pwm-project · hsartoris-bard · Jan 14, 2021 · Jan 14, 2021 · Jan 14, 2021 · Jul 9, 2021
diff --git a/server/src/main/java/password/pwm/config/PwmSetting.java b/server/src/main/java/password/pwm/config/PwmSetting.java
@@ -303,6 +303,8 @@ public enum PwmSetting
             "ldap.ignoreUnreachableProfiles", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.LDAP_GLOBAL ),
     LDAP_ENABLE_WIRE_TRACE(
             "ldap.wireTrace.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.LDAP_GLOBAL ),
+    LDAP_ALLOW_AUTH_REQUIRE_NEW_PWD(
+            "ldap.allowAuth.requireNewPassword", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.LDAP_GLOBAL ),
     PASSWORD_SYNC_ENABLE_REPLICA_CHECK(
             "passwordSync.enableReplicaCheck", PwmSettingSyntax.SELECT, PwmSettingCategory.LDAP_GLOBAL ),
 
@@ -1037,8 +1039,6 @@ public enum PwmSetting
     // active directory
     AD_USE_PROXY_FOR_FORGOTTEN(
             "ldap.ad.proxyForgotten", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.ACTIVE_DIRECTORY ),
-    AD_ALLOW_AUTH_REQUIRE_NEW_PWD(
-            "ldap.ad.allowAuth.requireNewPassword", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.ACTIVE_DIRECTORY ),
     AD_ALLOW_AUTH_EXPIRED(
             "ldap.ad.allowAuth.expired", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.ACTIVE_DIRECTORY ),
     AD_ENFORCE_PW_HISTORY_ON_SET(
@@ -1047,9 +1047,6 @@ public enum PwmSetting
     // active directory
     ORACLE_DS_ENABLE_MANIP_ALLOWCHANGETIME(
             "ldap.oracleDS.enable.manipAllowChangeTime", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.ORACLE_DS ),
-    ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD(
-            "ldap.oracleDS.allowAuth.requireNewPassword", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.ORACLE_DS ),
-
 
     // helpdesk profile
     HELPDESK_ENABLE(
@@ -1246,6 +1243,14 @@ public enum PwmSetting
 
 
     // deprecated.
+
+    // deprecated 2021-01-14
+    AD_ALLOW_AUTH_REQUIRE_NEW_PWD(
+            "ldap.ad.allowAuth.requireNewPassword", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.ACTIVE_DIRECTORY ),
+
+    // deprecated 2021-01-14
+    ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD(
+            "ldap.oracleDS.allowAuth.requireNewPassword", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.ORACLE_DS ),
 
     // deprecated 2019-06-01
     PUBLIC_HEALTH_STATS_WEBSERVICES(

diff --git a/server/src/main/java/password/pwm/ldap/auth/LDAPAuthenticationRequest.java b/server/src/main/java/password/pwm/ldap/auth/LDAPAuthenticationRequest.java
@@ -250,36 +250,26 @@ private AuthenticationResult authenticateUserImpl(
                         userIdentity.getLdapProfileID() ).getDirectoryVendor();
                 if ( PwmError.PASSWORD_NEW_PASSWORD_REQUIRED == e.getError() )
                 {
-                    if ( vendor == DirectoryVendor.ACTIVE_DIRECTORY )
-                    {
-                        if ( pwmApplication.getConfig().readSettingAsBoolean( PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD ) )
-                        {
-                            log( PwmLogLevel.DEBUG,
-                                    () -> "auth bind failed, but will allow login due to 'must change password on next login AD error', error: "
-                                            + e.getErrorInformation().toDebugStr() );
-                            allowBindAsUser = false;
-                            permitAuthDespiteError = true;
-                        }
-                    }
-                    else if ( vendor == DirectoryVendor.ORACLE_DS )
+
+                    if ( pwmApplication.getConfig().readSettingAsBoolean(
+                                PwmSetting.LDAP_ALLOW_AUTH_REQUIRE_NEW_PWD ) 
+                            && ( vendor == DirectoryVendor.ACTIVE_DIRECTORY
+                                || vendor == DirectoryVendor.ORACLE_DS
+                                || vendor == DirectoryVendor.OPEN_LDAP ) )
                     {
-                        if ( pwmApplication.getConfig().readSettingAsBoolean(
-                                PwmSetting.ORACLE_DS_ALLOW_AUTH_REQUIRE_NEW_PWD ) )
-                        {
-                            log( PwmLogLevel.DEBUG,
-                                    () -> "auth bind failed, but will allow login due to 'pwdReset' user attribute, error: "
-                                            + e.getErrorInformation().toDebugStr() );
-                            allowBindAsUser = false;
-                            permitAuthDespiteError = true;
-                        }
+                        log( PwmLogLevel.DEBUG,
+                                () -> "auth bind failed, but will allow login due to 'pwdReset=TRUE' or 'pwdLastSet=0', error: "
+                                        + e.getErrorInformation().toDebugStr() );
+                        allowBindAsUser = false;
+                        permitAuthDespiteError = true;
                     }
                 }
                 else if ( PwmError.PASSWORD_EXPIRED == e.getError() )
                 {
                     // handle ad case where password is expired
                     if ( vendor == DirectoryVendor.ACTIVE_DIRECTORY )
                     {
-                        if ( pwmApplication.getConfig().readSettingAsBoolean( PwmSetting.AD_ALLOW_AUTH_REQUIRE_NEW_PWD ) )
+                        if ( pwmApplication.getConfig().readSettingAsBoolean( PwmSetting.LDAP_ALLOW_AUTH_REQUIRE_NEW_PWD ) )
                         {
                             if ( !pwmApplication.getConfig().readSettingAsBoolean( PwmSetting.AD_ALLOW_AUTH_EXPIRED ) )
                             {

