Bug 2069618

Summary: Password modify extended operation should skip password policy checks when executed by root DN
Product: Red Hat Directory Server
Reporter: Anton Bobrov <abobrov>
Component: 389-ds-base
Assignee: LDAP Maintainers <idm-ds-dev-bugs>
Status: CLOSED MIGRATED
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: high
Docs Contact: Evgenia Martynyuk <emartyny>
Priority: high
Version: 12.2
CC: idm-ds-dev-bugs, mreynolds, pasik, tbordaz
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2024-06-26 13:47:28 UTC
Type: Bug

Description Anton Bobrov 2022-03-29 09:20:56 UTC
Description of problem:

When the LDAP password policy extended operation is executed by root DN on a regular user under constraints of a password policy, e.g. password history, it should skip password policy checks because the root DN should be allowed to set a regular user password to any value; however, this is currently not the case.

The root DN user can still modify the userPassword attribute directly via a regular modify operation, which can be used as a workaround of sorts; however, it does not play nice with various password policy flags/operational attributes, i.e. it can be done but requires more effort and essentially negates the password policy extended operation functionality.

Steps to Reproduce:

1. Have a password policy in place with a specific constraint, e.g. password history.
2. Use ldappasswd tool, bind as root DN, attempt to change user's password to one that is already in history (violate password policy constraints).

Actual results:

Result: Constraint violation (19)
Additional info: Failed to update password

Expected results:

The root DN should be able to violate password policy constraints and change user password regardless.

Additional info:

It should probably apply to a password administrator user as well if one is defined for password policy configuration.
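As an added example that is not part of this bug report or of 389-ds-base, the following Python builds the RFC 3062 Password Modify extended request (OID 1.3.6.1.4.1.4203.1.11.1) that ldappasswd sends and pulls the resultCode out of the server's ExtendedResponse (19 is the constraintViolation shown above), using a minimal hand-written BER encoder. The DN and password values are placeholders, and `extended_response` constructs a sample server reply so the parser can be exercised offline.

```python
from typing import Optional

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify
CONSTRAINT_VIOLATION = 19                     # resultCode seen in the report

def ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_request(msg_id: int, user_dn: Optional[str],
                          old_pw: Optional[str], new_pw: Optional[str]) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest } carrying a
    PasswdModifyRequestValue (OPTIONAL fields, context tags [0] [1] [2]).
    Assumes msg_id < 128 so the INTEGER fits in one byte."""
    fields = b"".join(tlv(tag, val.encode()) for tag, val in
                      ((0x80, user_dn), (0x81, old_pw), (0x82, new_pw))
                      if val is not None)
    ext_req = tlv(0x80, PASSWD_MODIFY_OID.encode())     # requestName [0]
    ext_req += tlv(0x81, tlv(0x30, fields))             # requestValue [1]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, ext_req))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def result_code(msg: bytes) -> int:
    """resultCode of LDAPMessage { messageID, [APPLICATION 24] ExtendedResponse }."""
    _, body, _ = read_tlv(msg, 0)
    _, _, pos = read_tlv(body, 0)                       # skip messageID
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    return int.from_bytes(read_tlv(resp, 0)[1], "big")  # ENUMERATED resultCode

def extended_response(msg_id: int, code: int, diag: str) -> bytes:
    """Build a constructed sample ExtendedResponse (resultCode, empty matchedDN,
    diagnosticMessage) so the parser can be exercised without a server."""
    resp = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x78, resp))
```

A real client would write `passwd_modify_request(...)` to the LDAP socket after binding and feed the bytes read back into `result_code`; the sample here mirrors the "Constraint violation (19)" / "Failed to update password" reply quoted in the report.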

Comment 1 mreynolds 2022-03-29 16:54:39 UTC
DS already ignores password policy when the bind DN is root DN, but perhaps with ldappasswd it's using proxied auth and the "user" DN is being evaluated by password policy instead of the root DN. That might be hard to address, but it needs more investigation by DS team...

Comment 3 Viktor Ashirov 2024-06-26 13:47:28 UTC
This BZ has been automatically migrated to Red Hat Issue Tracker https://issues.redhat.com/browse/DIRSRV-38. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.