RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1342585 - Wrong number passwords in passwordHistory
Summary: Wrong number passwords in passwordHistory
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-03 15:16 UTC by Simon Pichugin
Modified: 2020-09-13 21:53 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-21 20:16:04 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 2093 0 None None None 2020-09-13 21:53:17 UTC

Description Simon Pichugin 2016-06-03 15:16:24 UTC 
Description of problem:
If we decrease passwordInHistory attribute (for instance, from 4 to 3) while user entry already has some passwordHistory values (four), we will still have four values even after changing password one more time.

It applied for Directory Manager only. So he can break passwordInHistory rule, he even can change password to value that is not in passwordHistory.


Build tested:
389-ds-base-1.3.5.4-1.el7.x86_64


How reproducible:
Always


Steps to Reproduce:
1) configure password history feature with, for instance:
passwordInHistory: 4
passwordHistory: on

2) add a new user
ldapmodify -p 389 -h localhost -D "cn=directory manager" -w Secret123
dn: uid=user50,ou=people,o=redhat
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: user50
cn: user50
sn: user50
userpassword: user50

3) change password 4 times.

4) verify passwordHistory has the four values:
ldapsearch -xLLL -p 389 -h localhost -D "cn=directory manager" -w Secret123 -b "uid=user50,ou=people,o=redhat" passwordHistory
dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1
passwordHistory: 20150724075341Zuser50_2
passwordHistory: 20150724075352Zuser50_3

5) decrease passwordInHistory to 3.
ldapmodify -p 389 -h localhost -D "cn=directory manager" -w Secret123
dn: cn=config
changetype: modify
replace: passwordInHistory
passwordInHistory: 3

6) change password one more time to value that is not in passwordHistory:
ldapmodify -p 389 -h localhost -D "cn=directory manager" -w Secret123
dn: uid=user50,ou=people,o=redhat
changetype: modify
replace: userPassword
userPassword: anotherpass

7) verify passwordHistory has the three values

Actual results:
ldapsearch -xLLL -p 389 -h localhost -D "cn=directory manager" -w Secret123 -b "uid=user50,ou=people,o=redhat" passwordHistory
dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075352Zuser50_4
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1
passwordHistory: 20150724075341Zuser50_2

Expected results:
ldapsearch -xLLL -p 389 -h localhost -D "cn=directory manager" -w Secret123 -b "uid=user50,ou=people,o=redhat" passwordHistory
dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075352Zuser50_4
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1

Additional info:
Also, on the step 6, Directory Manager can change password that is in passwordHistory.

But changing passwords while binding as regular user works as expected.
Comment 2 Noriko Hosoi 2016-06-09 00:54:28 UTC 
More I investigate, less sure I am...  It is confusing, but it may be acceptable, as is?

For instance, if updated by a directory manager, even if the password in the history, you can keep setting the same password.  But considering it is done by a directory manager, it sounds ok to me.

See this passwordhistory.  (Please note that the passwordInHistory value has been changed from 4 to 3.)

$ ldapsearch [...] -D 'cn=directory manager' -W -b "uid=t0user1,ou=people,dc=example,dc=com" passwordhistory
dn: uid=t0user1,ou=People,dc=example,dc=com
passwordhistory: 20160609003748Zt0user1_5
passwordhistory: 20160609003805Zt0user1_5
passwordhistory: 20160609003812Zt0user1_5
passwordhistory: 20160609003820Zt0user1_5

Now, let the user change the password to one in the history.  Then it fails as expected.
# ldapmodify [...] -D "uid=t0user1,ou=people,dc=example,dc=com" -w t0user1_5 << EOF
dn: uid=t0user1,ou=People,dc=example,dc=com
changetype: modify
replace: userpassword
userpassword: t0user1_5
EOF

modifying entry "uid=t0user1,ou=People,dc=example,dc=com"
ldap_modify: Constraint violation (19)
	additional info: password in history

Check the history again.  It shows 3 previous passwords.
$ ldapsearch [...] -D 'cn=directory manager' -W -b "uid=t0user1,ou=people,dc=example,dc=com" passwordhistory
dn: uid=t0user1,ou=People,dc=example,dc=com
passwordhistory: 20160609003805Zt0user1_5
passwordhistory: 20160609003812Zt0user1_5
passwordhistory: 20160609003820Zt0user1_5

The important things are ...
1) the password set by a directory manager is now placed in the history which cannot be reused by the user him/herself.  (See [1])
2) the length of the history is applied to the user.

