Bug 1676699

Summary: dsconf allows to set an empty password for Directory Manager
Product: Red Hat Enterprise Linux 8 Reporter: Viktor Ashirov <vashirov>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified Docs Contact:
Priority: high    
Version: 8.0CC: lkrispen, nkinder, pasik, spichugi, tbordaz, vashirov
Target Milestone: rcFlags: vashirov: mirror+
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.4.2.4-5.module+el8.2.0+5439+e9855ef3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:01:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1683259    
Bug Blocks:    

Description Viktor Ashirov 2019-02-12 21:43:48 UTC 
Description of problem:

dsconf allows to set an empty password for Directory Manager

Version-Release number of selected component (if applicable):
389-ds-base-1.4.0.20-7.module+el8+2750+1f4079fb.x86_64


How reproducible:


Steps to Reproduce:
1. Create an instance using dscreate
2. Change the password for DM:
# dsconf localhost directory_manager password_change
Enter new directory manager password : 
CONFIRM - Enter new directory manager password : 


Actual results:
The password is set to empty value. In the audit log (with nsslapd-rootpwstoragescheme: CLEAR):

time: 20190212162039
dn: cn=config
result: 0
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw:
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20190212212039Z
-


Expected results:
It should be not allowed to set an empty password for DM. 

Additional info:
Comment 1 mreynolds 2019-06-27 15:51:36 UTC 
Should enforce password minlength
Comment 4 mreynolds 2020-01-13 22:48:11 UTC 
Upstream ticket:
https://pagure.io/389-ds-base/issue/50816
Comment 6 Viktor Ashirov 2020-01-22 20:38:54 UTC 
Build tested: 389-ds-base-1.4.2.4-6.module+el8.2.0+5509+885f7879.x86_64.rpm

# dsconf localhost directory_manager password_change
Enter new directory manager password : <empty>
CONFIRM - Enter new directory manager password : <empty>
Error: You can not set the Directory Manager password to nothing

Empty password is not allowed, marking as VERIFIED.
Comment 8 errata-xmlrpc 2020-04-28 16:01:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1703