| Summary: | Overlay ppolicy MinAge and MaxAge options don't work | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Spurek <dspurek> | ||||||
| Component: | openldap | Assignee: | Jan Vcelak <jvcelak> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 6.2 | CC: | dspurek, ebenes, jplans, jvcelak, omoris, tsmetana | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2011-09-29 08:38:00 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Attachments: |
|
||||||||
Created attachment 525133 [details]
data.ldif
I'm unable to reproduce on openldap-servers-2.4.23-19.el6 (the same version).
The configuration is unaltered (except for olcRootPW). I created reproducer.sh to run all the commands. Multiple runs, always the same result:
# ./reproduce.sh
+ DN=dc=my-domain,dc=com
+ echo == PREP ==
== PREP ==
+ ldapmodify -D cn=Manager,dc=my-domain,dc=com -w password -x
modifying entry "uid=ldap1,ou=People,dc=my-domain,dc=com"
+ echo 0
0
+ sleep 6
+ echo '== MIN AGE =='
== MIN AGE ==
+ ldapmodify -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 123456 -x
modifying entry "uid=ldap1,ou=People,dc=my-domain,dc=com"
+ echo 0
0
+ ldapmodify -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 12345678 -x
modifying entry "uid=ldap1,ou=People,dc=my-domain,dc=com"
ldap_modify: Constraint violation (19)
additional info: Password is too young to change
+ echo 19
19
+ sleep 6
+ ldapmodify -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 12345678 -x
modifying entry "uid=ldap1,ou=People,dc=my-domain,dc=com"
+ echo 0
0
+ echo '== MAX AGE =='
== MAX AGE ==
+ sleep 6
+ ldapsearch -b dc=my-domain,dc=com -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 1234567 -x
+ echo 0
0
+ sleep 6
+ ldapsearch -b dc=my-domain,dc=com -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 1234567 -x
+ echo 0
0
+ sleep 6
+ ldapsearch -b dc=my-domain,dc=com -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 1234567 -x
+ echo 0
0
+ sleep 6
+ ldapsearch -b dc=my-domain,dc=com -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 1234567 -x
ldap_bind: Invalid credentials (49)
+ echo 49
49
Please, can you recheck?
I recheck this. I am sorry to you, but it isn't problem with openldap. The problem is with beaker, sometimes happened one or two seconds delay between run the commands, then this time addict test fails. |
Created attachment 525132 [details] Slapd configuration file for slaptest Description of problem: I think it is a regression, because the test cases works fine on RHEL 6.1. Version-Release number of selected component (if applicable): openldap-servers-2.4.23-19.el6 How reproducible: always Steps to Reproduce: 1.slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ (slapd.conf is in attachement) 2.slapadd -l data.ldif (data.ldif is in attachement) 3.Test MinAge: - Change the password. echo "dn: uid=ldap1,ou=People,$DN" > mod.ldif echo "changetype: modify" >> mod.ldif echo "replace: userPassword" >> mod.ldif echo "userPassword: 12345678" >> mod.ldif rlRun "ldapmodify -D uid=ldap1,ou=People,$DN -w 123456 -x -f mod.ldif" 0 rm -f mod.ldif - MinAge should apply. echo "dn: uid=ldap1,ou=People,$DN" > mod.ldif echo "changetype: modify" >> mod.ldif echo "replace: userPassword" >> mod.ldif echo "userPassword: 1234567" >> mod.ldif rlRun "ldapmodify -D uid=ldap1,ou=People,$DN -w 12345678 -x -f mod.ldif" 19 rm -f mod.ldif - MinAge should not apply. sleep 6 echo "dn: uid=ldap1,ou=People,$DN" > mod.ldif echo "changetype: modify" >> mod.ldif echo "replace: userPassword" >> mod.ldif echo "userPassword: 1234567" >> mod.ldif rlRun "ldapmodify -D uid=ldap1,ou=People,$DN -w 12345678 -x -f mod.ldif" 0 rm -f mod.ldif 4. Test MaxAge: # Password should be still valid. sleep 6 rlRun "ldapsearch -b $DN -D uid=ldap1,ou=People,$DN -w 1234567 -x" 0 # Password should be expired, but graceLimit allows 1. sleep 6 rlRun "ldapsearch -b $DN -D uid=ldap1,ou=People,$DN -w 1234567 -x" 0 # Password should be expired, but graceLimit allows 2. sleep 6 rlRun "ldapsearch -b $DN -D uid=ldap1,ou=People,$DN -w 1234567 -x" 0 # Password should be expired and gracelimit expired 3. sleep 6 rlRun "ldapsearch -b $DN -D uid=ldap1,ou=People,$DN -w 1234567 -x" 49 Actual results: FAIL in test cases MinAge should apply, MinAge should not apply and Password should be expired, but graceLimit allows 2. Expected results: Failing three test cases works fine (as on RHEL 6.1)