Description of problem: Currently there is no way to easily debug password policy issues. Trying to figure out which local policy rejected the password, or what syntax was actually violated is not possible. We should: 1. Improve the client message to be more precise (which also ends up in the access log) 2. Add a new error log level for password policy debugging. - Report on things like: - Which local policy is rejecting or allowing a password update - Information on the exact syntax violation
Upstream ticket: https://github.com/389ds/389-ds-base/issues/3061
Documentation only needs to update the error log levels: Error log logging level: 1048576 ---> this replaces the NUNC_STANS logging level
Automated test passed: ============================================= test session starts ============================================= platform linux -- Python 3.9.16, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3 cachedir: .pytest_cache 389-ds-base: 2.2.6-1.module+el9dsrv+17949+63c5b04e nss: 3.79.0-14.el9_0 nspr: 4.34.0-14.el9_0 openldap: 2.6.2-3.el9 cyrus-sasl: not installed FIPS: disabled rootdir: /root/ds/dirsrvtests, configfile: pytest.ini collected 1 item dirsrvtests/tests/suites/password/pwdPolicy_logging_test.py::test_debug_logging PASSED [100%] ======================================== 1 passed in 226.09s (0:03:46) ======================================== And I ran all password policy related tests with log level 1048576 enabled. There are some inconsistencies in the log messages, that might affect log parsing (i.e. for monitoring systems): 1. Mixed first letter case, see attached file 2. Double space before "Entry:" Account is locked and requires administrator reset. Entry (uid=dbyers,ou=people,dc=example,dc=com) Policy (Global) (also this message is a bit confusing, in the source right above it says: "Exceed password retry limit. Contact system administrator to reset.") password retry limit exceeded. Entry (uid=tuser,ou=people,dc=example,dc=com) Policy (Global) user is not allowed to change password. Entry (uid=dbyers,ou=People,dc=example,dc=com) Policy (Global) 3. Dot at the end of the message update pwdTPRUseCount=1 on entry (uid=jdoe1,ou=people,dc=example,dc=com) policy (Global). 4. Mixed separators before "Entry" (dot instead of colon) Account is locked and requires administrator reset. Entry (uid=dbyers,ou=people,dc=example,dc=com) Policy (Global) 5. Entry/Policy small case Unsuccessful bind, increase pwdTPRUseCount = 1 (max 3) - entry (uid=jdoe1,ou=People,dc=example,dc=com) policy (Global) 6. Function name in the message (not sure, maybe it should be there, but it's the only one I encountered) slapi_check_tpr_limits - attempt to bind with TPR password not yet valid (current=20230210133504Z, validity=20230210133514Z): Entry (uid=jdoe2,ou=people,dc=example,dc=com) Policy (Global) Moving to ASSIGNED.
Created attachment 1943356 [details] PWDPOLICY_DEBUG messages
Hi Mark, this bug is in MODIFIED, but I can't find any changes upstream. And I don't see them in the latest build. Shouldn't this bug be in the ASSIGNED state? Thanks.
Moving to ASSIGNED as it still needs to be addressed.
(In reply to Viktor Ashirov from comment #5) > Hi Mark, > > this bug is in MODIFIED, but I can't find any changes upstream. And I don't > see them in the latest build. > Shouldn't this bug be in the ASSIGNED state? > > Thanks. It's there: $ git checkout Directory_Server_12_2_0 Switched to branch 'Directory_Server_12_2_0' $ grep -r LDAP_DEBUG_PWDPOLICY * servers/slapd/log.c: LDAP_DEBUG_PWDPOLICY, /* SLAPI_LOG_PWDPOLICY */ servers/slapd/proto-slap.h:#define LDAP_DEBUG_PWDPOLICY 0x00100000 /* 1048576 */ Moving bug back to ON_QA
That's true, but I put bug to ASSIGNED in Comment #3 because of the inconsistencies in the log messages. Later you moved it to POST and I assumed these inconsistencies were fixed upstream. Branch Directory_Server_12_2_0 doesn't contain fixes for these inconsistencies: $ grep -r "reset. Entry" ./ldap/servers/slapd/pw.c: "Account is locked and requires administrator reset. Entry (%s) Policy (%s)\n", Do you want me to open a new bug for this?
Mark, could you please review the RN text in the DocText field? Thanks, Evgenia
RN was reviewed by Viktor, sending to a peer review
(In reply to Evgenia Martynyuk from comment #9) > Mark, could you please review the RN text in the DocText field? > > Thanks, > Evgenia Looks good
RN text passed peer review. Thank you, Masha!
Moving to VERIFIED. Issues mentioned in Comment 3 will be addressed in a separate bug.
Setting target to 12.3 to fix remaining issues...
I've opened https://bugzilla.redhat.com/show_bug.cgi?id=2209047 for the remaining issues. Let's move this back to VERIFIED as it has RN attached and is part of the erratum.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (redhat-ds:12 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3344