Posted to dev@directory.apache.org by "Emmanuel Lécharny (Jira)" <ji...@apache.org> on 2023/04/13 22:48:00 UTC

[jira] [Commented] (DIRSTUDIO-1284) Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - Must supply correct old password to change to new one

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-1284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17712121#comment-17712121 ] 

Emmanuel Lécharny commented on DIRSTUDIO-1284:
----------------------------------------------

To be clear: when the server implements the Password Policy draft (https://docs.ldap.com/specs/draft-behera-ldap-password-policy-11.txt), it is required, for security reasons, that the update is done using a DELETE followed by an ADD. That guarantees that the person changing the password actually *knows* what the previous password was. Otherwise it would be super easy to break in, simply when you have to modify someone's password, without any knowledge about the previous password...

See:
{code}
8.2.1. Safe Modification

If pwdSafeModify is set to TRUE and if there is an existing password value, the server ensures that the password update operation includes the user's existing password. When the LDAP modify operation is used to modify a password, this is done by specifying both a delete action and an add or replace action, where the delete action specifies the existing password, and the add or replace action specifies the new password. Other password update operations SHOULD employ a similar mechanism. Otherwise this policy will fail. If the existing password is not specified, the server does not process the operation and sends the appropriate response message to the client with the resultCode: insufficientAccessRights (50), and includes the passwordPolicyResponse in the controls field of the response message with the error: mustSupplyOldPassword (4).
{code}

> Error while executing LDIF - [LDAP result code 53 - unwillingToPerform] - Must supply correct old password to change to new one
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DIRSTUDIO-1284
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1284
>             Project: Directory Studio
>          Issue Type: Bug
>          Components: studio-ldifeditor
>    Affects Versions: 2.0.0-M17
>         Environment: Mac OS 11.4, running on a MacBook Pro (16-inch, 2019)
>            Reporter: Katie Golan
>            Priority: Major
>             Fix For: 2.0.0-M18
>
>         Attachments: Screen Shot 2021-07-06 at 9.22.13 AM.jpg, Screen Shot 2021-07-28 at 3.36.39 PM.png, screenshot-1.png
>
>
> The current version of Apache Directory Studio (2.0.0.v20210717-M17) seems to have a bug with password resets. I’ve confirmed that version {{2.0.0.v20200411-M15}} does not have this bug.
>  # In Password Editor, the same password is entered for "Enter New Password" and "Confirm New Password"
>  # When you click "OK", the following error results:
> "Error while executing LDIF
>  - [LDAP result code 53 - unwillingToPerform] Must supply correct old password to change to new one"
>  
>  * I successfully reset the password for User A on version M15.
>  * After upgrading to version M17, I got the above error when attempting a password reset for User A.
>  * I then uninstalled Apache, rebooted, and reinstalled version M15.
>  * After M15 reinstall, I was able to successfully reset User A's password again.
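As an added illustration of the delete-then-add rule Emmanuel quotes from section 8.2.1 (example code written for this page, not from Directory Studio or the thread): a minimal parser for an LDIF `changetype: modify` record and a simulation of the server-side pwdSafeModify check. The DN, the passwords and both LDIF records are constructed sample data; the error value 4 is mustSupplyOldPassword from the draft.

```python
# Constructed sample records: the delete-then-add form the draft requires, and a plain replace.
SAFE_LDIF = """dn: uid=usera,ou=people,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: oldSecret
-
add: userPassword
userPassword: newSecret
-
"""
UNSAFE_LDIF = """dn: uid=usera,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: newSecret
-
"""

def parse_modify(ldif):
    """Parse one 'changetype: modify' record into [(op, attr, values)].
    Plain values only (no '::' base64); attribute names are lower-cased."""
    ops = []
    for line in ldif.splitlines():
        if not line or line == "-" or line.startswith(("dn:", "changetype:")):
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key in ("add", "delete", "replace"):
            ops.append((key, val.lower(), []))   # start a new change
        elif ops and key == ops[-1][1]:
            ops[-1][2].append(val)              # value for the current change
    return ops

MUST_SUPPLY_OLD_PASSWORD = 4  # passwordPolicyResponse error value from the draft

def check_safe_modify(ops, stored_password, pwd_safe_modify=True):
    """Simulate section 8.2.1: return None when the update is acceptable, else the
    ppolicy error the server attaches to its rejection. (The LDAP result code itself
    varies: the draft text says 50, the error in this report shows 53.)"""
    if not pwd_safe_modify or stored_password is None:
        return None  # policy off, or no existing value the client must prove it knows
    if not any(attr == "userpassword" for _, attr, _ in ops):
        return None  # not a password update at all
    for op, attr, values in ops:
        # Only a delete naming the current value proves the old password;
        # a bare 'delete: userPassword' or a 'replace' does not.
        if op == "delete" and attr == "userpassword" and stored_password in values:
            return None
    return MUST_SUPPLY_OLD_PASSWORD
```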
