Bug 1582092
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | passwordMustChange attribute is not honored by a RO consumer if "Chain on Update" is implemented on the RO consumer | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ming Davies <minyu> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> |
| Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | aadhikar, gparente, mreynolds, nkinder, pasik, rmeggins |
| Target Milestone: | pre-dev-freeze | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | 389-ds-base-1.3.8.4-1.el7 | Doc Type: | Bug Fix |

Doc Text:

Using the password policy feature works correctly if "chain on update" is enabled

On a Directory Server read-only consumer, the `Password must be changed after reset` password policy setting was not enforced because the flag for marking the user that must change their password is set on the connection itself. If this setting was used with the "chain on update" feature, the flag was lost. As a consequence, the password policy feature did not work. With this update, the server sets the flag on "chain on update" connections properly. As a result, the password policy feature works correctly.

Last Closed: | 2018-10-30 10:13:48 UTC | Type: | Bug |
Description
Ming Davies
2018-05-24 08:14:36 UTC
I can reproduce the problem. Opening upstream ticket...

Upstream ticket: https://pagure.io/389-ds-base/issue/49751

Build tested: 389-ds-base-1.3.8.4-8.el7.x86_64

Setup:

1) Replication master and consumer
2) passwordMustChange is set to on (Both master and consumer)
3) Create Chain on Update setting as mentioned: https://access.redhat.com/solutions/2743411
4) Restart the consumer

Master is on port: 39001
Consumer is on port: 39201

```
[root@qeos-26 ~]# ldapmodify -h localhost -p 39001 -D "cn=Directory Manager" -w password -x -a << EOF
> dn: uid=adam1,ou=People,dc=example,dc=com
> changetype: modify
> replace: userpassword
> userpassword: password
> EOF
modifying entry "uid=adam1,ou=People,dc=example,dc=com"
```

```
[root@qeos-26 ~]# ldapsearch -h localhost -p 39001 -D "uid=adam1,ou=People,dc=example,dc=com" -b "uid=adam1,ou=People,dc=example,dc=com" -w password
# extended LDIF
#
# LDAPv3
# base <uid=adam1,ou=People,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==
```

```
[root@qeos-26 ~]# ldapsearch -h localhost -p 39201 -D "uid=adam1,ou=People,dc=example,dc=com" -b "uid=adam1,ou=People,dc=example,dc=com" -w password
# extended LDIF
#
# LDAPv3
# base <uid=adam1,ou=People,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3127
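
A regression check for the behaviour verified above, as an added example that is not part of the bug report or of 389-ds-base: it classifies the `ldapsearch` result a reset user gets and passes only when the consumer enforces `passwordMustChange` the same way the master does. The function names and the `bypassed` sample are constructed for illustration; the enforced sample reuses the result lines shown in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a post-reset ldapsearch
# result and require the consumer to enforce the policy like the master.
PWD_EXPIRED_OID="2.16.840.1.113730.3.4.4"  # control OID shown in the report's output

# Reads ldapsearch output on stdin and prints:
#   enforced  - result 53 plus the control above (what the fixed build returns)
#   refused   - result 53 without the control
#   bypassed  - result 0: the reset user could search without changing the password
#   other:<n> - any other result code, or "other:none" if no result line was seen
classify_search() {
    awk -v oid="$PWD_EXPIRED_OID" '
        $1 == "result:"               { rc = $2 + 0; seen = 1 }
        $1 == "control:" && $2 == oid { ctl = 1 }
        END {
            if (!seen)                print "other:none"
            else if (rc == 53 && ctl) print "enforced"
            else if (rc == 53)        print "refused"
            else if (rc == 0)         print "bypassed"
            else                      print "other:" rc
        }'
}

# $1 = master output, $2 = consumer output; succeeds only if both enforce.
check_pair() {
    m=$(printf '%s\n' "$1" | classify_search)
    c=$(printf '%s\n' "$2" | classify_search)
    echo "master=$m consumer=$c"
    [ "$m" = "enforced" ] && [ "$c" = "enforced" ]
}

# Sample 1: the result lines from the verification output in this report.
SAMPLE_ENFORCED='# search result
search: 2
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA=='

# Sample 2: constructed, assumed shape of a search that was not blocked.
SAMPLE_BYPASSED='# search result
search: 2
result: 0 Success'

check_pair "$SAMPLE_ENFORCED" "$SAMPLE_ENFORCED"
check_pair "$SAMPLE_ENFORCED" "$SAMPLE_BYPASSED" ||
    echo "FAIL: consumer does not enforce passwordMustChange"
```

Against live instances, pipe the output of each `ldapsearch` command from the report into `classify_search` and pass the two captured outputs to `check_pair`.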