Red Hat Bugzilla – Bug 190862
[RFE] Default password syntax settings don't work with fine-grained policies
Last modified: 2016-05-06 14:30:26 EDT
When using a global password policy for syntax checking, there are some default
settings that will be used (such as a minimum length of 8) if the config
attributes don't exist in cn=config. This doesn't seem to work with the
Here are some steps to reproduce the problem:
1. - Enable global syntax checking, setting the minLength to 6.
2. - Enable fine-grained password policies.
3. - Create a subtree-level policy on "ou=People", enabling syntax checking
with the default values (minLength will be displayed as 8 in Console).
4. - Attempt to change a password of a user outside of "ou=People" with a
password of 5 characters long. This should be rejected with an err=19.
5. - Try step 4 again, but with a password length of 6 characters. This
6. - Try step 4 again, but with a user inside of "ou=People". This should
fail with an err=19, but it will succeed!
To work around the problem, you can add the password syntax attributes to the
fine-grained policy entry explicitly. This can be done via the Console UI by
setting each of the syntax settings to a non-default value, saving it, then
setting them to what you want (even if you want the defaults) and saving again.
Once this is documented, we either need to move this bug to DS9.0 and FDS1.3.0 or close this and open a new bug. This falls under the category of "expose password policy to plug-ins"
Added a section to the admin guide and release notes:
I'm not certain I should have closed this bug; I think I should have reassigned it to engineering.
*** Bug 553736 has been marked as a duplicate of this bug. ***
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see email@example.com with any questions
Note: doc bug 1333946