Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1639192

Summary: Request to add passwordSendExpiringTime in password policy objectclass
Product: Red Hat Enterprise Linux 7 Reporter: German Parente <gparente>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified Docs Contact:
Priority: high    
Version: 7.5CC: aadhikar, cpelland, lkrispen, nkinder, rmeggins, spichugi, tbordaz, vashirov
Target Milestone: rc   
Target Release: 7.7   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.9.1-6.el7 Doc Type: Bug Fix
Doc Text:
Cause: A new password policy setting was not added to the schema. Consequence: It is not possible to set that new password policy setting. Fix: Add the new attribute to the existing passwordPolicy objectclass in the server's schema. Result: Password policy is fully functional.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 12:58:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description German Parente 2018-10-15 09:18:02 UTC 
Description of problem:

it seems this has been already commit'd upstream here:

https://pagure.io/389-ds-base/pull-request/49876#request_diff

If we want to create a subtree password policy, as passwordSendExpiringTime is not in the objectclass, we cannot set it.

The diff shows it has been commit upstream but not yet in RHEL7:

- objectClasses: ( 2.16.840.1.113730.3.2.13 NAME 'passwordPolicy' DESC 'Netscape defined password policy objectclass' SUP top MAY ( passwordMaxAge $ passwordExp $ passwordMinLength $ passwordKeepHistory $ passwordInHistory $ passwordChange $ passwordWarning $ passwordLockout $ passwordMaxFailure $ passwordResetDuration $ passwordUnlock $ passwordLockoutDuration $ passwordCheckSyntax $ passwordMustChange $ passwordStorageScheme $ passwordMinAge $ passwordResetFailureCount $ passwordGraceLimit $ passwordMinDigits $ passwordMinAlphas $ passwordMinUppers $ passwordMinLowers $ passwordMinSpecials $ passwordMin8bit $ passwordMaxRepeats $ passwordMinCategories $ passwordMinTokenLength $ passwordTrackUpdateTime $ passwordAdminDN ) X-ORIGIN 'Netscape Directory Server' )

	

+ objectClasses: ( 2.16.840.1.113730.3.2.13 NAME 'passwordPolicy' DESC 'Netscape defined password policy objectclass' SUP top MAY ( passwordMaxAge $ passwordExp $ passwordMinLength $ passwordKeepHistory $ passwordInHistory $ passwordChange $ passwordWarning $ passwordLockout $ passwordMaxFailure $ passwordResetDuration $ passwordUnlock $ passwordLockoutDuration $ passwordCheckSyntax $ passwordMustChange $ passwordStorageScheme $ passwordMinAge $ passwordResetFailureCount $ passwordGraceLimit $ passwordMinDigits $ passwordMinAlphas $ passwordMinUppers $ passwordMinLowers $ passwordMinSpecials $ passwordMin8bit $ passwordMaxRepeats $ passwordMinCategories $ passwordMinTokenLength $ passwordTrackUpdateTime $ passwordAdminDN $ passwordDictCheck $ passwordDictPath $ passwordPalindrome $ passwordMaxSequence $ passwordMaxClassChars $ passwordMaxSeqSets $ passwordBadWords $ passwordUserAttributes $ passwordSendExpiringTime ) X-ORIGIN 'Netscape Directory Server' )

Version-Release number of selected component (if applicable): rhel-7.5
Comment 3 Akshay Adhikari 2019-05-08 11:14:45 UTC 
The fix is not backported. Changes could not be seen in /usr/share/dirsrv/schema/02common.ldif file. Also, there isn't any comment on the upstream ticket regarding it, hence marking it as FAILED_QA.
Comment 4 mreynolds 2019-05-10 14:43:59 UTC 
PR 49876 was for a UI update for RHEL 8.  I need to do something different here, but it's not a problem.  Working on it....
Comment 5 Akshay Adhikari 2019-05-15 10:46:46 UTC 
Build Tested: 389-ds-base-1.3.9.1-6.el7.x86_64

Steps:

1) Create a subtree password policy by running the ns-newpwpolicy.pl script.

ns-newpwpolicy.pl -Z web9 -D 'cn=directory manager' -w password -P LDAP -S 'ou=people,dc=example,dc=com'

2) Set passwordSendExpiringTime on a subtree password policy if the policy is created by nw-newpwpolicy.pl.

ldapmodify -x -p 389 -h `hostname` -D "cn=Directory Manager" -w password << EOF
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: modify
replace: passwordSendExpiringTime
passwordSendExpiringTime: on
EOF
modifying entry "cn=cn\3DnsPwPolicyEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

Marking it as VERIFIED.
Comment 7 errata-xmlrpc 2019-08-06 12:58:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2152