Bug 681015
Summary: | RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well | |
---|---|---|---
Product: | [Retired] 389 | Reporter: | Noriko Hosoi <nhosoi>
Component: | Security - Password Policy | Assignee: | Noriko Hosoi <nhosoi>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov>
Severity: | unspecified | Docs Contact: |
Priority: | medium | |
Version: | 1.2.8 | CC: | amsharma, rmeggins
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | |
: | 681611 689889 | Environment: |
Last Closed: | 2015-12-07 17:11:47 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 639035, 656390, 681611, 689889 | |
Attachments: | | |

Description
Noriko Hosoi
2011-02-28 19:46:02 UTC
Created attachment 481460 [details]
git patch file (master)
Description: Adding an ability to handle ##D|d, ##H|h, ##M|m, ##S|s
format to the fine grained password policy duration attributes.
Note: when adding or modifying password policy duration attributes, there is no way to verify the value. If the value is invalid, it's found when the password is evaluated. Without the attached patch, the password evaluation just fails without any error. This patch logs the cause in the error log.
E.g.,
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
changetype: modify
replace: passwordMaxAge
passwordMaxAge: xyz
$ echo $?
0
$ ldapsearch -D 'uid=tuser0,ou=People,dc=example,dc=com' -w tuser0 -b "dc=example,dc=com" "(cn=*)"
ldapsearch: Password has expired.
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: password expired!
Error log (once the patch is applied):
[28/Feb/2011:14:15:08 -0800] - Password Policy Entrycn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com: Invalid passwordMaxAge: xyz
Created attachment 481753 [details]
git patch file (master)
Description: Adding an ability to handle ##D|d, ##H|h, ##M|m, ##S|s
format to the fine grained password policy duration attributes:
passwordMinAge, passwordMaxAge, passwordWarning,
passwordLockoutDuration
Valid values for these duration parameters are
. duration in seconds with no extension
. duration in days, hours, minutes, and seconds with extension
D|d, H|h, M|m, and S|s, respectively.
The value should be less than MAX_ALLOWED_TIME_IN_SECS - current_time.
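
The duration format described above, sketched as an added example (not code from the attached patch or from 389 Directory Server): `parse_duration_secs` is a hypothetical helper, and `max_allowed` is an assumed stand-in for MAX_ALLOWED_TIME_IN_SECS, whose value the page does not give. It rejects values such as `xyz` at parse time instead of leaving them to fail when the password is evaluated.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical helper (not the 389-ds function): parse "<digits>[D|d|H|h|M|m|S|s]"
 * into seconds. max_allowed stands in for MAX_ALLOWED_TIME_IN_SECS, whose value
 * the page does not give. Returns 0 and sets *out, or -1 if the value is invalid. */
int parse_duration_secs(const char *s, time_t now, long long max_allowed,
                        long long *out)
{
    char *end;
    long long n, mult = 1, limit;

    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;                      /* rejects "", "xyz", "-5", " 5" */
    errno = 0;
    n = strtoll(s, &end, 10);
    if (errno == ERANGE)
        return -1;                      /* digits do not fit in long long */
    switch (*end) {
    case '\0':                               break;  /* no extension: seconds */
    case 'S': case 's':               end++; break;
    case 'M': case 'm': mult = 60;    end++; break;
    case 'H': case 'h': mult = 3600;  end++; break;
    case 'D': case 'd': mult = 86400; end++; break;
    default:
        return -1;                      /* unknown extension, e.g. "5w" */
    }
    if (*end != '\0')
        return -1;                      /* trailing text, e.g. "2h30m" */
    if (now < 0 || (long long)now > max_allowed)
        return -1;
    limit = max_allowed - (long long)now;
    /* Must be strictly less than limit; divide first so n * mult cannot overflow. */
    if (n > limit / mult || n * mult >= limit)
        return -1;
    *out = n * mult;
    return 0;
}

int main(void)
{
    /* Constructed sample values; the ceiling is an assumed stand-in. */
    const char *samples[] = { "60", "1m", "2h", "1d", "xyz", "2h30m" };
    long long secs;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_duration_secs(samples[i], time(NULL), 2147483647LL, &secs) == 0)
            printf("%-6s -> %lld seconds\n", samples[i], secs);
        else
            printf("%-6s -> invalid\n", samples[i]);
    }
    return 0;
}
```
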
Comment on attachment 481753 [details]
git patch file (master)

https://bugzilla.redhat.com/attachment.cgi?id=481753&action=diff#a/ldap/servers/slapd/modify.c_sec1
this probably won't compile due to the extra comma at the end of the list

Other than that, looks good.

Thanks for finding it out, Rich! Amazingly, this compiler let me compile it!
gcc (GCC) 4.4.5 20101112 (Red Hat 4.4.5-2)
But obviously, the comma should not be there. I removed the comma.

Pushed to master
commit 53839a8b27e92fd04f36401a95b54a2bc1168b88
as well as to 389-ds-base-1.2.8:
commit 3e70b878da60d21c07176108cb96648546176646

passwordLockoutDuration attribute is not working with the fine grain password policy. So, I am moving the bug to ASSIGNED state.

It's not behaving as expected, if passwordLockoutDuration is set to "1m, 1M, 1d and 2h". This works fine when I set this value in seconds without prefixing it, like (60, 120 and 30).

Created attachment 486705 [details]
git patch file (master)
Thanks to Amita for finding out this bug..
Description: passwordLockoutDuration attribute is not working
with the fine grain password policy. The code to parse the
value of passwordLockoutDuration was missing. This patch
adds it.
With this fix, your test case passes 100%.
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge 681015
Updating 9d5d73c..6ada149
Fast-forward
ldap/servers/slapd/pw.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

$ git push
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 736 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
9d5d73c..6ada149 master -> master

commit 6ada149c42dbcce727662927129ae55832def5a0
Author: Noriko Hosoi <nhosoi>
Date: Mon Mar 21 16:44:16 2011 -0700
Bug 681015 - RFE: allow fine grained password policy duration attributes ...

Cherry picked commit 6ada149c42dbcce727662927129ae55832def5a0 and pushed to 389-ds-base-1.2.8, as well.

$ git cherry-pick 6ada149c42dbcce727662927129ae55832def5a0
Finished one cherry-pick.
[ds128-local df7c57c] Bug 681015 - RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well
1 files changed, 1 insertions(+), 1 deletions(-)

$ git push origin ds128-local:389-ds-base-1.2.8
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 731 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
2ba240b..df7c57c ds128-local -> 389-ds-base-1.2.8

Password startup 100% (1/1)
password policy run 100% (305/305)

I have automated this in password policy suite of tet. Hence VERIFIED.