Bug 1378461

Field | Value
---|---
Summary | IPA Allows Password Reuse with History value defined when admin resets the password.
Product | Red Hat Enterprise Linux 7
Reporter | Arya Rajendran <arajendr>
Component | ipa
Assignee | IPA Maintainers <ipa-maint>
Status | CLOSED ERRATA
QA Contact | Varun Mylaraiah <mvarun>
Severity | medium
Docs Contact |
Priority | unspecified
Version | 7.1
CC | apetrova, arajendr, kresss, mbabinsk, mvarun, pvoborni, rcritten, tbordaz
Target Milestone | rc
Flags | arajendr: needinfo-
Target Release | ---
Hardware | Unspecified
OS | Linux
Whiteboard |
Fixed In Version | ipa-4.5.0-1.el7
Doc Type | If docs needed, set a value
Doc Text |
Story Points | ---
Clone Of |
Clones | 1509918
Environment |
Last Closed | 2017-08-01 09:42:02 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Bug Depends On |
Bug Blocks | 1509918
Description
Arya Rajendran
2016-09-22 13:12:53 UTC
IMO this is expected. Password reset by admin ignores password policy.

Testing on master branch, the password updates conform to what is documented:

- Creating a user, enable the global password policy with history (6).
- Directory manager assign password: value0
- Being bound as the user, assign: value1
- ..
- Being bound as the user, assign: value6
- Directory manager assign password: value7
- Being bound as the user (with value7 password), update the password to set: value4

It fails: Constraint violation (19) additional info: password in history

Would it be possible to get more detailed reproducible steps (especially with the effective values set for the password)? Also, before updating the password, could you provide

```
ldapsearch -D "cn=directory manager" -w xxxx -b "<user_dn>" nscpentrywsi
```

then the same command after the update of the password?

Thierry, the difference can be that you used the LDAP-only way. I can reproduce with the steps from comment 3:

```
[pvoborni@test ~]$ ipa passwd
Current Password:
New Password:
Enter New Password again to verify:
----------------------------------------------------------------------
Changed password for "fbar"
----------------------------------------------------------------------
[pvoborni@test ~]$ ipa passwd
Current Password:
New Password:
Enter New Password again to verify:
ipa: ERROR: Constraint violation: Password reuse not permitted
[pvoborni@test ~]$ kdestroy -A
[pvoborni@test ~]$ kinit admin
Password for admin:
[pvoborni@test ~]$ ipa passwd fbar
New Password:
Enter New Password again to verify:
----------------------------------------------------------------------
Changed password for "fbar"
----------------------------------------------------------------------
[pvoborni@test ~]$ kdestroy -A
[pvoborni@test ~]$ kinit admin
Password for admin:
kinit: Password read interrupted while getting initial credentials
[pvoborni@test ~]$ kinit fbar
Password for fbar:
Password expired.  You must change it now.
Enter new password:
Enter it again:
```

In short:

- value1 - set
- value1 - try to reuse - fail
- value2 - set by admin - success
- value1 - reused - success

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6402

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c223130d5f429278202aaf8bf87af53911a3b448

Verified ipa-server-4.5.0-13.el7.x86_64

```
# ipa pwpolicy-show
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 10
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
# ipa passwd user1
New Password:
Enter New Password again to verify:
# kdestroy -A
# kinit user1
Password for user1:
Password expired.  You must change it now.
Enter new password:
Enter it again:
Password change rejected: New password was used previously. Please choose a different password..
Please try again.
Enter new password:
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
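The reuse sequence in the comments above, replayed in an added model that is not FreeIPA or 389-ds code: it shows that the admin reset may skip the reuse check, but the password it replaces still has to be pushed into the history, otherwise the user's next self-service change cannot see it. The class and function names, and the hashing used as a stand-in for the directory's password storage scheme, are assumptions of this example.

```python
"""Constructed model of password-history bookkeeping around an admin reset.

Not FreeIPA/389-ds code: it replays the four steps from the bug report with
the history maintained two ways, to show why value1 became reusable.
"""
import hashlib
import os
from collections import deque


class PasswordReuseError(Exception):
    """Raised where IPA reports 'Password reuse not permitted'."""


class PasswordStore:
    def __init__(self, history_size, record_admin_resets):
        self.record_admin_resets = record_admin_resets
        self.salt = os.urandom(16)          # one salt per entry keeps the model short
        self.current = None                 # hash of the password in force
        self.history = deque(maxlen=history_size)   # hashes of replaced passwords

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def _commit(self, password, keep_old):
        if keep_old and self.current is not None:
            self.history.append(self.current)
        self.current = self._digest(password)

    def user_change(self, password):
        """Self-service change: policy applies, current and history are checked."""
        digest = self._digest(password)
        if digest == self.current or digest in self.history:
            raise PasswordReuseError("Password reuse not permitted")
        self._commit(password, keep_old=True)

    def admin_reset(self, password):
        """Admin reset skips the reuse check (expected); the defect modelled here
        is the replaced password never entering the history (keep_old=False)."""
        self._commit(password, keep_old=self.record_admin_resets)


def replay(record_admin_resets):
    """Run the steps from the 'in short' summary; True means the change was accepted."""
    store = PasswordStore(history_size=10, record_admin_resets=record_admin_resets)
    steps = [(store.user_change, "value1"), (store.user_change, "value1"),
             (store.admin_reset, "value2"), (store.user_change, "value1")]
    results = []
    for op, value in steps:
        try:
            op(value)
            results.append(True)
        except PasswordReuseError:
            results.append(False)
    return results
```

`replay(False)` reproduces the reported outcome (last step accepted); `replay(True)` gives the verified behaviour (last step rejected).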