View Issue Details

IDProjectCategoryView StatusLast Update
0002913SOGoBackend Generalpublic2015-01-16 12:57
ReporterAltibox Assigned Toludovic  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Platform[Server] LinuxOSRHEL/CentOSOS Version6
Product Version2.2.7 
Target Version2.2.14Fixed in Version2.2.14 
Summary0002913: Login failed due to unhandled error case: -1
Description

I am trying to enable ldap passwordPolicy in SOGo.

We are currently authentication the users from our RHEL 389 directory server. We want to enable password policy to force to users having stronger passwords. I am curently testing it in our lab environment.

Steps To Reproduce
  1. Before - Testing that login and change of password in SOGo works fine.

  2. 389-DS: Enable password policy

    • 389-console: Configuration / Data: Enable fine-grained password policy.
    • 389-console: Directory sub-tree:
      • Create subtree level password policy.
      • Check password syntax: minimum 8 chars, 2 digits, and 3 alpha characters
  3. Was logged-in during enabling of policy.

  4. Trying to change password.

    • new weak password
    • password according to new policy

I get 'password change failed' for both.

  1. Disconnecting and trying to login again:

Now I get: 'Wrong username or password'

/var/log/sogo/sogo.log:
Sep 01 10:12:20 sogod [6198]: |SOGo| starting method 'POST' on uri '/SOGo/connect'
Sep 01 10:12:20 sogod [6198]: <0x0x7f2ed4a342c8[LDAPSource]> <NSException: 0x7f2ed4d86668> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=hansl,ou=people,o=yyyy.net,o=isp,o=altibox,c=no"; }
Sep 01 10:12:20 sogod [6198]: SOGoRootPage Login from 'xx.xx.xx.xx' for user 'hansl@yyyy.net' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Sep 01 10:12:20 sogod [6198]: |SOGo| request took 0.012208 seconds to execute
xx.xx.xx.xx - - [01/Sep/2014:10:12:20 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/53 0.015 - - 0
Sep 01 10:12:42 sogod [6198]: |SOGo| starting method 'POST' on uri '/SOGo/connect'

  1. Enabling passwordPolicy in SOGo

I get this message on the login screen when trying to login:
'Login failed due to unhandled error case: -1'

/var/log/sogo/sogo.log
Sep 01 10:30:35 sogod [7099]: |SOGo| starting method 'POST' on uri '/SOGo/connect'
Sep 01 10:30:35 sogod [7099]: <0x0x7fcd166bd8b8[NGLdapConnection]> bind - ldap_result call result: 97
Sep 01 10:30:35 sogod [7099]: <0x0x7fcd166bd8b8[NGLdapConnection]> bind - ldap_parse_result - ctrls is NULL
Sep 01 10:30:35 sogod [7099]: SOGoRootPage Login from 'xx.xx.xx.xx' for user 'hansl@yyyy.net' might not have worked - password policy: -1 grace: -1 expire: -1 bound: 1
Sep 01 10:30:35 sogod [7099]: |SOGo| request took 0.010639 seconds to execute
xx.xx.xx.xx - - [01/Sep/2014:10:30:35 GMT] "POST /SOGo/connect HTTP/1.1" 403 31/52 0.027 - - 40K

Any ideas on what is wrong?

Additional Information

Running RHEL 6.5 on both servers

389-DS server:
389-admin-console-1.1.8-1.el6.noarch
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
389-admin-1.1.29-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-ds-base-1.2.11.15-14.el6_4.x86_64
389-console-1.1.7-1.el6.noarch

SOGo server
sogo-tool-2.2.7-1.centos6.x86_64
sogo-2.2.7-1.centos6.x86_64
sogo-debuginfo-2.2.7-1.centos6.x86_6

TagsNo tags attached.

Activities

ludovic

ludovic

2014-09-02 09:19

administrator   ~0007457

We'll have to test it with 389 DS.

My guess is that data structures used a while back with OpenLDAP need to be slightly adjusted.

ludovic

ludovic

2015-01-05 15:33

administrator   ~0007998

Which openldap libraries are you using?

Altibox

Altibox

2015-01-12 06:22

reporter   ~0008053

We are using: openldap-2.4.23-34.el6_5.1.x86_64

ludovic

ludovic

2015-01-14 10:56

administrator   ~0008076

I can reproduce the issue.

It seems to be a difference in the way 389 ds works regarding password policies and the control object returned.

I'll continue to investigate.

ludovic

ludovic

2015-01-14 16:20

administrator   ~0008082

I fixed the login issue.

I'll fix the password change with ppolicy enabled tomorrow. 389ds definitively works differently than OpenLDAP regarding ppolicy objects.

ludovic

ludovic

2015-01-16 12:57

administrator   ~0008087

The fix for the login was pushed in SOPE. Please update SOPE to test it.

Note that your MUST use LDAP over SSL with 389 DS if you want to use the password policy feature.

Otherwise, the server will NEVER return the policy control object and things like password changes will never work.

The SOGo documentation has been improved in this regard.

Issue History

Date Modified Username Field Change
2014-09-01 09:37 Altibox New Issue
2014-09-02 09:19 ludovic Note Added: 0007457
2014-09-05 15:04 ludovic Target Version => 2.2.9
2014-09-26 09:37 ludovic Target Version 2.2.9 => 2.2.10
2014-11-07 15:41 ludovic Target Version 2.2.10 => 2.2.11
2014-12-04 14:30 ludovic Target Version 2.2.11 => 2.2.12
2014-12-18 09:38 ludovic Target Version 2.2.12 => 2.2.13
2014-12-30 10:28 ludovic Target Version 2.2.13 => 2.2.14
2015-01-05 15:33 ludovic Note Added: 0007998
2015-01-12 06:22 Altibox Note Added: 0008053
2015-01-14 10:56 ludovic Note Added: 0008076
2015-01-14 16:20 ludovic Note Added: 0008082
2015-01-16 12:57 ludovic Note Added: 0008087
2015-01-16 12:57 ludovic Status new => resolved
2015-01-16 12:57 ludovic Fixed in Version => 2.2.14
2015-01-16 12:57 ludovic Resolution open => fixed
2015-01-16 12:57 ludovic Assigned To => ludovic