1535515 – local password policies should use the same defaults as the global policy

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1535515 - local password policies should use the same defaults as the global policy

Summary: local password policies should use the same defaults as the global policy

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	mreynolds
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-17 14:43 UTC by mreynolds
Modified:	2020-09-13 22:02 UTC (History)
CC List:	4 users (show)
Fixed In Version:	389-ds-base-1.3.7.5-15
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 14:23:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 2429	0	None	None	None	2020-09-13 22:02:19 UTC
Red Hat Product Errata	RHBA-2018:0811	0	None	None	None	2018-04-10 14:24:44 UTC

Description mreynolds 2018-01-17 14:43:17 UTC

This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49370

#### Issue Description

When we create a local password policy we do not use any defaults like what we do with the global policy.  They should be consistent.

Comment 2 mreynolds 2018-01-17 14:49:33 UTC

The "on/off" defaults were not applied to local policies.

Comment 10 Akshay Adhikari 2018-02-15 11:33:28 UTC

============================================================================ test session starts ============================================================================
platform linux2 -- Python 2.7.5, pytest-3.4.0, py-1.5.2, pluggy-0.6.0 -- /usr/bin/python
cachedir: .pytest_cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-845.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'py': '1.5.2', 'pytest': '3.4.0', 'pluggy': '0.6.0'}, 'Plugins': {'html': '1.16.1', 'metadata': '1.5.1'}}
389-ds-base: 1.3.7.5-18.el7
nss: 3.34.0-4.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-13.el7
svrcore: 4.1.3-2.el7
 
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.5.1, html-1.16.1
collected 35 items                                                                                                                                                          
 
regression_test.py::test_pwp_local_unlock OK group dirsrv exists
OK user dirsrv exists
INFO:lib389.topologies:Instance with parameters {'server-id': 'standalone1', 'ldap-port': 38901, 'ldap-secureport': 63601, 'suffix': 'dc=example,dc=com'} was created.
INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to on
INFO:dirsrvtests.tests.suites.password.regression_test:Configure subtree password policy for ou=people,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Adding user-uid=UIDpwtest1,ou=people,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Verify user can bind...
INFO:dirsrvtests.tests.suites.password.regression_test:Test passwordUnlock default - user should be able to reset password after lockout
INFO:dirsrvtests.tests.suites.password.regression_test:Verify account is locked
INFO:dirsrvtests.tests.suites.password.regression_test:Wait for lockout duration...
INFO:dirsrvtests.tests.suites.password.regression_test:Check if user can now bind with correct password
PASSED
regression_test.py::test_trivial_passw_check[UIDpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with UIDpwtest1
PASSED
regression_test.py::test_trivial_passw_check[MAILpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with MAILpwtest1
PASSED
regression_test.py::test_trivial_passw_check[GNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with GNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[SNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with SNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1ZZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZZZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZCNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[ZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1Z] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1Z
PASSED
regression_test.py::test_trivial_passw_check[ZCNpwtest1Z] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1Z
PASSED
regression_test.py::test_trivial_passw_check[ZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1ZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZCNpwtest1ZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1ZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1
PASSED
regression_test.py::test_trivial_passw_check[CNpwtest1ZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZZCNpwtest1ZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1ZZZ
PASSED
regression_test.py::test_trivial_passw_check[ZZZZZZCNpwtest1ZZZZZZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZZCNpwtest1ZZZZZZZZ
PASSED
regression_test.py::test_global_vs_local[UIDpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with UIDpwtest1
PASSED
regression_test.py::test_global_vs_local[MAILpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with MAILpwtest1
PASSED
regression_test.py::test_global_vs_local[GNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with GNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1
PASSED
regression_test.py::test_global_vs_local[SNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with SNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1ZZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZZ
PASSED
regression_test.py::test_global_vs_local[ZZZZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZCNpwtest1
PASSED
regression_test.py::test_global_vs_local[ZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1Z] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1Z
PASSED
regression_test.py::test_global_vs_local[ZCNpwtest1Z] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZCNpwtest1Z
PASSED
regression_test.py::test_global_vs_local[ZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1ZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZ
PASSED
regression_test.py::test_global_vs_local[ZZCNpwtest1ZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZCNpwtest1ZZ
PASSED
regression_test.py::test_global_vs_local[ZZZCNpwtest1] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1
PASSED
regression_test.py::test_global_vs_local[CNpwtest1ZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with CNpwtest1ZZZ
PASSED
regression_test.py::test_global_vs_local[ZZZCNpwtest1ZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZCNpwtest1ZZZ
PASSED
regression_test.py::test_global_vs_local[ZZZZZZCNpwtest1ZZZZZZZZ] INFO:dirsrvtests.tests.suites.password.regression_test:Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to off
INFO:dirsrvtests.tests.suites.password.regression_test:Replace userPassword attribute with ZZZZZZCNpwtest1ZZZZZZZZ
PASSEDINFO:dirsrvtests.tests.suites.password.regression_test:Deleting user-uid=UIDpwtest1,ou=People,dc=example,dc=com
INFO:dirsrvtests.tests.suites.password.regression_test:Reset pwpolicy configuration settings
Instance slapd-standalone1 removed.
 
 
======================================================================== 35 passed in 19.68 seconds =========================================================================

Comment 13 errata-xmlrpc 2018-04-10 14:23:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811

Note You need to log in before you can comment on or make changes to this bug.