Bug 553736 - Local password policy should intelligently set default password storage scheme
Keywords:
Status: CLOSED DUPLICATE of bug 190862
Alias: None
Product: 389
Classification: Retired
Component: Security - Password Policy
Version: 1.2.1
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Duplicates: 554419
Depends On:
Blocks: 434915
 
Reported: 2010-01-08 19:15 UTC by Chris St. Pierre
Modified: 2015-01-04 23:41 UTC (History)
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-27 15:31:46 UTC



Description Chris St. Pierre 2010-01-08 19:15:40 UTC
If a new local password policy is created without a passwordStorageScheme attribute, then the password history will not work. It seems, intuitively, like either the global storage scheme or the default storage scheme should apply to the local policy, rather than requiring a scheme to be explicitly set. Or, failing that, ns-newpwpolicy.pl should probably create a default passwordStorageScheme attribute.

Some comments from bug #553455:

--- Comment #5 from Nathan Kinder <nkinder@redhat.com>  2010-01-08 13:34:20 EDT ---
(In reply to comment #4)
> It seems, intuitively, like either the global storage scheme or the default
> storage scheme should apply to the local policy.  If not, then
> ns-newpwpolicy.pl should probably create a default passwordStorageScheme
> attribute.

I tend to agree, though I am concerned about changing the behavior.  We could
make the storage scheme of the local policy inherit from the global policy if
it is not set locally, but this would have the effect of changing the result of
user's existing policies after an upgrade.  It is probably unlikely that
someone is depending on the current behaviour to enforce clear passwords
without explicitly specifying the storage scheme, but we have no way of knowing
for sure.

The ns-newpwpolicy.pl script could also be easily modified to add a default
storage scheme, but we don't add any other policy values.  Perhaps the proper
thing is to make the default storage scheme for a local policy SSHA when the
"passwordStorageScheme" value is not set.  This is in line with the way the
global policy works.

--- Comment #6 from Rich Megginson <rmeggins@redhat.com>  2010-01-08 13:43:31 EDT ---
This has been a problem from day one - everyone intuitively expects the local
password policy to inherit from the global password policy for fields that are
not specified at the local level.  I seriously doubt someone is relying on the
existing behavior, fully understanding how it is supposed to work.  But that is
a separate issue - an enhancement request.  I think it could be made to work by
changing new_passwdPolicy to simply copy the settings from the global policy
when creating the local policy object.
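An added example (not code from this bug, 389 Directory Server, or ns-newpwpolicy.pl) that audits local policy entries for the missing attribute described above and computes the storage scheme each would receive under the inheritance Nathan and Rich propose (local value, else global, else SSHA). It assumes the global policy is the cn=config entry and that local policies carry objectClass passwordPolicy; the entry DNs and the LDIF are constructed.

```python
# Added example (not code from bug 553736, 389-ds or ns-newpwpolicy.pl).
# Assumed: global policy in cn=config, local policies carry objectClass
# passwordPolicy, entry DNs below are constructed; one policy omits the scheme.
DEFAULT_SCHEME = "SSHA"  # fallback proposed in comment #5

SAMPLE_LDIF = """\
dn: cn=config
passwordStorageScheme: SSHA256

dn: cn=people-policy,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectClass: passwordPolicy
passwordStorageScheme: SSHA
passwordHistory: on

dn: cn=staff-policy,cn=nsPwPolicyContainer,ou=staff,dc=example,dc=com
objectClass: passwordPolicy
passwordHistory: on
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr.lower(): [values]}}; plain lines only."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():            # blank line terminates an entry
            if "dn" in current:
                entries[current.pop("dn")[0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def effective_scheme(local, global_cfg):
    """Inheritance rule from the comments: local value, else global, else SSHA."""
    for source in (local, global_cfg):
        values = source.get("passwordstoragescheme")
        if values:
            return values[0]
    return DEFAULT_SCHEME

def audit(ldif_text):
    """{dn: (explicit scheme or None, effective scheme)} for each local policy."""
    entries = parse_ldif(ldif_text)
    global_cfg = entries.get("cn=config", {})
    report = {}
    for dn, attrs in entries.items():
        if "passwordpolicy" in [c.lower() for c in attrs.get("objectclass", [])]:
            explicit = attrs.get("passwordstoragescheme", [None])[0]
            report[dn] = (explicit, effective_scheme(attrs, global_cfg))
    return report
```

For the constructed input, audit(SAMPLE_LDIF) reports the staff policy with no explicit scheme (the situation this bug describes) and SSHA256 as the scheme it would inherit from cn=config under the proposed change.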

Comment 2 Jenny Severance 2010-01-19 17:34:10 UTC
*** Bug 554419 has been marked as a duplicate of this bug. ***

Comment 3 Rich Megginson 2010-09-27 15:31:46 UTC
*** This bug has been marked as a duplicate of bug 190862 ***

