Looks like it does not work with Plone self registration (enable self-registration at @@security-controlpanel) in combination with LDAP #17

Open
petersta opened this issue Aug 8, 2016 · 4 comments

Comments

@petersta

petersta commented Aug 8, 2016

Using Plone 4.3.3 with OpenLDAP (that works fine), and collective.pwexpiry 0.9.1 is installed.
The user can do self-registration and choose their own password.
When registration is done and the user is added to the LDAP, the user is prompted to sign in immediately (as normal). Once the user logs in, he directly gets a message that his password is expired and that he needs to reset the password. When he does that and activates his new password (again, so now the 2nd time!), he still gets the message that the password is expired.
Collective.pwexpiry also gives an error in patches.py in extended_validate_registration: KeyError: password. I am using a bypass with try: except so I get Return original for this function...

Any help is appreciated. I played around with the ordering of the plugins in many ways, but I never got a successful implementation of:

  • check history of password (in configuration registry setting of password_history_size = 5)
  • number of login failures (in configuration registry setting of allowed_tries = 3)

I got the validity period working okay with the notification_and_expire.py script.

  • number of days for password validity (in configuration registry setting of validity_period = 1)

The pwexpiry plugin causes an error on User_Adder (doAddUser) when the plugin is before the LDAP plugin. When a user does a self-registration, they get the error message "Error: doAdder" and the text of a successful registration (which did not happen).

It looks like the patch is also causing extra complications.
I also created a MyPasswordValidator using the documented example and registered that in the zcml.

I am lost now....

@petersta
Author

Sometimes you find out yourself what the issue is. 😃

It turned out that Products.PasswordStrength was hindering the proper functioning of collective.pwexpiry. After I deleted Products.PasswordStrength from installed Add-on products, from buildout and the eggs directory (just to make sure nothing was there)... all was working as intended.

The issue that your password gets immediately expired when using Plone's user self-registration and the option that the user can also define their own password is not yet solved. I think the reason is that collective.pwexpiry adds a user property called password_date, which is by default initially set to the value 2000/01/01. The original register.py program of plone.app.users does not know that property, so it cannot update the initial password date, therefore pwexpiry demands that you immediately set a new password (password expired as it sees 2000/01/01...)

Hmmm, I need to figure out how to solve that without too much hassle...

But maybe you find this useful information.

@petersta
Author

Last X Passwords check = the password history function of collective.pwexpiry works nicely when you store users and groups in Zope, but when you use OpenLDAP with plone.app.ldap then it does not work.

The registry parameter password_history_size is set to 5, but that part of the plugin is not invoked. I need to do more testing and debugging (after my holiday...).

@frisi
Member

frisi commented Aug 17, 2016

good luck @petersta - and have a nice holiday.

what we learned when using multiple authentication plugins was that it can be a lot of work to get them working together - since they sometimes patch the same methods/scripts/forms

pwexpiry also offers kind of the same functionality as Products.PasswordStrength (see discussion in #5 for more details) so you might want to not use passwordstrength at all.

as pwexpiry does not claim to work with plone.app.ldap i don't think this is an issue that should stay open.
of course, if you can manage to get it working a pull request is appreciated.

@frapell would you also vote for closing this ticket in the meantime?

@frapell
Member

frapell commented Aug 17, 2016

@petersta Thanks for reporting this! (And hope you have a nice holiday ;) )

Yeah, I would agree with you @frisi, however, we are using this in several projects along with ldap and I'm not aware of missing functionality, I will need to do some experiments, but don't have the time atm...

Also, being that it is fairly common for ldap to be used, I think it makes sense that this product plays nice with it, so I would leave it open for now, so I (or anyone else willing to do so :) ) can put some time into it to verify everything works fine (And also, why not, add a note in the readme about PasswordStrength)
