- Type: Regression Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 6.2.X EE, 7.0.X EE, Master
- Fix Version/s: 6.2.X EE, 7.0.0 DXP FP30, 7.0.X EE, 7.0.4 CE GA5, 7.0.0 DXP FP33, 7.0.0 DXP SP7, 7.0.5 CE GA6, 7.0.X, 7.1.X, Master
- Component/s: Application Security > LDAP
- Branch Version/s: 7.0.x, 6.2.x
- Backported to Branch: Committed
- Story Points: 1.5
- Fix Priority: 3
- Git Pull Request:
Description
In LPS-67463, we decided to modify the UserModelListener so that an update user operation proceeds even when exporting the updated user to LDAP throws an exception, instead of rethrowing the exception. This is problematic because it allows the database and LDAP to diverge: the database update succeeds even when the LDAP update does not. One consequence is that the LDAP password policy has become useless. It may still stop the update in LDAP when the new password violates the policy, but it no longer stops the invalid password from being stored in the database.
The solution is to proceed with the update user operation only if the modified fields are irrelevant to LDAP. If fields that are stored in LDAP are being updated, the exception must be rethrown so that LDAP and the database cannot become inconsistent.
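To make that rule concrete, the following is an added example written for this page; it is not Liferay's UserModelListener and uses no Liferay API. It diffs the persisted user against the updated one, runs the export, and rethrows only when a field that the LDAP mapping covers has changed. The UserRecord type, the LdapExporter hook, the set of LDAP-mapped fields, and the assumption that the caller rolls the database change back when the listener throws are all assumptions of the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Set;

public final class LdapAwareUserUpdateListener {

    // Minimal user record for the illustration (assumption: not Liferay's User entity).
    static final class UserRecord {
        final String screenName, emailAddress, password;
        final String comments; // stored only in the portal database, never exported to LDAP

        UserRecord(String screenName, String emailAddress, String password, String comments) {
            this.screenName = screenName;
            this.emailAddress = emailAddress;
            this.password = password;
            this.comments = comments;
        }

        UserRecord withPassword(String p) { return new UserRecord(screenName, emailAddress, p, comments); }
        UserRecord withComments(String c) { return new UserRecord(screenName, emailAddress, password, c); }
    }

    // Hypothetical export hook standing in for the LDAP export that the listener triggers.
    interface LdapExporter {
        void exportUser(UserRecord user) throws Exception;
    }

    // Fields covered by the (illustrative) LDAP user mapping; anything else is database-only.
    static final Set<String> LDAP_MAPPED_FIELDS =
        new LinkedHashSet<>(Arrays.asList("screenName", "emailAddress", "password"));

    private final LdapExporter exporter;

    LdapAwareUserUpdateListener(LdapExporter exporter) { this.exporter = exporter; }

    // Names of the fields whose value differs between the persisted and the updated user.
    static Set<String> modifiedFields(UserRecord before, UserRecord after) {
        Set<String> modified = new LinkedHashSet<>();
        if (!Objects.equals(before.screenName, after.screenName)) modified.add("screenName");
        if (!Objects.equals(before.emailAddress, after.emailAddress)) modified.add("emailAddress");
        if (!Objects.equals(before.password, after.password)) modified.add("password");
        if (!Objects.equals(before.comments, after.comments)) modified.add("comments");
        return modified;
    }

    static boolean touchesLdap(Set<String> modified) {
        return !Collections.disjoint(modified, LDAP_MAPPED_FIELDS);
    }

    // Runs after the database write, inside the same transaction (assumption): an exception
    // thrown here makes the caller roll the database change back.
    void onAfterUpdate(UserRecord before, UserRecord after) throws Exception {
        try {
            exporter.exportUser(after);
        } catch (Exception e) {
            Set<String> modified = modifiedFields(before, after);
            if (touchesLdap(modified)) {
                // LDAP rejected a change to an LDAP-mapped field: the database must not keep it.
                throw new IllegalStateException(
                    "LDAP export failed for LDAP-mapped field(s) " + modified + "; rolling back", e);
            }
            // Only database-only fields changed: swallowing the export error (LPS-67463) is safe here.
            System.err.println("LDAP export failed but no LDAP-mapped field changed " + modified
                + "; keeping the database update: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed exporter enforcing the 16-character minimum of the OpenLDAP policy in the repro.
        LdapExporter policyExporter = u -> {
            if (u.password.length() < 16) throw new Exception("ppolicy: password too short");
        };
        // Constructed exporter for an LDAP server that is simply unreachable.
        LdapExporter downExporter = u -> { throw new Exception("connection refused"); };

        UserRecord stored = new UserRecord("test2", "test2@liferay.com", "thisis18characters", "");

        // 1. Password shortened to 15 characters: LDAP rejects it, the listener rethrows, the update is rolled back.
        try {
            new LdapAwareUserUpdateListener(policyExporter)
                .onAfterUpdate(stored, stored.withPassword("shorterpassword"));
            System.out.println("1: unexpectedly accepted");
        } catch (IllegalStateException e) {
            System.out.println("1: rejected -> " + e.getMessage());
        }

        // 2. Password that satisfies the policy: the export succeeds and the update stands.
        new LdapAwareUserUpdateListener(policyExporter)
            .onAfterUpdate(stored, stored.withPassword("thisismorethan16characters"));
        System.out.println("2: accepted");

        // 3. Only a database-only field changed while LDAP is down: warn and keep the update.
        new LdapAwareUserUpdateListener(downExporter)
            .onAfterUpdate(stored, stored.withComments("updated comments"));
        System.out.println("3: accepted despite LDAP being down");
    }
}
```

Compile and run with `javac LdapAwareUserUpdateListener.java && java LdapAwareUserUpdateListener`. The diff needs the persisted state; a listener callback that only receives the updated entity has to load the stored user before the update happens so that the comparison is possible.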
Steps To Reproduce (7.0.x)
- Start a Docker container with OpenLDAP installed, a password policy that requires all passwords to have 16 or more characters, the test (omniadmin) user, and ten sample users all with the password "thisis18characters"
docker run --name LPS-74160 --detach -p 389:389 holatuwol/liferayissue:LPS-74160
docker exec LPS-74160 ldapmodify -x -c -D 'cn=admin,cn=config' -w admin -f /postmodify.ldif
- Confirm that you can reset the password for test1 to "thisismorethan16characters", which contains more than 16 characters
docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s thisismorethan16characters 'cn=test1,ou=people,dc=example,dc=org'
- Confirm that you cannot reset the password for test1 to "shorterpassword", which contains 15 characters
docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s shorterpassword 'cn=test1,ou=people,dc=example,dc=org'
- Start up Liferay and log in as the admin user
- Navigate to Control Panel > Configuration > Instance Settings
- Select the Authentication section and select the LDAP tab
- Choose the option to add an LDAP server
- Test the LDAP configuration
  - Set the name to "localhost"
  - Select the OpenLDAP radio button
  - Change the Base DN to "dc=example,dc=org"
  - Change the Principal to "cn=test,ou=people,dc=example,dc=org"
  - Change the password to "test"
  - Click on the "Test LDAP Connection" button
- Test the LDAP user import
  - Click on the "Test LDAP Users" button
- Update the LDAP export configuration
  - Change the Users DN to "ou=people,dc=example,dc=org"
  - Change the User Default Object Classes to "top,person,organizationalPerson,inetOrgPerson"
  - Set the Groups DN to blank
- Save the configuration
- Select the Authentication section and select the LDAP tab
- Check the "Enabled" checkbox, the "Required" checkbox, the "Enable Export" checkbox, and the "Use LDAP Password Policy" checkbox
- Sign in as test2@liferay.com with the password thisis18characters
- Navigate to My Account > Account Settings
- Attempt to change your password to "shorterpassword", which contains 15 characters
Steps To Reproduce (6.2.x)
- Start a Docker container with OpenLDAP installed, a password policy that requires all passwords to have 16 or more characters, the test (omniadmin) user, and ten sample users all with the password "thisis18characters"
docker run --name LPS-74160 --detach -p 389:389 holatuwol/liferayissue:LPS-74160
docker exec LPS-74160 ldapmodify -x -c -D 'cn=admin,cn=config' -w admin -f /postmodify.ldif
- Confirm that you can reset the password for test1 to "thisismorethan16characters", which contains more than 16 characters
docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s thisismorethan16characters 'cn=test1,ou=people,dc=example,dc=org'
- Confirm that you cannot reset the password for test1 to "shorterpassword", which contains 15 characters
docker exec LPS-74160 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s shorterpassword 'cn=test1,ou=people,dc=example,dc=org'
- Start up Liferay and log in as the admin user
- Navigate to Admin > Control Panel and click on Portal Settings
- Select the Authentication section and select the LDAP tab
- Choose the option to add an LDAP server
- Test the LDAP configuration
  - Set the name to "localhost"
  - Select the OpenLDAP radio button and click on the "Reset Values" button
  - Set the Base Provider URL to "ldap://localhost:389"
  - Change the Base DN to "dc=example,dc=org"
  - Change the Principal to "cn=test,ou=people,dc=example,dc=org"
  - Change the password to "test"
  - Click on the "Test LDAP Connection" button
- Test the LDAP user import
  - Click on the "Test LDAP Users" button
- Update the LDAP export configuration
  - Change the Users DN to "ou=people,dc=example,dc=org"
  - Change the User Default Object Classes to "top,person,organizationalPerson,inetOrgPerson"
  - Set the Groups DN to blank
- Save the configuration
- Select the Authentication section and select the LDAP tab
- Check the "Enabled" checkbox, the "Required" checkbox, the "Export Enabled" checkbox, and the "Use LDAP Password Policy" checkbox
- Sign in as test2@liferay.com with the password thisis18characters
- Navigate to My Account > Account Settings
- Attempt to change your password to "shorterpassword", which contains 15 characters
Expected Result: Liferay does not change the password, because it does not meet the LDAP password policy.
Actual Result: Liferay changes the password successfully, and an error message with a stack trace appears in the console (the LDAP export failed, but the database update was kept).
Issue Links
- causes
  - LPS-76332 Error message when attempting to change user passwords when LDAP export is enabled on servers with password history (Closed)
- depends on
  - LPS-44538 User can't change passwords when LDAP is enabled (Closed)
- is caused by
  - LPS-67463 If LDAP export is enabled and not setting LDAP export, unable to login default user on Liferay. (Closed)
- relates
  - LPE-16201 LDAP password policy is not honored (Closed)
- Testing discovered
  - LPS-74221 Long LDAP export delay can cause contact or user group update to fail (Closed)
  - LPS-74223 Error messages are never displayed to the user in the UI if a callable throws an exception (Closed)