Bug 1775285

Summary: RFE - Implement the Password Policy attribute "pwdReset".
Product: Red Hat Enterprise Linux 8
Reporter: Têko Mihinto <tmihinto>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: medium
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 8.0
CC: aadhikar, afarley, fcami, jobuckle, mreynolds, msauton, nkinder, pasik, spichugi, tbordaz, vashirov
Target Milestone: rc
Keywords: FutureFeature, TestCaseProvided
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Fixed In Version: 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766
Doc Type: Enhancement
Doc Text:
.Directory Server now supports the `pwdReset` operation attribute
This enhancement adds support for the `pwdReset` operation attribute to Directory Server. When an administrator changes the password of a user, Directory Server sets `pwdReset` in the user's entry to `true`. As a result, applications can use this attribute to identify if a password of a user has been reset by an administrator. Note that `pwdReset` is an operational attribute and, therefore, users cannot edit it.
Last Closed: 2020-11-04 03:07:24 UTC
Type: Bug
Bug Blocks: 1825061    

Description Têko Mihinto 2019-11-21 16:44:35 UTC
Description of problem:

Most of the LDAP vendors have implemented the pwdReset attribute.
Some customers are relying on this attribute to detect if a password must be changed by the user.

Version-Release number of selected component (if applicable):
RHDS 10.

How reproducible:
Always

Steps to Reproduce:
Requesting the attribute pwdReset returns no result.

Actual results:
pwdReset is not present in RHDS 10.
# grep -i pwdReset /usr/share/dirsrv/schema/*
#

Expected results:
Implement the attribute "pwdReset" from RFC draft-behera-ldap-password-policy

Additional info:
https://tools.ietf.org/html/draft-behera-ldap-password-policy-10

Comment 4 mreynolds 2019-11-21 17:27:50 UTC
FYI, there is a way to do this now by checking passwordExpirationtime for the EPOCH data (it's something like 19700000000001).  This is how the server knows if a password was reset by an Admin.

Anyway, adding the new attribute should be easy to add to the current password policy, but I don't think we can add any more RFE's to RHEL 7, only in RHEL 8.
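
The check described in Comment 4, combined with the `pwdReset` attribute this RFE adds, can be used to audit which accounts still carry an administrator-set password. The following is an added example, not code from the bug report or from 389-ds-base; the LDIF input is constructed, and the exact epoch value `19700101000000Z` is an assumption (the comment only gives it approximately).

```python
import base64

# Assumption: an admin-reset password that must be changed is marked by
# passwordExpirationTime set to the epoch in GeneralizedTime form.
EPOCH = "19700101000000Z"

# Constructed ldapsearch output. Operational attributes are returned only
# when requested by name (or with "+"), so the search must ask for
# pwdReset and passwordExpirationTime explicitly.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
pwdReset: TRUE
passwordExpirationTime: 19700101000000Z

dn: uid=bob,ou=People,dc=example,dc=com
passwordExpirationTime: 20301231235959Z

dn: uid=carol,ou=People,dc=example,dc=com
passwordexpirationtime: 1970010100
 0000Z
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per entry."""
    # Unfold continuation lines (a newline followed by one space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def reset_status(entry):
    """Return 'pwdReset', 'epoch-expiry' or None for one entry."""
    if any(v.upper() == "TRUE" for v in entry.get("pwdreset", [])):
        return "pwdReset"
    if EPOCH in entry.get("passwordexpirationtime", []):
        return "epoch-expiry"  # pre-pwdReset servers: Comment 4 workaround
    return None

def accounts_pending_change(ldif_text):
    """Map each flagged DN to the indicator that flagged it."""
    return {e["dn"][0]: s for e in parse_ldif(ldif_text)
            if (s := reset_status(e))}
```

Accounts that stay flagged long after the reset are worth reviewing, since the password known to the administrator is still the active credential.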

Comment 5 François Cami 2019-11-25 12:30:28 UTC
Hi Têko, could you please confirm with the customer that they have no short-term interest in IDM? If that's the case, this bug can stay as RHDS only; otherwise we'll have to clone to IDM (if we need additional support for pwdReset in IPA itself).

Comment 6 Têko Mihinto 2019-11-25 13:22:35 UTC
Hi François,

I'm checking with the customer.
I'll update the bug as soon as he replies back.

Thanks,
Têko.

Comment 8 Amy Farley 2019-12-11 19:59:10 UTC
Moving this to RHEL 8 as it cannot be added to RHEL 7 due to lifecycle phase.

Comment 9 mreynolds 2020-02-25 20:41:43 UTC
Upstream ticket:
https://pagure.io/389-ds-base/issue/50912

Comment 10 mreynolds 2020-02-27 14:18:40 UTC
Fixed upstream

Comment 15 Akshay Adhikari 2020-06-08 13:27:34 UTC
There is a new bug filed around this RFE: https://bugzilla.redhat.com/show_bug.cgi?id=1845094

Comment 16 Akshay Adhikari 2020-06-08 13:29:15 UTC
============================================================================ test session starts ============================================================================
platform linux -- Python 3.6.8, pytest-5.4.3, py-1.8.1, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-211.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '5.4.3', 'py': '1.8.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.9.0', 'html': '2.1.1'}}
389-ds-base: 1.4.3.8-3.module+el8.3.0+6935+6f68b788
nss: 3.44.0-15.el8
nspr: 4.21.0-2.el8_0
openldap: 2.4.46-11.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /workspace/ds/dirsrvtests, inifile: pytest.ini
plugins: metadata-1.9.0, html-2.1.1
collected 1 item                                                                                                                                                            

dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_reset PASSED                                                                                  [100%]

====================================================================== 1 passed, 2 warnings in 10.72s =======================================================================


Marking as VERIFIED.

Comment 20 errata-xmlrpc 2020-11-04 03:07:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695