Bug 567968

Summary: subtree/user level password policy created using 389-ds-console doesn't work.
Product: [Retired] 389
Reporter: Matteo Sessa <matteo.sessa>
Component: Directory Console
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: high
Version: 1.2.1
CC: jgalipea, nhosoi
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:34:40 UTC
Bug Blocks: 434914
Attachments: Proposed patch to 389-ds-console (flags: none)

Description Matteo Sessa 2010-02-24 13:44:36 UTC
Created attachment 396063
Proposed patch to 389-ds-console

Description of problem:
389-ds-console (389-ds-1.2.jar) still uses double quotes to wrap the target DN when creating fine-grained password policies.

The GUI procedure creates nsPwPolicy_CoS, nsPwPolicyContainer and PwPolicyEntry correctly but then fails silently during nsPwTemplateEntry creation.

The password policy structure requires nsPwTemplateEntry to reference PwPolicyEntry's DN in the pwdpolicysubentry attribute, but double-quote escaping is not accepted by the 1.3.6.1.4.1.1466.115.121.1.12 (DN) syntax enforced on the pwdpolicysubentry attribute.

If I set nsslapd-syntaxcheck: off on cn=config, the password policy GUI creates nsPwTemplateEntry correctly and policies work fine.

Attached is a patch for 389-ds-console that changes the way entries' CNs are written; it now works according to the ns-newpwpolicy.pl syntax, thus quoting commas in the CN. Example:

before patch:
cn="cn=nsPwPolicyEntry,ou=test,o=example.com",cn=nsPwPolicyContainer,ou=test,o=example.com

after patch:
cn=cn=nsPwPolicyEntry\,ou=test\,o=example.com,cn=nsPwPolicyContainer,ou=test,o=example.com

Version-Release number of selected component (if applicable):

389-ds-base-1.2.5-1.el5
389-ds-console-1.2.0-5.el5


Steps to Reproduce:
Ensure nsslapd-syntaxcheck is set to "on", enable fine-grained password policies on Data, create a subtree policy, and check whether nsPwTemplateEntry is correctly created.


Actual results:
nsPwTemplateEntry is not present

Expected results:
nsPwTemplateEntry is present and has pwdpolicysubentry attribute referencing PwPolicyEntry.

Additional info:
This issue is indirectly referenced by Bug 504817
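
Added example (not part of the original report, the attached patch, or the 389-ds-console code): a Python sketch of the two DN forms described above. It builds the policy entry DN with backslash-escaped commas and rewrites the older double-quoted form into it. The function names are hypothetical, and hex escapes inside a quoted value are assumed not to occur.

```python
# RFC 4514 section 2.4: these must be backslash-escaped inside an RDN value.
SPECIAL = '"+,;<>\\'

def escape_rdn_value(value):
    """Escape one attribute value for the RFC 4514 string form of a DN."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch == "\0":
            out.append("\\00")
        elif ch in SPECIAL or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def policy_entry_dn(target_dn):
    """Policy entry DN for a subtree/user target, in the report's 'after patch' form."""
    value = "cn=nsPwPolicyEntry," + target_dn
    return "cn=%s,cn=nsPwPolicyContainer,%s" % (escape_rdn_value(value), target_dn)

def from_legacy_quoted(dn):
    """Rewrite "..."-quoted RDN values (the 'before patch' form) with backslash escapes."""
    out, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # existing escape pair: copy as is
            out.append(dn[i:i + 2])
            i += 2
        elif dn[i] == '"':                       # start of a legacy quoted value
            raw, i = [], i + 1
            while i < len(dn) and dn[i] != '"':
                if dn[i] == "\\" and i + 1 < len(dn):
                    i += 1                       # \" or \\ inside quotes is a literal
                raw.append(dn[i])
                i += 1
            if i >= len(dn):
                raise ValueError("unterminated quoted value in DN")
            out.append(escape_rdn_value("".join(raw)))
            i += 1                               # skip the closing quote
        else:
            out.append(dn[i])
            i += 1
    return "".join(out)

if __name__ == "__main__":
    # Constructed sample using the DNs quoted in the report.
    target = "ou=test,o=example.com"
    before = 'cn="cn=nsPwPolicyEntry,%s",cn=nsPwPolicyContainer,%s' % (target, target)
    print(policy_entry_dn(target))
    print(from_legacy_quoted(before) == policy_entry_dn(target))
```
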

Comment 2 Noriko Hosoi 2010-04-27 21:50:00 UTC
Fixed with this change:
  commit 78c50664d6421cc5d0836bb03820680dc2cb7acf
  Author: Noriko Hosoi <nhosoi>
  Date:   Mon Apr 26 11:03:52 2010 -0700
    Update to New DN Format

Comment 3 Jenny Severance 2010-05-17 14:33:08 UTC
verified - RHEL 4

version: 

redhat-ds-base-8.2.0-2010051204.el4dsrv
redhat-ds-console-8.2.0-2.el4dsrv

ldapsearch -x -h hostname.company.com -p 389 -D "cn=Directory Manager" -w Secret -b "cn=config" | grep syntaxcheck
nsslapd-syntaxcheck: on

Successfully created global, subtree and user password policies from console.