diff --git a/server/src/main/resources/password/pwm/config/PwmSetting.xml b/server/src/main/resources/password/pwm/config/PwmSetting.xml
@@ -575,6 +575,17 @@
             <value><![CDATA[]]></value>
         </default>
     </setting>
+    <setting hidden="false" key="ldap.allowAuth.requireNewPassword" level="2" required="true">
+        <default template="AD">
+            <value>true</value>
+        </default>
+        <default template="ORACLE_DS">
+            <value>true</value>
+        </default>
+        <default>
+            <value>false</value>
+        </default>
+    </setting>
     <setting hidden="false" key="passwordLastUpdateAttribute" level="2">
         <ldapPermission actor="proxy" access="write"/>
         <regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
@@ -3454,11 +3465,6 @@
             <value>true</value>
         </default>
     </setting>
-    <setting hidden="false" key="ldap.ad.allowAuth.requireNewPassword" level="1" required="true">
-        <default>
-            <value>true</value>
-        </default>
-    </setting>
     <setting hidden="false" key="ldap.ad.allowAuth.expired" level="1" required="true">
         <default>
             <value>false</value>
@@ -3474,11 +3480,6 @@
             <value>true</value>
         </default>
     </setting>
-    <setting hidden="false" key="ldap.oracleDS.allowAuth.requireNewPassword" level="1" required="true">
-        <default>
-            <value>true</value>
-        </default>
-    </setting>
     <setting hidden="false" key="helpdesk.enable" level="1">
         <default>
             <value>false</value>
@@ -4107,6 +4108,18 @@
         <default/>
     </setting>
     <!-- BEGIN DEPRECATED SETTINGS -->
+    <setting hidden="true" key="ldap.oracleDS.allowAuth.requireNewPassword" level="1" required="true">
+        <flag>Deprecated</flag>
+        <default>
+            <value>true</value>
+        </default>
+    </setting>
+    <setting hidden="true" key="ldap.ad.allowAuth.requireNewPassword" level="1" required="true">
+        <flag>Deprecated</flag>
+        <default>
+            <value>true</value>
+        </default>
+    </setting>
     <setting hidden="true" key="password.policy.ADComplexity" level="99" required="false">
         <flag>Deprecated</flag>
         <default>

diff --git a/server/src/main/resources/password/pwm/i18n/PwmSetting.properties b/server/src/main/resources/password/pwm/i18n/PwmSetting.properties
@@ -463,6 +463,7 @@ Setting_Description_knownLocales=List of locales available.  The code is in two
 Setting_Description_ldap.ad.allowAuth.expired=Enable this option to have Active Directory fail an LDAP login attempt when the current date is after the user's password expiration date.  If you enabled this option, the system allows login even though the LDAP bind failed.  The user only can set a new password when this condition occurs.  No other functions are available until the user sets the password (and the system clears this flag).
 Setting_Description_ldap.ad.allowAuth.requireNewPassword=Enable this option to have Active Directory fail an LDAP login attempt when the users "must change password on next login" flag is set.  If you enable this option, the system allows a login even though the LDAP bind failed.  The user only can set a new password when this condition occurs.  No other functions are available until the password has been set (and the system clears this flag).
 Setting_Description_ldap.addObjectClasses=Specify the object classes to automatically add to users who authenticate to the password servlet.  Typically, this is an auxiliary LDAP class that contains attributes used by @PwmAppName@ to store password self-service data.
+Setting_Description_ldap.allowAuth.requireNewPassword=Enable this option to allow login by an account that requires a password reset. The user will immediately be required to set a new password. No other functions are available until the password has been set. This functionality is supported for Active Directory, Oracle DS, and OpenLDAP with the ppolicy module.
 Setting_Description_ldap.ad.enforcePwHistoryOnSet=Enable this option to enforce the password policy during forgotten password when <b>Use Proxy When Password Forgotten</b> is also set to true.  This setting requires that the Active Directory servers be at <b>Windows 2008 Server R2 SP1 or later</b>.  More specifically, it requires that the Active Directory servers support the LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2066) LDAP modification control.
 Setting_Description_ldap.ad.proxyForgotten=Enable this option to have @PwmAppName@ use the LDAP proxy account for LDAP work when the users' forget their passwords.  This is because an LDAP connection is not possible to Active Directory without the users' passwords.  When authenticated in this condition, Active Directory forces the users to change their passwords immediately.
 Setting_Description_ldap.defaultObjectClasses=Specify the object classes of user entries in your LDAP directory.
@@ -997,6 +998,7 @@ Setting_Label_knownLocales=Locales (Languages) and Flags
 Setting_Label_ldap.ad.allowAuth.expired=Allow Authentication When Password Expired
 Setting_Label_ldap.ad.allowAuth.requireNewPassword=Allow Authentication When "Must Change Password On Next Login" Is Set
 Setting_Label_ldap.addObjectClasses=Auto Add Object Classes
+Setting_Label_ldap.allowAuth.requireNewPassword=Allow Authentication When "Must Change Password On Next Login" Is Set
 Setting_Label_ldap.ad.enforcePwHistoryOnSet=Enforce Password Policy During Forgotten Password
 Setting_Label_ldap.ad.proxyForgotten=Use Proxy When Password Forgotten
 Setting_Label_ldap.defaultObjectClasses=User Object Class