Red Hat Bugzilla – Bug 190862
[RFE] Default password syntax settings don't work with fine-grained policies
Last modified: 2016-11-03 16:33:41 EDT
When using a global password policy for syntax checking, there are some default settings that will be used (such as a minimum length of 8) if the config attributes don't exist in cn=config. This doesn't seem to work with the fine-grained policies. Here are some steps to reproduce the problem: 1. - Enable global syntax checking, setting the minLength to 6. 2. - Enable fine-grained password policies. 3. - Create a subtree-level policy on "ou=People", enabling syntax checking with the default values (minLength will be displayed as 8 in Console). 4. - Attempt to change a password of a user outside of "ou=People" with a password of 5 characters long. This should be rejected with an err=19. 5. - Try step 4 again, but with a password length of 6 characters. This should work. 6. - Try step 4 again, but with a user inside of "ou=People". This should fail with an err=19, but it will succeed! To work around the problem, you can add the password syntax attributes to the fine-grained policy entry explicitly. This can be done via the Console UI by setting each of the syntax settings to a non-default value, saving it, then setting them to what you want (even if you want the defaults) and saving again.
Once this is documented, we either need to move this bug to DS9.0 and FDS1.3.0 or close this and open a new bug. This falls under the category of "expose password policy to plug-ins"
Added a section to the admin guide and release notes: * http://www.redhat.com/docs/manuals/dir-server/8.1/admin/User_Account_Management.html#manually-setting-defaults * http://www.redhat.com/docs/manuals/dir-server/8.1/rel-notes/Release_Notes-Bugs_Addressed-Known_Issues.html
Closing.
I'm not certain I should have closed this bug; I think I should have reassigned it to engineering. Reopening.
*** Bug 553736 has been marked as a duplicate of this bug. ***
Upstream ticket: https://fedorahosted.org/389/ticket/142
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Note: doc bug 1333946
============================= test session starts ============================= platform linux2 -- Python 2.7.5, pytest-3.0.2, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python cachedir: .cache DS build: 1.3.5.10 B2016.245.1935 389-ds-base: 1.3.5.10-10.el7 nss: 3.21.0-17.el7 nspr: 4.11.0-1.el7_2 openldap: 2.4.40-13.el7 svrcore: 4.1.2-1.el7 rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile: plugins: beakerlib-0.6, html-1.10.0, cov-2.3.1 collected 5 items dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-off] PASSED dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[on-off] PASSED dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_no_restrictions[off-on] PASSED dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_restrictions[cn=config] PASSED dirsrvtests/tests/suites/password/pwdPolicy_inherit_global_test.py::test_entry_has_restrictions[cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com",cn=nsPwPolicyContainer,ou=People,dc=example,dc=com] PASSED ========================== 5 passed in 28.57 seconds ========================== Marking as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2594.html