Bug 1465600

Summary: PasswordCheckSyntax attribute fails to validate cn, sn, uid and mail attributes
Product: Red Hat Enterprise Linux 7
Reporter: Sankar Ramalingam <sramling>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: urgent
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent
Version: 7.4
CC: amsharma, msauton, nkinder, rmeggins
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: 389-ds-base-1.3.7.5-4.el7
Doc Type: Bug Fix
Doc Text:
The Directory Server password policies now work correctly. Previously, subtree and user password policies did not use the same default values as the global password policy. As a consequence, Directory Server incorrectly skipped certain syntax checks. This bug has been fixed. As a result, the password policy features work the same for the global configuration and the subtree and user policies.
Story Points: ---
Clone Of:
: 1489693
Environment:
Last Closed: 2018-04-10 14:18:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1489693

Description Sankar Ramalingam 2017-06-27 17:46:50 UTC
Description of problem: Password policy's PasswordCheckSyntax attribute allows the user to set a (trivial) password which contains the cn, sn, mail and uid attributes. This fails for both global and fine-grained password policies.

Version-Release number of selected component (if applicable): 389-ds-base-1.3.6.1-16

How reproducible: Consistently

Steps to Reproduce:
1. Install latest of 389-ds-base-1.3.6.1-16 on RHEL-7.4.
2. Create an instance and configure password policy with PasswordCheckSyntax attribute set to on.
3. Add users with cn, sn, uid, mail and userPassword attributes.
4. Run ldapmodify as normal user and replace userPassword with sn, cn, mail or uid attributes of the same user.
5. Trivial value of sn, cn, mail and uid attributes accepted for userPassword.

Actual results: cn, sn, uid and mail attribute values are accepted as userPassword when PasswordCheckSyntax is set to on.

Expected results: It should reject the passwords with error 19 (Constraint violation).

Additional info: Observed from TET Password Policy tests. So, to verify this, we can run the password policy tests (select PasswordRunIt) from TET.

Failed tests: pwp_34 only. But the following test cases pwp_36, pwp_37, pwp_38, pwp_104, pwp_105, pwdp_01 and pwdp_02 fail due to the pwp_34 failure.

Comment 3 Sankar Ramalingam 2017-08-08 10:57:46 UTC
Automated in pytest ./suites/password/regression_test.py

Comment 4 Nathan Kinder 2017-08-29 20:13:35 UTC
Your examples show that the trivial words check is working with a global policy, but not with a local (fine-grained) policy.  Were you actually defining a local password policy when you enabled nsslapd-policy-local?  If so, did you enable password syntax checking in the local password policy for your tests?

Comment 5 mreynolds 2017-09-01 13:29:25 UTC
The issue is that when we use local password policies we do not use the same defaults as the global policy. In this particular case the token length was 0 by default (the global policy is 3), which basically disabled the trivial password check.

This is now fixed upstream via:

https://pagure.io/389-ds-base/issue/49370
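The reproduction steps in the description and the root cause given in comment 5 (a local policy whose token length defaulted to 0 instead of the global 3), as an added Python model that is not 389-ds-base code; the user entry, the tokenisation rule and the helper names are constructed for illustration.

```python
from dataclasses import dataclass

LDAP_CONSTRAINT_VIOLATION = 19  # the error code the reporter expected

# Entry attributes whose values must not appear inside a new password.
TRIVIAL_ATTRS = ("uid", "cn", "sn", "givenName", "mail")


@dataclass
class PwPolicy:
    check_syntax: bool = False   # passwordCheckSyntax
    min_token_length: int = 3    # passwordMinTokenLength, global default


def local_policy(attrs, fixed=True):
    """Build a subtree/user policy from its LDAP attribute values.

    fixed=False models the pre-fix behaviour described in comment 5: the
    local policy did not start from the global defaults, so an admin who
    only set 'passwordCheckSyntax: on' ended up with a token length of 0.
    """
    pol = PwPolicy() if fixed else PwPolicy(min_token_length=0)
    if attrs.get("passwordCheckSyntax", "off").lower() == "on":
        pol.check_syntax = True
    if "passwordMinTokenLength" in attrs:
        pol.min_token_length = int(attrs["passwordMinTokenLength"])
    return pol


def check_trivial_words(password, entry, policy):
    """Return 19 if the password contains a token (at least
    min_token_length long) of the user's own uid/cn/sn/givenName/mail
    values, otherwise None. Splitting on whitespace, '@' and '.' is a
    modelling choice here, not the server's exact algorithm."""
    if not policy.check_syntax or policy.min_token_length <= 0:
        return None  # token length 0: nothing to compare, check is skipped
    pw = password.lower()
    for attr in TRIVIAL_ATTRS:
        for value in entry.get(attr, ()):
            for tok in value.replace("@", " ").replace(".", " ").split():
                if len(tok) >= policy.min_token_length and tok.lower() in pw:
                    return LDAP_CONSTRAINT_VIOLATION
    return None


# Constructed user mirroring the names used by the regression test log.
USER = {
    "uid": ["UIDpwtest1"], "cn": ["CNpwtest1"], "sn": ["SNpwtest1"],
    "givenName": ["GNpwtest1"], "mail": ["MAILpwtest1@example.com"],
}
SUBTREE_POLICY = {"passwordCheckSyntax": "on"}  # what the reporter set
CANDIDATES = ("UIDpwtest1", "ZZZCNpwtest1ZZZ", "MAILpwtest1", "Xy7!Qr2#")


def outcome(fixed):
    """Result code per candidate password under the subtree policy,
    built with buggy (fixed=False) or corrected (fixed=True) defaults."""
    pol = local_policy(SUBTREE_POLICY, fixed=fixed)
    return {pw: check_trivial_words(pw, USER, pol) for pw in CANDIDATES}


if __name__ == "__main__":
    for label, fixed in (("before fix", False), ("after fix", True)):
        print(label, outcome(fixed))
```

With the buggy defaults every candidate is accepted; with the corrected defaults the three passwords built from the entry's own uid, cn and mail values are rejected with 19 and only the unrelated one passes.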

Comment 7 Sankar Ramalingam 2017-09-11 12:19:31 UTC
(In reply to Nathan Kinder from comment #4)
> Your examples show that the trivial words check is working with a global
> policy, but not with a local (fine-grained) policy.  Were you actually
> defining a local password policy when you enabled nsslapd-policy-local?  If
> so, did you enable password syntax checking in the local password policy for
> your tests?

Yes, when I enabled nsslapd-policy-local, I set the value 'PasswordCheckSyntax: on' for the subtree password policy.

Comment 9 Amita Sharma 2017-10-24 09:00:08 UTC
389-ds-base: 1.3.7.5-6.el7
nss: 3.33.0-2.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-5.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.5.0, html-1.16.0
collected 34 items                                                                                                                                    

regression_test.py OK group dirsrv exists
OK user dirsrv exists
INFO:lib389.topologies:Instance with parameters {'ldap-port': 38901, 'suffix': 'dc=example,dc=com', 'krb5_realm': None, 'deployed-dir': '/usr', 'inst-backupdir': '/tmp', 'hostname': 'localhost', 'server-id': 'standalone1', 'root-pw': 'password', 'root-dn': 'cn=Directory Manager', 'group-id': None, 'InstScriptsEnabled': None, 'user-id': None, 'ldap-secureport': None} was created.
INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to on
INFO:dirsrvtests.tests.suites.password.regression_test:Configure subtree password policy for ou=people,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Adding user-uid=UIDpwtest1,ou=people,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with UIDpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with MAILpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with GNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with SNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZCNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1Z
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1Z
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1ZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1ZZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZZCNpwtest1ZZZZZZZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with UIDpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with MAILpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with GNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with SNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZCNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1Z
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1Z
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1ZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1ZZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZZCNpwtest1ZZZZZZZZ
.INFO:dirsrvtests.tests.suites.password.regression_test:Deleting user-uid=UIDpwtest1,ou=People,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Reset pwpolicy configuration settings
Instance slapd-standalone1 removed.


============================================================= 34 passed in 9.51 seconds ==============================================================

Comment 10 Amita Sharma 2017-10-24 09:07:32 UTC
With -v
=======
================================================================ test session starts =================================================================
platform linux2 -- Python 2.7.5, pytest-3.2.3, py-1.4.34, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-693.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.34', 'pytest': '3.2.3', 'pluggy': '0.4.0'}, 'Plugins': {'html': '1.16.0', 'metadata': '1.5.0'}}
DS build: 1.3.7.5
389-ds-base: 1.3.7.5-6.el7
nss: 3.33.0-2.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-5.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.5.0, html-1.16.0
collected 34 items                                                                                                                                    

regression_test.py::test_trivial_passw_check[UIDpwtest1] OK group dirsrv exists
OK user dirsrv exists
INFO:lib389.topologies:Instance with parameters {'ldap-port': 38901, 'suffix': 'dc=example,dc=com', 'krb5_realm': None, 'deployed-dir': '/usr', 'inst-backupdir': '/tmp', 'hostname': 'localhost', 'server-id': 'standalone1', 'root-pw': 'password', 'root-dn': 'cn=Directory Manager', 'group-id': None, 'InstScriptsEnabled': None, 'user-id': None, 'ldap-secureport': None} was created.
INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to on
INFO:dirsrvtests.tests.suites.password.regression_test:Configure subtree password policy for ou=people,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Adding user-uid=UIDpwtest1,ou=people,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with UIDpwtest1
PASSED
regression_test.py::test_trivial_passw_check[MAILpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with MAILpwtest1
PASSED
regression_test.py::test_trivial_passw_check[GNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with GNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[SNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with SNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1ZZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZZZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZCNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[ZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1Z] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1Z
PASSED
regression_test.py::test_trivial_passw_check[ZCNpwtest1Z] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1Z
PASSED
regression_test.py::test_trivial_passw_check[ZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1ZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZCNpwtest1ZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1ZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1ZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZZCNpwtest1ZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1ZZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZZZZZCNpwtest1ZZZZZZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZZCNpwtest1ZZZZZZZZ
PASSED
regression_test.py::test_global_vs_local[UIDpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with UIDpwtest1
PASSED
regression_test.py::test_global_vs_local[MAILpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with MAILpwtest1
PASSED
regression_test.py::test_global_vs_local[GNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with GNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1
PASSED
regression_test.py::test_global_vs_local[SNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with SNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1ZZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZZ
PASSED
regression_test.py::test_global_vs_local[ZZZZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZCNpwtest1
PASSED
regression_test.py::test_global_vs_local[ZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1Z] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1Z
PASSED
regression_test.py::test_global_vs_local[ZCNpwtest1Z] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1Z
PASSED
regression_test.py::test_global_vs_local[ZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1ZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZ
PASSED
regression_test.py::test_global_vs_local[ZZCNpwtest1ZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1ZZ
PASSED
regression_test.py::test_global_vs_local[ZZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1ZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZ
PASSED
regression_test.py::test_global_vs_local[ZZZCNpwtest1ZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1ZZZ
PASSED
regression_test.py::test_global_vs_local[ZZZZZZCNpwtest1ZZZZZZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZZCNpwtest1ZZZZZZZZ
PASSEDINFO:dirsrvtests.tests.suites.password.regression_test:Deleting user-uid=UIDpwtest1,ou=People,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Reset pwpolicy configuration settings
Instance slapd-standalone1 removed.


============================================================= 34 passed in 9.56 seconds ==============================================================

Comment 13 errata-xmlrpc 2018-04-10 14:18:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811