Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-74160

LDAP password policy is not honored

    XMLWordPrintable

    Details

      Description

      Description
      In LPS-67463, we decided to modify the UserModelListener so that we proceed with an update user operation if there was an exception when trying to export the updated user to LDAP, rather than rethrowing the exception. This is problematic because it allows for inconsistencies between the database and LDAP - the database will successfully update the user even if LDAP does not. One such consequence of this decision is that the LDAP password policy has become useless - even though it may stop the user from being updated in LDAP if their password is updated to an invalid one, it does not stop the invalid password from being stored in the database.

      The solution will be to only proceed with the update user operation if the fields that were modified are irrelevant to LDAP. If we are updating fields that are stored in LDAP, we should rethrow the exception to ensure that there are no inconsistencies between LDAP and the database.

      Steps To Reproduce (7.0.x)

      1. Start a Docker container with OpenLDAP installed, a password policy that requires all passwords have 16 or more characters, the test (omniadmin) user, and ten sample users all with the password "thisis18characters" 
        docker run --name LPS-74160 --detach -p 389:389 holatuwol/liferayissue:LPS-74160
docker exec LPS-74160 ldapmodify -x -c -D 'cn=admin,cn=config' -w admin -f /postmodify.ldif
      2. Confirm that you can reset the password for test1 to "thisismorethan16characters", which contains more than 16 characters 
        docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s thisismorethan16characters 'cn=test1,ou=people,dc=example,dc=org'
      3. Confirm that you cannot reset the password for test1 to "shorterpassword", which contains 15 characters 
        docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s shorterpassword 'cn=test1,ou=people,dc=example,dc=org'
      4. Start up Liferay and log in as the admin user
      5. Navigate to Control Panel > Configuration > Instance Settings
      6. Select the Authentication section and select the LDAP tab
      7. Choose the option to add an LDAP server
      8. Test the LDAP configuration
        1. Set the name to "localhost"
        2. Select the OpenLDAP radio button
        3. Change the Base DN to "dc=example,dc=org"
        4. Change the Principal to "cn=test,ou=people,dc=example,dc=org"
        5. Change the password to "test"
        6. Click on the "Test LDAP Connection" button
      9. Test the LDAP user import
        1. Click on the "Test LDAP Users" button
      10. Update the LDAP export configuration
        1. Change the Users DN to "ou=people,dc=example,dc=org"
        2. Change the User Default Object Classes to "top,person,organizationalPerson,inetOrgPerson"
        3. Set the Groups DN to blank
      11. Save the configuration
      12. Select the Authentication section and select the LDAP tab
      13. Check the "Enabled" checkbox, the "Required" checkbox, the "Enable Export" checkbox, and the "Use LDAP Password Policy" checkbox
      14. Sign in as test2@liferay.com with the password thisis18characters
      15. Navigate to My Account > Account Settings
      16. Attempt to change your password to "shorterpassword", which contains 15 characters

      Steps To Reproduce (6.2.x)

      1. Start a Docker container with OpenLDAP installed, a password policy that requires all passwords have 16 or more characters, the test (omniadmin) user, and ten sample users all with the password "thisis18characters" 
        docker run --name LPS-74160 --detach -p 389:389 holatuwol/liferayissue:LPS-74160
docker exec LPS-74160 ldapmodify -x -c -D 'cn=admin,cn=config' -w admin -f /postmodify.ldif
      2. Confirm that you can reset the password for test1 to "thisismorethan16characters", which contains more than 16 characters 
        docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s thisismorethan16characters 'cn=test1,ou=people,dc=example,dc=org'
      3. Confirm that you cannot reset the password for test1 to "shorterpassword", which contains 15 characters 
        docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s shorterpassword 'cn=test1,ou=people,dc=example,dc=org'
      4. Start up Liferay and log in as the admin user
      5. Navigate to Admin > Control Panel and click on Portal Settings
      6. Select the Authentication section and select the LDAP tab
      7. Choose the option to add an LDAP server
      8. Test the LDAP configuration
        1. Set the name to "localhost"
        2. Select the OpenLDAP radio button and click on the "Reset Values" button
        3. Set the Base Provider URL to "ldap://localhost:389"
        4. Change the Base DN to "dc=example,dc=org"
        5. Change the Principal to "cn=test,ou=people,dc=example,dc=org"
        6. Change the password to "test"
        7. Click on the "Test LDAP Connection" button
      9. Test the LDAP user import
        1. Click on the "Test LDAP Users" button
      10. Update the LDAP export configuration
        1. Change the Users DN to "ou=people,dc=example,dc=org"
        2. Change the User Default Object Classes to "top,person,organizationalPerson,inetOrgPerson"
        3. Set the Groups DN to blank
      11. Save the configuration
      12. Select the Authentication section and select the LDAP tab
      13. Check the "Enabled" checkbox, the "Required" checkbox, the "Export Enabled" checkbox, and the "Use LDAP Password Policy" checkbox
      14. Sign in as test2@liferay.com with the password thisis18characters
      15. Navigate to My Account > Account Settings
      16. Attempt to change your password to "shorterpassword", which contains 15 characters

      Expected Result: Liferay would not change the password because it does not meet the LDAP password policy
      Actual Result: Liferay changes the password successfully, and an error message with a stack trace appears in the console.

        Attachments

          Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. LPS-76332 Error message when attempting to change user passwords when LDAP export is enabled on servers with password history

          • Closed
          depends on

          Bug - A problem which impairs or prevents the functions of the product. LPS-44538 User can't change passwords when LDAP is enabled

          • Closed
          is caused by

          Bug - A problem which impairs or prevents the functions of the product. LPS-67463 If LDAP export is enabled and not setting LDAP export , unable to login default user on Liferay.

          • Closed
          relates

          Regression Bug - Used by Liferay QA to indicate an issue discovered during regression testing LPE-16201 LDAP password policy is not honored

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          Testing discovered

          Bug - A problem which impairs or prevents the functions of the product. LPS-74221 Long LDAP export delay can cause contact or user group update to fail

          • Closed

          Bug - A problem which impairs or prevents the functions of the product. LPS-74223 Error messages are never displayed to the user in the UI if a callable throws an exception

          • Closed

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  2 years, 33 weeks, 4 days ago

                  Packages

                  Version Package
                  6.2.X EE
                  7.0.0 DXP FP30
                  7.0.X EE
                  7.0.4 CE GA5
                  7.0.0 DXP FP33
                  7.0.0 DXP SP7
                  7.0.5 CE GA6
                  7.0.X
                  7.1.X
                  Master