Bug 627993
Summary: RFE: allow global password policy duration attributes in days, hours, minutes, as well
Product: [Retired] 389
Component: Security - Password Policy
Version: 1.2.6
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: medium
Hardware: All
OS: All
Reporter: Gerhardus Geldenhuis <gerhardus.geldenhuis>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Viktor Ashirov <vashirov>
CC: amsharma, evinco, jgalipea, nhosoi
Doc Type: Bug Fix
Last Closed: 2015-12-07 17:16:26 UTC
Bug Blocks: 639035

Description
Gerhardus Geldenhuis
2010-08-27 15:47:59 UTC
The same goes for password retry settings:

changetype: modify
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: 5
-
replace: passwordLockoutDuration
passwordLockoutDuration: 1800
-
replace: passwordResetFailureCount
passwordResetFailureCount: 660

(In reply to comment #0)
> Description of problem:
> Some values set in the password policy are stored in seconds while other
> password policies are stored in days.

Actually, there are no inconsistencies there. The first 2: passwordMaxAge and passwordWarning are in seconds. And the 3rd: passwordGraceLimit is a number of grace logins.

FYI:
passwordGraceLimit
This attribute indicates the number of grace logins permitted when a user's password is expired. When set to a positive number, the user will be allowed to bind with the expired password for that many times. For the global password policy, the attribute is defined under cn=config. By default, this attribute is set to 0, which means grace logins are not permitted.

You can find the description here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes

In comment 1 (https://bugzilla.redhat.com/show_bug.cgi?id=627993#c1):
The value of passwordMaxFailure and passwordResetFailureCount is number/count. The value of passwordLockoutDuration is in seconds. All the values which represent the time duration are in seconds.

Created attachment 474376
git patch file (master)
The attached patch allows passwordLockoutDuration, passwordResetFailureCount, passwordMaxAge, passwordMinAge, passwordWarning to have <days>D|d, <hours>H|h, <min>M|m, and <sec>S|s in addition to the current representation <sec> in seconds.
For instance, this is allowed instead of 3600:
passwordLockoutDuration: 1H
or this for 8640000:
passwordMaxAge: 100d
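
The conversion described in the comment above, as an added example; it is not the code from the attached patch or from 389 Directory Server. The function name `duration_to_secs`, the restriction to one number with at most one unit letter, and the choice to reject malformed or overflowing values rather than truncate them are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not the 389-ds function): convert "<n>", "<n>S", "<n>M",
 * "<n>H" or "<n>D" (unit case-insensitive) to seconds.
 * Returns 0 and stores the result in *secs, or -1 if the value is malformed
 * or would overflow, so a bad policy value is rejected instead of truncated. */
int duration_to_secs(const char *s, long *secs)
{
    char *end;
    long n, mult = 1;

    if (s == NULL || secs == NULL || !isdigit((unsigned char)s[0]))
        return -1;                 /* empty, signed or non-numeric input */
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno == ERANGE)
        return -1;
    switch (tolower((unsigned char)*end)) {
    case '\0': break;              /* bare number: seconds, as before the patch */
    case 's': mult = 1;     end++; break;
    case 'm': mult = 60;    end++; break;
    case 'h': mult = 3600;  end++; break;
    case 'd': mult = 86400; end++; break;
    default:  return -1;           /* unknown unit */
    }
    if (*end != '\0' || n > LONG_MAX / mult)
        return -1;                 /* trailing text or overflow */
    *secs = n * mult;
    return 0;
}

int main(void)
{
    /* Constructed sample values; the first two are the examples from the bug. */
    const char *samples[] = { "1H", "100d", "1800", "30m", "1w", "-5", "10 h", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v;
        if (duration_to_secs(samples[i], &v) == 0)
            printf("%-6s -> %ld seconds\n", samples[i], v);
        else
            printf("%-6s -> rejected\n", samples[i]);
    }
    return 0;
}
```

A lenient conversion such as `atoi("1H")` yields 1, which would turn a one-hour lockout into a one-second lockout; the strict end-of-string and unit checks are what prevent that kind of silent weakening.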

Thanks to Rich for reviewing the patch.

Pushed to master.

$ git merge 627993
Updating f1899ba..5727b88
Fast-forward
 ldap/servers/slapd/libglobs.c | 50 +++++++--------------
 ldap/servers/slapd/slapi-private.h | 6 +--
 ldap/servers/slapd/time.c | 85 +++++++++++++++++++++++++++++++++++-
 3 files changed, 102 insertions(+), 39 deletions(-)

$ git push
Counting objects: 15, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.77 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
 f1899ba..5727b88 master -> master

Note: search returns the duration values in seconds even if the value is in days in the config file. We should change the behavior once the Console is adjusted to the new representation.

# grep passwordMaxAge /etc/dirsrv/slapd-ID/dse.ldif
passwordMaxAge: 100D

ldapsearch ... -b "cn=config" -s base "(cn=*)" passwordMaxAge
dn: cn=config
passwordMaxAge: 8640000

That is really awesome, thanks for working on this. The solution is better than I had wished for.

One clarification:
* ldapsearch will still return values in seconds pending an update to the console, whereafter it will return values as they were set. E.g. 100d.

Best Regards

Thank you for your bug report! It gave us this chance to revisit the representation. Please continue sharing your thoughts with us.

Additional fix:
Commit made in 5727b8899700f574026bc9be5a1990c4c66619cf introduced a bug. The commit removed 2 functions format_genTime and parse_genTime from slapi-private.h. But they are used in plugins, which require them in the header file. This fix restores the function declarations.

$ git merge work
Updating 5727b88..68bc0a4
Fast-forward
 ldap/servers/slapd/slapi-private.h | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

$ git push
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 753 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
 5727b88..68bc0a4 master -> master

Related bug:
Bug 681015 - RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well
https://bugzilla.redhat.com/show_bug.cgi?id=681015

Password startup 100% (1/1)
password policy run 100% (305/305)

I have automated this in password policy suite of tet. Hence VERIFIED.