Bug 1775285 - RFE - Implement the Password Policy attribute "pwdReset".
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.0
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: mreynolds
QA Contact: RHDS QE
Marc Muehlfeld
Blocks: 1825061
Reported: 2019-11-21 16:44 UTC by Têko Mihinto
Modified: 2020-11-04 03:08 UTC (History)

Fixed In Version: 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766
Doc Type: Enhancement
Doc Text:
.Directory Server now supports the `pwdReset` operational attribute
This enhancement adds support for the `pwdReset` operational attribute to Directory Server. When an administrator changes the password of a user, Directory Server sets `pwdReset` in the user's entry to `true`. As a result, applications can use this attribute to identify whether a user's password has been reset by an administrator. Note that `pwdReset` is an operational attribute and, therefore, users cannot edit it.
Last Closed: 2020-11-04 03:07:24 UTC
Type: Bug
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | 389ds 389-ds-base issues 3965 | 0 | None | closed | RFE - Implement the Password Policy attribute "pwdReset". | 2021-01-27 11:51:54 UTC
Red Hat Knowledge Base (Solution) | 5250581 | 0 | None | None | None | 2020-07-27 16:20:01 UTC
Red Hat Product Errata | RHEA-2020:4695 | 0 | None | None | None | 2020-11-04 03:07:38 UTC

Description Têko Mihinto 2019-11-21 16:44:35 UTC
Description of problem:

Most of the LDAP vendors have implemented the pwdReset attribute.
Some customers are relying on this attribute to detect if a password must be changed by the user.

Version-Release number of selected component (if applicable):
RHDS 10.

How reproducible:
Always

Steps to Reproduce:
Requesting the attribute pwdReset returns no result.

Actual results:
pwdReset is not present in RHDS 10.
# grep -i pwdReset /usr/share/dirsrv/schema/*
#

Expected results:
Implement the attribute "pwdReset" from RFC draft-behera-ldap-password-policy

Additional info:
https://tools.ietf.org/html/draft-behera-ldap-password-policy-10

Comment 4 mreynolds 2019-11-21 17:27:50 UTC
FYI, there is a way to do this now by checking passwordExpirationtime for the EPOCH data (it's something like 19700000000001). This is how the server knows if a password was reset by an Admin.

Anyway, adding the new attribute should be easy to add to the current password policy, but I don't think we can add any more RFEs to RHEL 7, only in RHEL 8.
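
Added example (not part of the original bug report or of 389-ds-base): one way an application could flag administrator-reset accounts from LDIF search output, using both the `pwdReset` attribute described in the Doc Text and the `passwordExpirationTime` epoch check from Comment 4. The sample LDIF, the function names, and the rule that any expiration time in 1970 counts as the epoch marker are assumptions.

```python
import base64

# Constructed sample of LDIF search output (not taken from the bug report).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdReset:: VFJVRQ==

dn: uid=bob,ou=people,dc=example,dc=com
passwordexpirationtime: 19700101000000Z

dn: uid=carol,ou=people,dc=example,
 dc=com
pwdReset: FALSE
passwordExpirationTime: 20301231235959Z
"""

def parse_ldif(text):
    """Unfold continuation lines; return {lowercased attribute: [values]} dicts."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def reset_reason(entry):
    """Return which attribute marks the entry as admin-reset, or None."""
    if any(v.upper() == "TRUE" for v in entry.get("pwdreset", [])):
        return "pwdReset"
    # Assumption: any expiration time in 1970 is the epoch marker from Comment 4.
    if any(v.startswith("1970") for v in entry.get("passwordexpirationtime", [])):
        return "passwordExpirationTime"
    return None

def find_reset_accounts(ldif_text):
    """Map DN -> marker attribute for every entry flagged as reset."""
    reasons = ((e["dn"][0], reset_reason(e)) for e in parse_ldif(ldif_text))
    return {dn: why for dn, why in reasons if why}

if __name__ == "__main__":
    print(find_reset_accounts(SAMPLE_LDIF))
```

Both attributes are operational, so the search that produces the LDIF has to request them by name.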

Comment 5 François Cami 2019-11-25 12:30:28 UTC
Hi Têko, could you please confirm with the customer that they have no short-term interest in IDM? If that's the case, this bug can stay as RHDS only; otherwise we'll have to clone to IDM (if we need additional support for pwdReset in IPA itself).

Comment 6 Têko Mihinto 2019-11-25 13:22:35 UTC
Hi François,

I'm checking with the customer.
I'll update the bug as soon as he replies back.

Thanks,
Têko.

Comment 8 Amy Farley 2019-12-11 19:59:10 UTC
Moving this to RHEL 8 as it cannot be added to RHEL 7 due to lifecycle phase.

Comment 9 mreynolds 2020-02-25 20:41:43 UTC
Upstream ticket:
https://pagure.io/389-ds-base/issue/50912

Comment 10 mreynolds 2020-02-27 14:18:40 UTC
Fixed upstream

Comment 15 Akshay Adhikari 2020-06-08 13:27:34 UTC
There is a new bug filed around this RFE: https://bugzilla.redhat.com/show_bug.cgi?id=1845094

Comment 16 Akshay Adhikari 2020-06-08 13:29:15 UTC
============================================================================ test session starts ============================================================================
platform linux -- Python 3.6.8, pytest-5.4.3, py-1.8.1, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-211.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '5.4.3', 'py': '1.8.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.9.0', 'html': '2.1.1'}}
389-ds-base: 1.4.3.8-3.module+el8.3.0+6935+6f68b788
nss: 3.44.0-15.el8
nspr: 4.21.0-2.el8_0
openldap: 2.4.46-11.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /workspace/ds/dirsrvtests, inifile: pytest.ini
plugins: metadata-1.9.0, html-2.1.1
collected 1 item                                                                                                                                                            

dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py::test_pwd_reset PASSED                                                                                  [100%]

====================================================================== 1 passed, 2 warnings in 10.72s =======================================================================


Marking as VERIFIED.

Comment 20 errata-xmlrpc 2020-11-04 03:07:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695

