Bug 834047
| Summary: | Fine Grained Password policy: if passwordHistory is on, deleting the password fails. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Nathan Kinder <nkinder> |
| Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED ERRATA | QA Contact: | Sankar Ramalingam <sramling> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.4 | CC: | jgalipea, jrusnack, nhosoi |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.2.11.12-1.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: Internal access control prohibited deleting newly added/modified passwords.
Consequence: Falied to delete newly added/modified passwords.
Fix: Allow the password deletion if the operation has the modify right.
Result: Deleting newly added/modified passwords is successful.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 08:18:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Nathan Kinder
2012-06-20 17:51:32 UTC
Steps to verify: Acceptance Password (pwdpolicy/pwpolicy): trac45 This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4. IP=192.168.122.185 PORT=22222 ROOT="dc=example,dc=com" TESTPEOPLE_DN="ou=people,$ROOT" 1) Add user [jrusnack@dstet dstet]$ ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF dn: uid=test_user0,$TESTPEOPLE_DN objectClass: top objectClass: person objectClass: inetorgperson objectClass: organizationalPerson uid: test_user0 cn: test0 sn: user0 userPassword: password EOF adding new entry "uid=test_user0,ou=people,dc=example,dc=com" 2) Add local password policy [jrusnack@dstet dstet]$ /usr/lib64/dirsrv/slapd-dstet/ns-newpwpolicy.pl -D "cn=directory manager" -w Secret123 -p $PORT -h $IP -S "$TESTPEOPLE_DN" adding new entry "cn=nsPwPolicyContainer,ou=people,dc=example,dc=com" adding new entry "cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com" adding new entry "cn=cn\=nsPwTemplateEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com" adding new entry "cn=nsPwPolicy_cos,ou=people,dc=example,dc=com" modifying entry "cn=config" 3) Set passwordHistory [jrusnack@dstet dstet]$ ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF dn: cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com changetype: modify replace: passwordHistory passwordhistory: on - replace: passwordInHistory passwordInHistory: 6 - replace: passwordChange passwordChange: on EOF modifying entry "cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com" 4) Restart /usr/lib64/dirsrv/slapd-dstet/restart-slapd 5) Verify [jrusnack@dstet dstet]$ ldapmodify -x -h $IP -p $PORT -D "uid=test_user0,$TESTPEOPLE_DN" -w password -v <<EOF dn: uid=test_user0,$TESTPEOPLE_DN changetype: modify delete: userPassword userPassword: password EOF ldap_initialize( ldap://192.168.122.185:22222 ) delete userPassword: password modifying entry "uid=test_user0,ou=people,dc=example,dc=com" ldap_modify: Insufficient access (50) additional info: Insufficient 'write' privilege to the 'unhashed#user#password' attribute of entry 'uid=test_user0,ou=people,dc=example,dc=com'. Version: [jrusnack@dstet dstet]$ rpm -qa | grep 389 389-ds-base-libs-1.2.11.15-3.el6.x86_64 389-ds-base-1.2.11.15-3.el6.x86_64 Additional info: see trac ticket #455 https://fedorahosted.org/389/ticket/455 The Milestone of the ticket #455 is 1.3.0.rc1. So, the fix is not included in 1.2.11. ticket #455 https://fedorahosted.org/389/ticket/455 Milestone: 1.3.0.rc1 They are related, but #45 and #455 are different 2 bugs... Putting this back into ON_QA state. The original issue was fixed as a part of ticket #45, and ticket #455 is being dealt with in a later release of RHEL. 520|0 136 19111 1 1|trac45: resetting the test env 520|0 136 19111 1 2|trac45: add a test user uid=tuser0,ou=people,dc=example,dc=com 520|0 136 19111 1 3|trac45: add a fine grained password policy for the user 520|0 136 19111 1 4|trac45: set password history on 520|0 136 19111 1 5|trac45: delete userpassword 520|0 136 19111 1 6|trac45: add the same userpassword 520|0 136 19111 1 7|trac45: replace userpassword with the same one again 520|0 136 19111 1 8|trac45: set password history off 520|0 136 19111 1 9|trac45: removing the test user 520|0 136 19111 1 10|TestCase [trac45] result-> [PASS] 220|0 136 0 05:44:13|PASS DS version: 389-ds-base-1.2.11.15-4.el6.x86_64 VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0503.html |