Bug 1253406 - wrong password check if passwordInHistory is decreased.
wrong password check if passwordInHistory is decreased.
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
Petr Bokoc
Depends On:
  Show dependency treegraph
Reported: 2015-08-13 12:15 EDT by German Parente
Modified: 2016-05-10 15:20 EDT (History)
5 users (show)

See Also:
Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
When a password history is enabled and the number of the passwords to remember was decreased, the oldest password should be allowed to reuse. But there was a logic error and the password was still forbidden. The bug was fixed.
Story Points: ---
Clone Of:
Last Closed: 2016-05-10 15:20:38 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description German Parente 2015-08-13 12:15:00 EDT
Description of problem:

this bug is a clone of 1246389 to request backport to version.

Version-Release number of selected component (if applicable):

Let's have passwordInHistory = N and a user with its N passwords in history.
We decrease passwordInHistory to a value smaller than N.

If a user changes its password to the oldest value in its history (of N values), it's forbidden but it should be allowed. 

How reproducible: always

Steps to Reproduce:

 1) configure password history feature with, for instance:

passwordInHistory: 4
passwordHistory: on

2) add a new user

[root@rh6 ~]# ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
dn: uid=user50,ou=people,o=redhat
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: user50
cn: user50
sn: user50
userpassword: user50

3) change password 4 times.

4) verify passwordHistory has the four values:

    ldapsearch -xLLL -p 2389 -h localhost -D "cn=directory manager" -w secret12 -b "uid=user50,ou=people,o=redhat" passwordHistory

dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1
passwordHistory: 20150724075341Zuser50_2
passwordHistory: 20150724075352Zuser50_3

5) decrease passwordInHistory to 3.

ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
dn: cn=config
changetype: modify
replace: passwordInHistory
passwordInHistory: 3

6) change password using the original password:

ldapmodify -p 2389 -h localhost -D "uid=user50,ou=people,o=redhat" -w user50_4
dn: uid=user50,ou=people,o=redhat
changetype: modify
replace: userPassword
userPassword: user50

modifying entry "uid=user50,ou=people,o=redhat"
ldap_modify: Constraint violation (19)

    additional info: password in history

Actual results:

password replaced by a password which should not be in history is not allowed.

Expected results:

It should be allowed.

Additional info:

in function update_pw_history

    if ( i >= pwpolicy->pw_inhistory ) {

        /* replace the oldest password in history */

instead of just replacing the oldest value, we could keep the N newest values (N == passwordInHistory) and replace the oldest in this group. As the same time the new passwordHistory of user entry will keep the right numbers of values.

Workaround: trim the values as cn=directory manager
Comment 3 Simon Pichugin 2016-03-22 07:50:04 EDT
Build tested:

:: [  BEGIN   ] :: Running py.test :: actually running 'py.test -v  tickets/ticket48228_test.py'
========================== test session starts ==========================
platform linux2 -- Python 2.6.6, pytest-2.9.1, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python
cachedir: tickets/.cache
rootdir: /export/tests/tickets, inifile:
collected 3 items

tickets/ticket48228_test.py::test_ticket48228_test_global_policy PASSED
tickets/ticket48228_test.py::test_ticket48228_test_subtree_policy PASSED
tickets/ticket48228_test.py::test_ticket48228_final PASSED

========================== 3 passed in 43.68 seconds ==========================
:: [   PASS   ] :: Running py.test (Expected 0, got 0)

Marking as verified.
Comment 5 errata-xmlrpc 2016-05-10 15:20:38 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.