PUBLIC - Liferay Portal Community Edition / LPS-76332

Error message when attempting to change user passwords when LDAP export is enabled on servers with password history

    Details

      Description

      As a side-effect of LPS-44538, when trying to update a user in Liferay, the export process fires multiple times, attempting to update the user password each time with the same value.

      On LDAP servers with password history enabled, this has the undesirable side-effect of LDAP errors, where even when the first password update succeeds, the subsequent ones fail because they are all identical to the initial password change.

      When we implemented the fix for LPS-67463, these errors were suppressed. However, in order to fix LPS-74160, LDAP errors are no longer suppressed, and the repeated attempts to export the user password ultimately fail.

      Steps To Reproduce (7.0.x)

      1. Start a Docker container with OpenLDAP installed and a password policy with history enabled.
        docker run --name LPS-76332 --detach -p 389:389 holatuwol/liferayissue:LPS-76332
        docker exec LPS-76332 ldapmodify -x -c -D 'cn=admin,cn=config' -w admin -f /postmodify.ldif
        
      2. Confirm that you can reset the password for test1 to "test1", which is different from their current password "test"
        docker exec LPS-76332 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s test1 'cn=test1,ou=people,dc=example,dc=org'
        
      3. Confirm that you cannot reset the password for test1 to "test1", which is the same as their current password "test1"
        docker exec LPS-76332 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s test1 'cn=test1,ou=people,dc=example,dc=org'
        
      4. Start up Liferay and log in as the admin user
      5. Navigate to Control Panel > Configuration > Instance Settings
      6. Select the Authentication section and select the LDAP tab
      7. Choose the option to add an LDAP server
      8. Test the LDAP configuration
        1. Set the name to "localhost"
        2. Select the OpenLDAP radio button and click on the "Reset Values" button
        3. Change the Base DN to "dc=example,dc=org"
        4. Change the Principal to "cn=test,ou=people,dc=example,dc=org"
        5. Change the password to "test"
        6. Click on the "Test LDAP Connection" button
      9. Test the LDAP user import
        1. Click on the "Test LDAP Users" button
      10. Update the LDAP export configuration
        1. Change the Users DN to "ou=people,dc=example,dc=org"
        2. Change the User Default Object Classes to "top,person,organizationalPerson,inetOrgPerson"
        3. Set the Groups DN to blank
      11. Save the configuration
      12. Select the Authentication section and select the LDAP tab
      13. Check the "Enabled" checkbox, the "Required" checkbox, the "Enable Export" checkbox, and the "Use LDAP Password Policy" checkbox and Save
      14. Sign in as test2@liferay.com with the password "test"
      15. Navigate to My Account > Account Settings
      16. Attempt to change your password to "test1"
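
The failure mode in the description can be modelled without a directory server. The following Python sketch is an added example, not Liferay or OpenLDAP code; the `HistoryDirectory` class, the `fires=3` count, and the `dedupe` guard are assumptions made for illustration.

```python
# Constructed model of the duplicate-export failure; not Liferay or OpenLDAP code.

class ConstraintViolation(Exception):
    """Stands in for the LDAP error a password-history policy raises."""


class HistoryDirectory:
    """Toy directory entry whose policy rejects reuse of current or past passwords."""

    def __init__(self, current):
        self.current, self.history = current, []

    def set_password(self, new):
        if new == self.current or new in self.history:
            raise ConstraintViolation("password is in history")
        self.history.append(self.current)
        self.current = new


def export_user(directory, new_password, fires=3, suppress_errors=False, dedupe=False):
    """Fire the export `fires` times for one update; return (writes_accepted, error_shown)."""
    accepted, error, exported = 0, None, False
    for _ in range(fires):
        if dedupe and exported:
            continue  # hypothetical guard (not Liferay's fix): one password write per update
        try:
            directory.set_password(new_password)
            accepted, exported = accepted + 1, True
        except ConstraintViolation as exc:
            if not suppress_errors:
                error = str(exc)  # the user sees a failure although write 1 succeeded
                break
    return accepted, error


def run_scenarios():
    """The same update (test -> test1) under each behaviour, plus a genuine reuse."""
    return {
        "errors suppressed": export_user(HistoryDirectory("test"), "test1", suppress_errors=True),
        "errors surfaced": export_user(HistoryDirectory("test"), "test1"),
        "deduplicated": export_user(HistoryDirectory("test"), "test1", dedupe=True),
        "real reuse, suppressed": export_user(HistoryDirectory("test1"), "test1", suppress_errors=True),
    }


if __name__ == "__main__":
    for name, (accepted, error) in run_scenarios().items():
        print(f"{name:24} accepted={accepted} error={error!r}")
```

In the last scenario no write is accepted and no error is reported, which shows the cost of suppressing directory errors: a genuine policy rejection becomes indistinguishable from a successful change.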

              People

              • Assignee: Brian Chan (brian.chan)
              • Reporter: Minhchau Dang (minhchau.dang)