 to "thisismorethan16characters", which contains more than 16 characters
        docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s thisismorethan16characters 'cn=test1,ou=people,dc=example,dc=org'
        
      3. Confirm that you cannot reset the password for test1 to "shorterpassword", which contains 15 characters
        docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s shorterpassword 'cn=test1,ou=people,dc=example,dc=org'
        
      4. Start up Liferay and log in as the admin user
      5. Navigate to Control Panel > Configuration > Instance Settings
      6. Select the Authentication section and select the LDAP tab
      7. Choose the option to add an LDAP server
      8. Test the LDAP configuration
        1. Set the name to "localhost"
        2. Select the OpenLDAP radio button
        3. Change the Base DN to "dc=example,dc=org"
        4. Change the Principal to "cn=test,ou=people,dc=example,dc=org"
        5. Change the password to "test"
        6. Click on the "Test LDAP Connection" button
      9. Test the LDAP user import
        1. Click on the "Test LDAP Users" button
      10. Update the LDAP export configuration
        1. Change the Users DN to "ou=people,dc=example,dc=org"
        2. Change the User Default Object Classes to "top,person,organizationalPerson,inetOrgPerson"
        3. Set the Groups DN to blank
      11. Save the configuration
      12. Select the Authentication section and select the LDAP tab
      13. Check the "Enabled" checkbox, the "Required" checkbox, the "Enable Export" checkbox, and the "Use LDAP Password Policy" checkbox
      14. Sign in as test2@liferay.com with the password thisis18characters
      15. Navigate to My Account > Account Settings
      16. Attempt to change your password to "shorterpassword", which contains 15 characters

      Steps To Reproduce (6.2.x)

      1. Start a Docker container with OpenLDAP installed, a password policy that requires all passwords have 16 or more characters, the test (omniadmin) user, and ten sample users all with the password "thisis18characters"
        docker run --name LPS-74160 --detach -p 389:389 holatuwol/liferayissue:LPS-74160
        docker exec LPS-74160 ldapmodify -x -c -D 'cn=admin,cn=config' -w admin -f /postmodify.ldif
        
      2. Confirm that you can reset the password for test1 to "thisismorethan16characters", which contains more than 16 characters
        docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s thisismorethan16characters 'cn=test1,ou=people,dc=example,dc=org'
        
      3. Confirm that you cannot reset the password for test1 to "shorterpassword", which contains 15 characters
        docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s shorterpassword 'cn=test1,ou=people,dc=example,dc=org'
        
      4. Start up Liferay and log in as the admin user
      5. Navigate to Admin > Control Panel and click on Portal Settings
      6. Select the Authentication section and select the LDAP tab
      7. Choose the option to add an LDAP server
      8. Test the LDAP configuration
        1. Set the name to "localhost"
        2. Select the OpenLDAP radio button and click on the "Reset Values" button
        3. Set the Base Provider URL to "ldap://localhost:389"
        4. Change the Base DN to "dc=example,dc=org"
        5. Change the Principal to "cn=test,ou=people,dc=example,dc=org"
        6. Change the password to "test"
        7. Click on the "Test LDAP Connection" button
      9. Test the LDAP user import
        1. Click on the "Test LDAP Users" button
      10. Update the LDAP export configuration
        1. Change the Users DN to "ou=people,dc=example,dc=org"
        2. Change the User Default Object Classes to "top,person,organizationalPerson,inetOrgPerson"
        3. Set the Groups DN to blank
      11. Save the configuration
      12. Select the Authentication section and select the LDAP tab
      13. Check the "Enabled" checkbox, the "Required" checkbox, the "Export Enabled" checkbox, and the "Use LDAP Password Policy" checkbox
      14. Sign in as test2@liferay.com with the password thisis18characters
      15. Navigate to My Account > Account Settings
      16. Attempt to change your password to "shorterpassword", which contains 15 characters

      Expected Result: Liferay would not change the password because it does not meet the LDAP password policy
      Actual Result: Liferay changes the password successfully, and an error message with a stack trace appears in the console.
