Bug 190862 - [RFE] Default password syntax settings don't work with fine-grained policies
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
All Linux
low Severity medium
: rc
: 7.3
Assigned To: Noriko Hosoi
Viktor Ashirov
: FutureFeature, Reopened
: 553736
Depends On:
Blocks: 1333946 389_1.3.0 512820 690319
Reported: 2006-05-05 15:27 EDT by Nathan Kinder
Modified: 2016-05-06 14:30 EDT
Fixed In Version: 389-ds-base-
Doc Type: Enhancement
: 1333946
Last Closed: 2009-05-01 18:33:28 EDT
Description Nathan Kinder 2006-05-05 15:27:21 EDT
When using a global password policy for syntax checking, there are some default
settings that will be used (such as a minimum length of 8) if the config
attributes don't exist in cn=config.  This doesn't seem to work with the
fine-grained policies.

Here are some steps to reproduce the problem:

 1. Enable global syntax checking, setting the minLength to 6.
 2. Enable fine-grained password policies.
 3. Create a subtree-level policy on "ou=People", enabling syntax checking
    with the default values (minLength will be displayed as 8 in Console).
 4. Attempt to change a password of a user outside of "ou=People" with a
    password 5 characters long.  This should be rejected with an err=19.
 5. Try step 4 again, but with a password length of 6 characters.  This
    should work.
 6. Try step 4 again, but with a user inside of "ou=People".  This should
    fail with an err=19, but it will succeed!

To work around the problem, you can add the password syntax attributes to the
fine-grained policy entry explicitly.  This can be done via the Console UI by
setting each of the syntax settings to a non-default value, saving it, then
setting them to what you want (even if you want the defaults) and saving again.
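
Added example (not part of the original report or of the 389-ds code base): a Python audit over an LDIF export that lists fine-grained policy entries with syntax checking enabled but without explicit syntax attributes, which are the entries the workaround above applies to. The attribute names are assumed from the 389-ds password policy schema, and the sample DNs and values are constructed.

```python
# Attribute names assumed from the 389-ds schema; the report names only minLength.
SYNTAX_ATTRS = ("passwordminlength", "passwordmindigits", "passwordmincategories")

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded lines joined."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:       # continuation of a folded line
            current[last][-1] += raw[1:]
        elif not raw.strip():                  # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not raw.startswith("#"):          # skip LDIF comments
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries

def implicit_default_policies(ldif_text):
    """Map DN -> syntax attributes left implicit in fine-grained policy entries."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        enabled = entry.get("passwordchecksyntax", ["off"])[0].lower() == "on"
        if dn.lower() == "cn=config" or "passwordpolicy" not in classes or not enabled:
            continue                           # global policy or syntax check off
        missing = [a for a in SYNTAX_ATTRS if a not in entry]
        if missing:
            findings[dn] = missing
    return findings

# Constructed sample export; DNs and values are placeholders.
SAMPLE_LDIF = """\
dn: cn=people-policy,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
objectClass: passwordpolicy
passwordCheckSyntax: on

dn: cn=staff-policy,cn=nsPwPolicyContainer,ou=Staff,dc=example,dc=com
objectClass: passwordpolicy
passwordCheckSyntax: on
passwordMinLength: 8
passwordMinDigits: 0
passwordMinCategories: 3
"""

if __name__ == "__main__":
    for dn, missing in implicit_default_policies(SAMPLE_LDIF).items():
        print(f"{dn}: set explicitly -> {', '.join(missing)}")
```
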
Comment 2 Rich Megginson 2009-04-09 12:54:20 EDT
Once this is documented, we either need to move this bug to DS9.0 and FDS1.3.0 or close this and open a new bug.  This falls under the category of "expose password policy to plug-ins"
Comment 4 Deon Ballard 2009-05-01 18:33:28 EDT
Comment 5 Deon Ballard 2010-04-15 11:18:19 EDT
I'm not certain I should have closed this bug; I think I should have reassigned it to engineering.

Comment 6 Rich Megginson 2010-09-27 11:31:46 EDT
*** Bug 553736 has been marked as a duplicate of this bug. ***
Comment 9 Martin Kosek 2012-01-04 08:48:51 EST
Upstream ticket:
Comment 12 Mike McCune 2016-03-28 19:11:51 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune@redhat.com with any questions.
Comment 14 Noriko Hosoi 2016-05-06 14:30:26 EDT
Note: doc bug 1333946
