Bug 834060
| Summary: | passwordMaxFailure should lockout password one sooner - and should be configurable to avoid regressions | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Nathan Kinder <nkinder> |
| Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED ERRATA | QA Contact: | Sankar Ramalingam <sramling> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.4 | CC: | jgalipea, jrusnack, mreynolds, pep, rgodinez |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.2.11.12-1.el6 | Doc Type: | Enhancement |
| Doc Text: |
Feature: password policy
Reason: To be consistent with other vendor's ldap servers
Result (if any): Added new config option to specfiy which behavior you want.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 08:19:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Nathan Kinder
2012-06-20 18:08:18 UTC
*** Bug 740527 has been marked as a duplicate of this bug. *** This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4. Steps to verify: 1) Enable password lockout: ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w password << EOF dn: cn=config changetype: modify replace: passwordLockout passwordLockout: on EOF 2) Set password max failure to 3: ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w password << EOF dn: cn=config changetype: modify replace: passwordMaxFailure passwordMaxFailure: 3 EOF 3) Set passwordLegacyPolicy to off: ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w password << EOF dn: cn=config changetype: modify replace: passwordLegacyPolicy passwordLegacyPolicy: off EOF 4) Add user: ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w password << EOF dn: $MYDN objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: test user0 sn: user0 givenName: test userPassword: password EOF 5) Try to bind 2 times with incorrect password and check that return code is 49: ldapsearch -h localhost -p 22222 -D "$MYDN" -w "invalidPassword" -b "$BASE" "uid=$MYUID" echo $? 49 $LDAPSEARCH -h $LDAPhost -p $LDAPport -D "$MYDN" -w "invalidPassword" -b "$BASE" "uid=$MYUID" echo $? 49 6) Try to bind third time with incorrect password: $LDAPSEARCH -h $LDAPhost -p $LDAPport -D "$MYDN" -w "invalidPassword" -b "$BASE" "uid=$MYUID" echo $? 19 [jrusnack@dstet 6.0]$ rpm -qa | grep 389 389-ds-base-1.2.11.15-2.el6.x86_64 Verified Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0503.html |