From 4f6e5a07ceaf906fe0acf036ecc2c46c4670ad1b Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Thu, 15 May 2014 17:21:08 +0000
Subject: [PATCH] Forward port fix OPENDJ-1443: OpenDJ returns an "invalid credential:expired" when password has expired even if the expired provided password is wrong
---
opendj-sdk/opendj3-server-dev/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java | 36 +++++++++++++++++++++++++++++++-----
1 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/opendj-sdk/opendj3-server-dev/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java b/opendj-sdk/opendj3-server-dev/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
index 44f0748..3566458 100644
--- a/opendj-sdk/opendj3-server-dev/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
+++ b/opendj-sdk/opendj3-server-dev/src/server/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
@@ -504,8 +504,9 @@
ERR_BIND_OPERATION_NO_PASSWORD.get());
}
- // Perform a number of password policy state checks for the user.
- checkPasswordPolicyState(userEntry, null);
+ // Perform a number of password policy state checks for the
+ // non-authenticated user.
+ checkUnverifiedPasswordPolicyState(userEntry, null);
// Invoke pre-operation plugins.
if (!invokePreOpPlugins())
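Review bot: The new comment says the checks are for the "non-authenticated user" but not why the split exists, which is the substance of OPENDJ-1443: everything called here runs before the offered password is verified, so any failure it raises is observable by a client that does not know the password. Suggest `// Only checks that are safe to run before the offered password is verified belong here; account-state checks (disabled, locked, expired) run in checkVerifiedPasswordPolicyState once the credentials are confirmed, so an unauthenticated client cannot learn account state.` The Javadoc of checkUnverifiedPasswordPolicyState in the later hunk should carry the same constraint so that future checks are not added to the wrong side of the split. The enclosing bind method starts and ends outside this hunk.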
@@ -519,6 +520,8 @@
{
setResultCode(ResultCode.SUCCESS);
+ checkVerifiedPasswordPolicyState(userEntry, null);
+
if (DirectoryServer.lockdownMode()
&& (!ClientConnection.hasPrivilege(userEntry,
Privilege.BYPASS_LOCKDOWN)))
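Review bot: `checkVerifiedPasswordPolicyState(userEntry, null)` is invoked after `setResultCode(ResultCode.SUCCESS)`, so if it throws DirectoryException for a disabled, locked or expired account the result code has already been set to success and must be overwritten by whatever catches the exception; that handler is outside the hunk, so I cannot confirm it does. Placing the check first removes the dependency: `checkVerifiedPasswordPolicyState(userEntry, null);` followed by `setResultCode(ResultCode.SUCCESS);`. Unlike the SASL caller, no `authPolicyState.isPasswordPolicy()` guard is visible around this call, so it presumably relies on the simple-bind path having already established a password policy state, which is worth confirming against the code above the hunk.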
@@ -729,7 +732,7 @@
// Account is managed locally: perform password policy checks that will
// need to be completed regardless of whether the authentication was
// successful.
- checkPasswordPolicyState(saslAuthUserEntry, saslHandler);
+ checkUnverifiedPasswordPolicyState(saslAuthUserEntry, saslHandler);
}
}
@@ -741,6 +744,8 @@
{
if (authPolicyState != null && authPolicyState.isPasswordPolicy())
{
+ checkVerifiedPasswordPolicyState(saslAuthUserEntry, saslHandler);
+
PasswordPolicyState pwPolicyState =
(PasswordPolicyState) authPolicyState;
@@ -866,7 +871,8 @@
/**
- * Validates a number of password policy state constraints for the user.
+ * Validates a number of password policy state constraints for the user. This
+ * will be called before the offered credentials are checked.
*
* @param userEntry
* The entry for the user that is authenticating.
@@ -876,7 +882,7 @@
* @throws DirectoryException
* If a problem occurs that should cause the bind to fail.
*/
- protected void checkPasswordPolicyState(
+ protected void checkUnverifiedPasswordPolicyState(
Entry userEntry, SASLMechanismHandler<?> saslHandler)
throws DirectoryException
{
@@ -925,7 +931,27 @@
ERR_BIND_OPERATION_INSECURE_SIMPLE_BIND.get());
}
}
+ }
+ /**
+ * Perform policy checks for accounts when the credentials are correct.
+ *
+ * @param userEntry
+ * The entry for the user that is authenticating.
+ * @param saslHandler
+ * The SASL mechanism handler if this is a SASL bind, or {@code null}
+ * for a simple bind.
+ * @throws DirectoryException
+ * If a problem occurs that should cause the bind to fail.
+ */
+ protected void checkVerifiedPasswordPolicyState(
+ Entry userEntry, SASLMechanismHandler<?> saslHandler)
+ throws DirectoryException
+ {
+ PasswordPolicyState pwPolicyState = (PasswordPolicyState) authPolicyState;
+ PasswordPolicy policy = pwPolicyState.getAuthenticationPolicy();
+
+ boolean isSASLBind = (saslHandler != null);
// Check to see if the user is administratively disabled or locked.
if (pwPolicyState.isDisabled())
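Review bot: The cast `(PasswordPolicyState) authPolicyState` on the first line of checkVerifiedPasswordPolicyState has no null or type guard, so the method's safety depends entirely on its callers; the SASL caller checks `authPolicyState != null && authPolicyState.isPasswordPolicy()` first, but the simple-bind caller does not visibly. A guard at the top, `if (authPolicyState == null || !authPolicyState.isPasswordPolicy()) { return; }`, would make the method safe from either path and mirrors the SASL condition; if a non-password policy is genuinely impossible here, an assertion documenting that would serve instead. The Javadoc should also state that this method must only be called after the offered credentials have been verified, because its failures (disabled, locked, expired) disclose account state to the client, which is exactly the leak this commit closes. The method body continues beyond the hunk, so I cannot tell whether `policy` and `isSASLBind` are used further down.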
--
Gitblit v1.10.0