PUBLIC - Liferay Portal Community Edition / LPS-76332

Error message when attempting to change user passwords when LDAP export is enabled on servers with password history



      As a side-effect of LPS-44538, when trying to update a user in Liferay, the export process fires multiple times, attempting to update the user password each time with the same value.

      On LDAP servers with password history enabled, this causes LDAP errors: even when the first password update succeeds, the subsequent ones fail because they are all identical to the initial password change.

      When we implemented the fix for LPS-67463, these errors were suppressed. However, in order to fix LPS-74160, LDAP errors are no longer suppressed, and the repeated attempts to export the user password ultimately fail.

      Steps To Reproduce (7.0.x)

      1. Start a Docker container with OpenLDAP installed and a password policy with history enabled.
        docker run --name LPS-76332 --detach -p 389:389 holatuwol/liferayissue:LPS-76332
        docker exec LPS-76332 ldapmodify -x -c -D 'cn=admin,cn=config' -w admin -f /postmodify.ldif
      2. Confirm that you can reset the password for test1 to "test1", which is different from their current password "test"
        docker exec LPS-76332 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s test1 'cn=test1,ou=people,dc=example,dc=org'
      3. Confirm that you cannot reset the password for test1 to "test1", which is the same as their current password "test1"
        docker exec LPS-76332 ldappasswd -D 'cn=test,ou=people,dc=example,dc=org' -w test -s test1 'cn=test1,ou=people,dc=example,dc=org'
      4. Start up Liferay and log in as the admin user
      5. Navigate to Control Panel > Configuration > Instance Settings
      6. Select the Authentication section and select the LDAP tab
      7. Choose the option to add an LDAP server
      8. Test the LDAP configuration
        1. Set the name to "localhost"
        2. Select the OpenLDAP radio button and click on the "Reset Values" button
        3. Change the Base DN to "dc=example,dc=org"
        4. Change the Principal to "cn=test,ou=people,dc=example,dc=org"
        5. Change the password to "test"
        6. Click on the "Test LDAP Connection" button
      9. Test the LDAP user import
        1. Click on the "Test LDAP Users" button
      10. Update the LDAP export configuration
        1. Change the Users DN to "ou=people,dc=example,dc=org"
        2. Change the User Default Object Classes to "top,person,organizationalPerson,inetOrgPerson"
        3. Set the Groups DN to blank
      11. Save the configuration
      12. Select the Authentication section and select the LDAP tab
      13. Check the "Enabled" checkbox, the "Required" checkbox, the "Enable Export" checkbox, and the "Use LDAP Password Policy" checkbox and Save
      14. Sign in as test2@liferay.com with the password "test"
      15. Navigate to My Account > Account Settings
      16. Attempt to change your password to "test1"
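
The failure described above can be modelled offline. This is an added example, not Liferay code or part of the original issue: the class and function names, the figure of three export events per update, and the `skip_repeats` guard are all assumptions made for illustration.

```python
class ConstraintViolation(Exception):
    """Stands in for the LDAP error a history-enforcing server returns."""

class DirectoryWithHistory:
    """Constructed stand-in for an LDAP server with password history enabled."""
    def __init__(self, current, depth=5):
        self.current, self.history, self.depth = current, [], depth

    def set_password(self, new):
        # History rejects the current password and any remembered one.
        if new == self.current or new in self.history:
            raise ConstraintViolation("password rejected by history policy")
        self.history = ([self.current] + self.history)[: self.depth]
        self.current = new

def update_user(directory, new_password, export_events=3,
                suppress_errors=False, skip_repeats=False):
    """Model one portal user update that fires the export several times.

    Returns (modify requests sent, errors swallowed); raises if one surfaces.
    """
    sent = swallowed = 0
    exported = None  # value already exported during this update
    for _ in range(export_events):
        if skip_repeats and new_password == exported:
            continue  # hypothetical guard: never resend an identical value
        sent += 1
        try:
            directory.set_password(new_password)
            exported = new_password
        except ConstraintViolation:
            if not suppress_errors:
                raise
            swallowed += 1
    return sent, swallowed

def demo():
    """Run the three behaviours on fresh directories (constructed data)."""
    results = {"suppressed": update_user(
        DirectoryWithHistory("test"), "test1", suppress_errors=True)}
    directory = DirectoryWithHistory("test")
    try:
        update_user(directory, "test1")
        results["propagated"] = "no error"
    except ConstraintViolation as exc:
        # The first export already changed the password before the error.
        results["propagated"] = (str(exc), directory.current)
    results["guarded"] = update_user(
        DirectoryWithHistory("test"), "test1", skip_repeats=True)
    return results

if __name__ == "__main__":
    print(demo())
```

With errors propagated, the user sees a failure even though the directory already holds the new password, which is why the report treats the repeated export as the defect rather than the history policy.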


              brian.chan Brian Chan
              minhchau.dang Minhchau Dang


                  Version Package
                  7.0.0 DXP FP35
                  7.0.0 DXP SP7
                  7.0.5 CE GA6
                  7.1.0 M1