Bug 802786

Summary: FreeIPA WebUI displays "Insufficient access: invalid credentials" when a password doesn't meet policy requirements
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: jgalipea, mkosek, nsoman
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-8.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:20:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dmitri Pal 2012-03-13 14:09:56 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2315

FreeIPA WebUI displays "Insufficient access: invalid credentials" when a password doesn't meet policy requirements...

This is an issue post migration to FreeIPA as many users would like to be able to reset their passwords, and they believe the error is actually due to their permissions when in fact it is not.

Could this webui fix be back ported to 2.1.x?
Comment 1 Rob Crittenden 2012-03-13 18:54:04 UTC 
Yes, the password change part from 2315 is relatively short (the patch includes other unrelated changes).

This also requires the patch from ticket https://fedorahosted.org/freeipa/ticket/2067 which includes the correct reason for rejecting a password change. This one will require a bit of work as the password plugin changed quite between 2.1 and 2.2.
Comment 2 Jenny Severance 2012-03-20 19:17:23 UTC 
Please add steps to reproduce this issue. Thanks
Comment 3 Rob Crittenden 2012-03-20 21:13:21 UTC 
Update the password policy to set things like min length, number of character sets, etc.

In the UI log in as a user and change your own password to something that doesn't meet this criteria. You should get a reasonable error message back.
Comment 4 Martin Kosek 2012-03-30 06:59:10 UTC 
Fixed upstream:

master: b73fc6e550fed9a1b6d83a03fa16f43b361ec8aa
ipa-2-2: afa1ab99cdb4313266aa8791fe8c543694a64790
Comment 11 Martin Kosek 2012-04-30 12:43:33 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 12 Namita Soman 2012-05-03 13:44:01 UTC 
Verified using ipa-server-2.2.0-12.el6.x86_64

The user tried to reset their password to a 2 char password, and got error:
Constraint violation: Password is too short
Comment 14 errata-xmlrpc 2012-06-20 13:20:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html