Bug 1174723

Summary: values for pwdChecker are not set to default values
Product: Red Hat Enterprise Linux 7 Reporter: David Spurek <dspurek>
Component: openldapAssignee: Matus Honek <mhonek>
Status: CLOSED ERRATA QA Contact: Patrik Kis <pkis>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: ebenes, jsynacek, mhonek, pkis
Target Milestone: rcKeywords: EasyFix, Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: broken logic while handling default configuration values. Consequence: default values in pwdChecker were not set. Fix: underlying code has been fixed. Result: default values are now set correctly.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 08:52:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Spurek 2014-12-16 11:31:17 UTC 
Description of problem:
minPoints value in pwdChecker isn't set to default value.

Documentation says:
minPoints : integer. Default value: 3. Minimum number of quality points a new password must have to be accepted. One quality point is awarded for each character class used in the password.

My use case:
cat > /etc/openldap/check_password.conf <<EOF
minLower 3
EOF

Then 'ldappasswd -H ldap://my-domain.com -a PASSab -s BLABla -D uid=testuser3,dc=my-domain,dc=com -w PASSab -x uid=testuser3,dc=my-domain,dc=com' is allowed but it should fail. 

If I explicitly set 'minPoints 3' then ldappasswd fails:

[test]ldappasswd -H ldap://my-domain.com -a PASSab -s BLABla -D uid=testuser3,dc=my-domain,dc=com -w PASSab -x uid=testuser3,dc=my-domain,dc=com -e ppolicy
Result: Constraint violation (19)
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQU=
ppolicy: error=5 (Password fails quality checks)



Version-Release number of selected component (if applicable):
openldap-2.4.39-3.el7

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 David Spurek 2014-12-16 12:30:28 UTC 
The same situation is for other keywords in /etc/openldap/check_password.conf. If keyword isn't found in a file then its value is set to '-1' instead of default value.
Comment 3 Jan Synacek 2014-12-17 14:44:55 UTC 
Fix in Fedora:
http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=0625d0e5014f6ddcf02e6d6ffed7fa2ba57fd024
Comment 6 Matus Honek 2015-05-25 14:53:16 UTC 
*** Bug 1196243 has been marked as a duplicate of this bug. ***
Comment 10 errata-xmlrpc 2015-11-19 08:52:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2131.html