When using a global password policy for syntax checking, there are some default
settings that will be used (such as a minimum length of 8) if the config
attributes don't exist in cn=config. This doesn't seem to work with the
Here are some steps to reproduce the problem:
1. - Enable global syntax checking, setting the minLength to 6.
2. - Enable fine-grained password policies.
3. - Create a subtree-level policy on "ou=People", enabling syntax checking
with the default values (minLength will be displayed as 8 in Console).
4. - Attempt to change a password of a user outside of "ou=People" with a
password of 5 characters long. This should be rejected with an err=19.
5. - Try step 4 again, but with a password length of 6 characters. This
6. - Try step 4 again, but with a user inside of "ou=People". This should
fail with an err=19, but it will succeed!
To work around the problem, you can add the password syntax attributes to the
fine-grained policy entry explicitly. This can be done via the Console UI by
setting each of the syntax settings to a non-default value, saving it, then
setting them to what you want (even if you want the defaults) and saving again.
Once this is documented, we either need to move this bug to DS9.0 and FDS1.3.0 or close this and open a new bug. This falls under the category of "expose password policy to plug-ins"
Added a section to the admin guide and release notes:
I'm not certain I should have closed this bug; I think I should have reassigned it to engineering.
*** Bug 553736 has been marked as a duplicate of this bug. ***
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Note: doc bug 1333946
============================= test session starts =============================
platform linux2 -- Python 2.7.5, pytest-3.0.2, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python
DS build: 220.127.116.11 B2016.245.1935
rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: beakerlib-0.6, html-1.10.0, cov-2.3.1
collected 5 items
========================== 5 passed in 28.57 seconds ==========================
Marking as verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.