-
Notifications
You must be signed in to change notification settings - Fork 448
bind response - password expiring overrides force password change #770
Comments
How does this relate to the |
because I'm using ldapjs package for all LDAP related code |
Please provide a minimal reproduction. It is not at all clear what issue you are presenting. |
ok, I'll try to clarify. I'm using Client.bind() method of the package. The signature of the method is: The callback returns error in case of bind failure and 'result' with additional info in case of bind success. When LDAP feature 'force password change' is set, when user should reset his password, his bind 'result' field indicates that by setting a field in 'result', called 'controls', with a 'controlType' attribute set to 2.16.840.1.113730.3.4.4. The problem is, that when a user should change his password and he's also in the password expiring warning interval, the bind 'result' field indicates only the password expiring warning (by setting 'controlType' to 2.16.840.1.113730.3.4.5), and the force password change indication is not there. It's a major problem, because if I don't get the 'controlType' of the force password reset, I don't know I should block this user login. |
The client receives responses from the server and passes them along to your code. Unless you can provide a minimal reproduction to show there is an error in the |
You are right. It's the behavior of the server, and not an error in ldapjs. The purpose here is probably to use the 'controls' argument in ldapjs bind method, to explicitly request the password policy controls of the user.
but it throws the exception: What is the right syntax to use? |
Hi, |
What does the documentation state? |
So does your example provide an array of controls? |
This project does not provide any "types file". Please review the tests for sample usages. For example: node-ldapjs/test/client.test.js Lines 581 to 591 in 1f85db9
|
What do you mean This project does not provide any "types file"?
|
I don't know how to be any clearer: |
This project is a JavaScript project. If you use it with TypeScript then anything pertaining to TypeScript is up to you. As for the original question, I think we have covered the usage of controls through reading the documentation and unit tests. Is this the case? |
types are provided by Follow the directions in the error message:
|
If you have an issue with the types in @types/ldapjs you can create an issue on the DefinitelyTyped repo. |
Hi, I think this thread has revolted on Typescript when it's not part of the issue at all, only that is not being helpful restricting the type, so it allowed @ShlomitGilo1 to make a mistake. The actual issue seems to be that @ShlomitGilo1 is using a POJO (plain old JS object), when the ldapjs library requires an actual instance of the You can see this in:
|
Yes. The docs need a lot of attention. |
ok, I got over the ts issue, and now I'm able to use the controls argument. Great. BUT for providing it in the search request I get the exception: and for providing it in the bind request I get back the same value I sent in the request: What am I missing here?? how can I get 2.16.840.1.113730.3.4.4 and 2.16.840.1.113730.3.4.5 in the response? |
Your server told you: |
👋 On February 22, 2023, we released version 3 of this library. As a result, we are closing this issue/pull request. Please see issue #839 for more information, including how to proceed if you feel this closure is in error. |
Hi!
I'm implementing the feature of forcing password change on first login, when a user is added or when admin is changing user's password.
I set ds-cfg-force-change-on-add and ds-cfg-force-change-on-reset to true, and following the spec, which defines:
10. Password Change After Reset
This policy forces the user to select a new password on first bind or after password reset. After bind operation succeed with authentication, the server should check if the password change after reset policy is on and this is the first time logon. If so, the server should send bindResponse with the resultCode: LDAP_SUCCESS, and should include the password expired control in the controls field of the bindResponse message:
controlType: 2.16.840.1.113730.3.4.4,
controlValue: an octet string: "0",
criticality: false
Indeed, when I call Client.bind, I get return value LDAP_SUCCESS, and the controls field as defined in the spec.
BUT -
when I call Client.bind when the user is within its password expiration warning interval, I get the controls field only with the password expiring controlType (2.16.840.1.113730.3.4.5). I would expect to get both controlType elements (controls is an array), but 2.16.840.1.113730.3.4.4 is not there.
This is a major problem because if the controlType 2.16.840.1.113730.3.4.4 is not there - the user will be able to login although he supposed to be not.
What am I missing here?
Thanks.
The text was updated successfully, but these errors were encountered: