Bug 553736

Summary: Local password policy should intelligently set default password storage scheme
Product: [Community] 389
Component: Security - Password Policy
Version: 1.2.1
Hardware: All
OS: Linux
Severity: low
Priority: medium
Status: CLOSED DUPLICATE
Reporter: Chris St. Pierre <cstpierr>
Assignee: Rich Megginson <rmeggins>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, jgalipea, nkinder
Doc Type: Bug Fix
Last Closed: 2010-09-27 11:31:46 EDT
Bug Blocks: 434915

Description Chris St. Pierre 2010-01-08 14:15:40 EST
If a new local password policy is created without a passwordStorageScheme attribute, then the password history will not work.  It seems, intuitively, like either the global storage scheme or the default storage scheme should apply to the local policy, rather than requiring a scheme to be explicitly set.  Or, failing that, ns-newpwpolicy.pl should probably create a default passwordStorageScheme attribute.

Some comments from bug #553455:

--- Comment #5 from Nathan Kinder <nkinder@redhat.com>  2010-01-08 13:34:20 EDT ---
(In reply to comment #4)
> It seems, intuitively, like either the global storage scheme or the default
> storage scheme should apply to the local policy.  If not, then
> ns-newpwpolicy.pl should probably create a default passwordStorageScheme
> attribute.

I tend to agree, though I am concerned about changing the behavior.  We could
make the storage scheme of the local policy inherit from the global policy if
it is not set locally, but this would have the effect of changing the result of
users' existing policies after an upgrade.  It is probably unlikely that
someone is depending on the current behaviour to enforce clear passwords
without explicitly specifying the storage scheme, but we have no way of knowing
for sure.

The ns-newpwpolicy.pl script could also be easily modified to add a default
storage scheme, but we don't add any other policy values.  Perhaps the proper
thing is to make the default storage scheme for a local policy SSHA when the
"passwordStorageScheme" value is not set.  This is in line with the way the
global policy works.

--- Comment #6 from Rich Megginson <rmeggins@redhat.com>  2010-01-08 13:43:31 EDT ---
This has been a problem from day one - everyone intuitively expects the local
password policy to inherit from the global password policy for fields that are
not specified at the local level.  I seriously doubt someone is relying on the
existing behavior, fully understanding how it is supposed to work.  But that is
a separate issue - an enhancement request.  I think it could be made to work by
changing new_passwdPolicy to simply copy the settings from the global policy
when creating the local policy object.
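Until the local policy inherits from the global one, the practical check is to find every local policy entry that carries no explicit passwordStorageScheme and set one. The script below is an added example written for this page; it is not part of the bug report, of ns-newpwpolicy.pl, or of the 389 Directory Server code base. It assumes the usual layout of local policies as passwordpolicy subentries under cn=nsPwPolicyContainer,<suffix>, takes the LDIF that ldapsearch -LLL would return for that container plus cn=config, reports the policies with no scheme set (the case in which, per the discussion above, the effective scheme is clear and password history does not work), and emits the ldapmodify LDIF that pins them to the global scheme. The DNs and values in SAMPLE_LDIF are constructed for the example.

```python
"""Audit 389 DS local password policies for a missing passwordStorageScheme.

Added example, not 389 DS code.  Input is LDIF as produced by
`ldapsearch -LLL` against cn=config and the nsPwPolicyContainer subtree.
"""
import base64

# Constructed sample: a global policy and two local policies, one of which
# (ou=People) omits passwordStorageScheme.  DNs are hypothetical.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: top
passwordStorageScheme: SSHA
passwordHistory: on

dn: cn=cn\\=nsPwPolicyEntry\\,ou\\=People\\,dc\\=example\\,dc\\=com,cn=nsPwPolicyContainer,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordHistory: on
passwordInHistory: 6

dn: cn=cn\\=nsPwPolicyEntry\\,ou\\=Admins\\,dc\\=example\\,dc\\=com,cn=nsPwPolicyContainer,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordStorageScheme: SSHA
passwordHistory: on
passwordInHistory: 6
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from LDIF text.

    Handles folded continuation lines (leading space), comments, and
    base64 values ('attr:: ...').  Attribute names are lowercased because
    LDAP attribute names are case-insensitive.
    """
    entries = []
    for record in text.strip().split("\n\n"):
        lines = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def global_scheme(entries, default="SSHA"):
    """Storage scheme of the global policy on cn=config (SSHA if unset)."""
    for dn, attrs in entries:
        if dn.lower() == "cn=config":
            return attrs.get("passwordstoragescheme", [default])[0]
    return default


def find_unset_local_policies(entries):
    """DNs of local passwordpolicy subentries with no passwordStorageScheme."""
    missing = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "passwordpolicy" not in classes:
            continue
        if "cn=nspwpolicycontainer" not in dn.lower():
            continue                           # not a local policy entry
        if "passwordstoragescheme" not in attrs:
            missing.append(dn)
    return missing


def fix_ldif(dns, scheme):
    """ldapmodify input that pins each listed policy to `scheme` explicitly."""
    return "".join(
        f"dn: {dn}\nchangetype: modify\nreplace: passwordStorageScheme\n"
        f"passwordStorageScheme: {scheme}\n\n"
        for dn in dns
    )


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    scheme = global_scheme(entries)
    unset = find_unset_local_policies(entries)
    for dn in unset:
        print(f"no passwordStorageScheme on {dn} (effective scheme is clear)")
    print(fix_ldif(unset, scheme), end="")
```

Feed real output in place of SAMPLE_LDIF with something like `ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=nsPwPolicyContainer,dc=example,dc=com "(objectClass=passwordpolicy)"` plus a second search of cn=config, then pipe the generated LDIF to ldapmodify. Using `replace` rather than `add` keeps the modify idempotent if it is re-run after the scheme has been set.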

Comment 2 Jenny Galipeau 2010-01-19 12:34:10 EST
*** Bug 554419 has been marked as a duplicate of this bug. ***

Comment 3 Rich Megginson 2010-09-27 11:31:46 EDT
*** This bug has been marked as a duplicate of bug 190862 ***