[1] Ticket 48813 - password history is not updated when an admin resets the password

I'm leaning toward to close this as WONTFIX...
Comment 3 Simon Pichugin 2016-06-09 08:42:50 UTC 
Hi Noriko,
I think I've got your point and I fully agree with it.
If we talking about Directory Manager ability to set any password (even those that is already in the PasswordHistory), then it sounds absolutely fair.

My main concern is another thing.
We have strange behavior at numbers of passwordInHistory regarding Directory Manager.

There is situation.
- For regular user:
  1. set passwordInHistory = 8
  2. change password 10 times
  3. user entry contain 8 values at PasswordHistory attribute
  4. set passwordInHistory = 5
  5. change password
  6. user entry contain 5 values at PasswordHistory attribute

- For Directory Manager:
  1. set passwordInHistory = 8
  2. change password 10 times
  3. user entry contain 8 values at PasswordHistory attribute
  4. set passwordInHistory = 5
  5. change password
  6. user entry contain 8 values at PasswordHistory attribute

  But:
  1. set passwordInHistory = 8
  2. change password 10 times
  3. user entry contain 8 values at PasswordHistory attribute
  4. set passwordInHistory = 15
  5. change password more times
  6. user entry contain 15 values at PasswordHistory attribute

In my opinion, passwordInHistory should be applied for everyone equally.
For now, Directory Manager uses the largest number of passwordInHistory values (previous or current).
Comment 4 Noriko Hosoi 2016-06-09 16:30:26 UTC 
Thank you for your input, Simon.

We discussed in the weekly meeting and decided to push to 7.4.

Let's continue the discussion! ;)
Comment 5 Simon Pichugin 2016-06-09 16:56:31 UTC 
Thank you, Noriko. :)

To sum up my position.
In my view, current situation wouldn't be so obvious for our customers.

For example, a few guys administrating a server.
First guy has come and set the passwordInHistory to 8.
Second has come and set it to 5.
So now we don't have any information that says that it is still equals 8 for Directory Manager.
And if some third admin would come and change password for some user one more time, he will see 8 passwordHistory at the entry, when passwordInHistory == 5 at config.
It, for sure, will confuse him and result an unnecessary mess.

As a way to resolve this, we can ether:
- document this situation like a feature;
- or make passwordInHistory to behave equally for everyone.
Comment 6 Noriko Hosoi 2016-11-04 18:38:47 UTC 
Upstream ticket:
https://fedorahosted.org/389/ticket/49034
Comment 7 Simon Pichugin 2016-11-04 18:55:03 UTC 
I've checked the steps ones again and the bug is still reproducible.

Build tested:
389-ds-base-1.3.6.1-20161104gitc984499.fc24.x86_64
Comment 8 mreynolds 2017-03-06 17:03:12 UTC 
I've opened a doc bug for this already:

https://bugzilla.redhat.com/show_bug.cgi?id=1427533
   
The server is working as expected, and does not require a change.  Can this be closed?
Comment 9 Noriko Hosoi 2017-03-06 17:08:07 UTC 
(In reply to mreynolds from comment #8)
> I've opened a doc bug for this already:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1427533
>    
> The server is working as expected, and does not require a change.  Can this
> be closed?

+1

Note: the upstream ticket 49034 is also already closed with Invalid.

Thanks, Mark!
Note You need to log in before you can comment on or make changes to this bug.