Bug 691446

Summary: Account policy plug-in affects the password policy attributes.
Product: [Fedora] Fedora Reporter: Sankar Ramalingam <sramling>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 14CC: edewata, nhosoi, nkinder, rmeggins
Target Milestone: ---Keywords: screened
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 697695 (view as bug list) Environment:
Last Closed: 2011-04-21 14:44:20 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 434915, 639035, 697695    

Description Sankar Ramalingam 2011-03-28 11:03:52 EDT
Description of problem: 

Password policy attributes like passwordmaxage fails to function when Account policy plug-in is configured.

Version-Release number of selected component (if applicable): 1.2.8

How reproducible: Consistently

Steps to Reproduce:
1. Set the Global password expiry "ON" and set PasswordMaxage to 30 secs.
2. Configure Global Account policy plug-in and set the AccountInactivityLimit  to 60 secs.
3. User password failed to expire after 30 secs. User is able to successfully login.
4. Wait till the AccountInactivityLimit is reached(60 secs) - Account successfully inactivated. 

Actual results: Account policy plug-in is suppressing the password policy attributes from working.

Expected results: Password policy and Account policy plug-in should work independently.

Additional Info: Password policy attributes work fine when Account policy is not configured.
Comment 4 Nathan Kinder 2011-04-21 14:44:20 EDT
I tried to reproduce this issue, and everything is working as designed.

I believe I know why it looked like it was not behaving correctly.  When using password expiration, the expiration time is reset first time a user does a bind after a password change.  The expiration time is updated by adding the passwordWarning period to the existing expiration time.  By default, this is 1 day.  This means that a password will not expire for 1 day and 30 seconds if you set a 30 second expiration period and you bind within 30 seconds of changing the password (unless you change the passwordWarning value).  I believe that this was happening, which made it look like the Account Policy plug-in was overriding the password policy.  The best way to do this test is to set passwordWarning to 0 in the password policy.  This will ensure that the password expires after 30 seconds as expected.

Closing as NOTABUG.