Bug 918701

Summary: Insufficient rights to unhashed#user#password when user deletes his password
Product: Red Hat Enterprise Linux 7
Reporter: Nathan Kinder <nkinder>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Sankar Ramalingam <sramling>
Severity: unspecified
Priority: high
Version: 7.0
CC: amsharma, jgalipea, nhosoi
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.1.2-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: The ACI code evaluated system pseudo attributes. Consequence: Deleting a user password failed under some condition. Fix: The ACI code properly skips evaluating system pseudo attributes. Result: Deleting a user password succeeds when it is allowed.
Last Closed: 2014-06-13 10:02:29 UTC

Description Nathan Kinder 2013-03-06 18:14:52 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/455

See also related https://fedorahosted.org/389/ticket/45.

Steps to reproduce:

1) Set local password policy entry:
dn: cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com",
   cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
...
passwordStorageScheme: CLEAR
passwordChange: on
...

2) Add new user to ou=People,dc=example,dc=com

ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager -a <<EOF
dn: uid=test_user1,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
uid: test_user1
cn: test1
sn: user1
userPassword: testpassword
EOF

3) Try to delete the user's password:

ldapmodify -h localhost -p 389 -D "uid=test_user1,ou=People,dc=example,dc=com" -w testpassword <<EOF
dn: uid=test_user0,ou=People,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: testpassword
EOF

Deleting password with password supplied for user uid=test_user0,ou=People,dc=example,dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'unhashed#user#password' attribute of entry 'uid=test_user0,ou=People,dc=example,dc=com'.



DS version: 389-ds-base-1.2.11.13-1.el6.x86_64

This is already covered by pwdmodify/pwdmodify-qa.sh bug834047_1
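
A check script for the outcome of step 3, added here as an example (it is not part of the report or of the pwdmodify-qa.sh suite mentioned above): it builds the same delete LDIF, runs ldapmodify with the flags used in the report, and classifies the output against the error string quoted above, so a QA or admin can tell a server still affected by this bug apart from an ordinary access denial. The function names and the LDAP_HOST/LDAP_PORT/LDAP_USER_DN/LDAP_USER_PW variables are assumptions made for this example.

```shell
#!/bin/sh
# Exact ACI error text quoted in the report above (the bug's signature).
ACI_MARKER="Insufficient 'write' privilege to the 'unhashed#user#password' attribute"

# Builds the LDIF from step 3: delete the caller's own userPassword value.
# $1 = user DN, $2 = the user's current password
build_delete_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# Maps ldapmodify output and exit status to a verdict:
#   fixed      - the delete succeeded (server has the fix, or never had the bug)
#   bug-918701 - the unhashed#user#password ACI error from this report
#   denied     - some other "Insufficient access" (real ACI/policy denial)
#   error      - anything else (connection failure, bad credentials, ...)
# $1 = captured stdout+stderr of ldapmodify, $2 = its exit status
classify_result() {
    out=$1; rc=$2
    if [ "$rc" -eq 0 ]; then
        echo fixed
    elif printf '%s\n' "$out" | grep -qF "$ACI_MARKER"; then
        echo bug-918701
    elif printf '%s\n' "$out" | grep -q 'Insufficient access'; then
        echo denied
    else
        echo error
    fi
}

# Live check: bind as the user and try to delete that user's own password,
# exactly as in step 3 of the reproduction. Prints the verdict.
# $1 = host, $2 = port, $3 = user DN, $4 = password
check_self_password_delete() {
    out=$(build_delete_ldif "$3" "$4" | ldapmodify -h "$1" -p "$2" -D "$3" -w "$4" 2>&1)
    classify_result "$out" "$?"
}

# Only contact a server when LDAP_HOST is set (assumed variable names).
if [ -n "${LDAP_HOST:-}" ]; then
    check_self_password_delete "$LDAP_HOST" "${LDAP_PORT:-389}" "$LDAP_USER_DN" "$LDAP_USER_PW"
fi
```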

Comment 1 Rich Megginson 2013-10-01 23:26:01 UTC
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.

Comment 4 Amita Sharma 2014-01-08 13:23:07 UTC
Automated pwdmodify/pwdmodify-qa.sh bug834047_1

Comment 5 Ludek Smid 2014-06-13 10:02:29 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.