Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/48813 When an admin resets a password the current password is not stored in the password history. This incorrectly allows the user to reuse the previous password after the reset.
*** Bug 1332725 has been marked as a duplicate of this bug. ***
RHEL Version RHEL 7.3 x86_64 Server DS Version 389-ds-base-1.3.5.3-1.el7.x86_64 389-ds-base-libs-1.3.5.3-1.el7.x86_64 Steps performed to verify 1. Created a standalone DS instance 2. Configured a global password policy as follows [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 dn: cn=config changetype: modify replace: passwordChange passwordChange: on - replace: passwordHistory passwordHistory: on - replace: passwordInHistory passwordInHistory: 4 - replace: passwordStorageScheme passwordStorageScheme: CLEAR modifying entry "cn=config" 3. Verified that the attributes are properly set [root@dell-per630-fc-04 ~]# ldapsearch -xLLL -b 'cn=config' -h localhost -p 389 -D 'cn=Directory Manager' -w secret123 -s base passwordChange passwordHistory passwordInHistory passwordStorageScheme dn: cn=config passwordChange: on passwordHistory: on passwordInHistory: 4 passwordStorageScheme: CLEAR 4. Added a user entry as below [root@dell-per630-fc-04 ~]# ldapadd -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com objectClass: top objectClass: person objectClass: inetorgperson uid: tuser cn: test user sn: user userpassword: secret123 adding new entry "uid=tuser,ou=people,dc=example,dc=com" 5. Modified user's password as Directory Manager as below [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secretpw1 modifying entry "uid=tuser,ou=people,dc=example,dc=com" [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secretpw2 modifying entry "uid=tuser,ou=people,dc=example,dc=com" [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secretpw3 modifying entry "uid=tuser,ou=people,dc=example,dc=com" [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'cn=Directory Manager' -w secret123 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secretpw4 modifying entry "uid=tuser,ou=people,dc=example,dc=com" since the passwordInHistory attribute to a value of 4, I've changed the user's password 4 times 6. Tried binding to the server with old password to ensure that the password has been changed [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'uid=tuser,ou=people,dc=example,dc=com' -w secret123 -h localhost -p 389 ldap_bind: Invalid credentials (49) as can be seen above, the bind fails with an invalid credentials error, this proves that the password has been changed successfully 7. Tried using the passwords again all 4 password again [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'uid=tuser,ou=people,dc=example,dc=com' -w secretpw4 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secretpw1 modifying entry "uid=tuser,ou=people,dc=example,dc=com" ldap_modify: Constraint violation (19) additional info: password in history [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'uid=tuser,ou=people,dc=example,dc=com' -w secretpw4 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secretpw2 modifying entry "uid=tuser,ou=people,dc=example,dc=com" ldap_modify: Constraint violation (19) additional info: password in history [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'uid=tuser,ou=people,dc=example,dc=com' -w secretpw4 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secretpw3 modifying entry "uid=tuser,ou=people,dc=example,dc=com" ldap_modify: Constraint violation (19) additional info: password in history [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'uid=tuser,ou=people,dc=example,dc=com' -w secretpw4 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secretpw4 modifying entry "uid=tuser,ou=people,dc=example,dc=com" ldap_modify: Constraint violation (19) additional info: password in history as can be seen above, all 4 passwords are rejected as all of them are stored in history 8. Tried using a different password [root@dell-per630-fc-04 ~]# ldapmodify -x -D 'uid=tuser,ou=people,dc=example,dc=com' -w secretpw4 -h localhost -p 389 dn: uid=tuser,ou=people,dc=example,dc=com changetype: modify replace: userpassword userpassword: secret1234 modifying entry "uid=tuser,ou=people,dc=example,dc=com" as can be seen above, this password is accepted and saved since it is different
Would it be possible to backport this fix to RHEL6?
(In reply to Arpit Tolani from comment #4) > Would it be possible to backport this fix to RHEL6? I'm happy to tell you this bug fix is already in the next 6.8.z release. https://bugzilla.redhat.com/show_bug.cgi?id=1342614 Bug report changed to ON_QA status by Errata System. A QE request has been submitted for advisory RHBA-2016:23784-01 https://errata.devel.redhat.com/advisory/23784
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2594.html