Bug 553736 - Local password policy should intelligently set default password storage scheme
Status: CLOSED DUPLICATE of bug 190862
Product: 389
Classification: Community
Component: Security - Password Policy
1.2.1
All Linux
medium Severity low
Assigned To: Rich Megginson
Chandrasekar Kannan
Duplicates: 554419
Blocks: 434915
Reported: 2010-01-08 14:15 EST by Chris St. Pierre
Modified: 2015-01-04 18:41 EST
Doc Type: Bug Fix
Last Closed: 2010-09-27 11:31:46 EDT
Description Chris St. Pierre 2010-01-08 14:15:40 EST
If a new local password policy is created without a passwordStorageScheme attribute, then the password history will not work. It seems, intuitively, like either the global storage scheme or the default storage scheme should apply to the local policy, rather than requiring a scheme to be explicitly set. Or, failing that, ns-newpwpolicy.pl should probably create a default passwordStorageScheme attribute.

Some comments from bug #553455:

--- Comment #5 from Nathan Kinder <nkinder@redhat.com>  2010-01-08 13:34:20 EDT ---
(In reply to comment #4)
> It seems, intuitively, like either the global storage scheme or the default
> storage scheme should apply to the local policy.  If not, then
> ns-newpwpolicy.pl should probably create a default passwordStorageScheme
> attribute.

I tend to agree, though I am concerned about changing the behavior.  We could
make the storage scheme of the local policy inherit from the global policy if
it is not set locally, but this would have the effect of changing the result of
user's existing policies after an upgrade.  It is probably unlikely that
someone is depending on the current behaviour to enforce clear passwords
without explicitly specifying the storage scheme, but we have no way of knowing
for sure.

The ns-newpwpolicy.pl script could also be easily modified to add a default
storage scheme, but we don't add any other policy values.  Perhaps the proper
thing is to make the default storage scheme for a local policy SSHA when the
"passwordStorageScheme" value is not set.  This is in line with the way the
global policy works.

--- Comment #6 from Rich Megginson <rmeggins@redhat.com>  2010-01-08 13:43:31 EDT ---
This has been a problem from day one - everyone intuitively expects the local
password policy to inherit from the global password policy for fields that are
not specified at the local level.  I seriously doubt someone is relying on the
existing behavior, fully understanding how it is supposed to work.  But that is
a separate issue - an enhancement request.  I think it could be made to work by
changing new_passwdPolicy to simply copy the settings from the global policy
when creating the local policy object.
Comment 2 Jenny Galipeau 2010-01-19 12:34:10 EST
*** Bug 554419 has been marked as a duplicate of this bug. ***
Comment 3 Rich Megginson 2010-09-27 11:31:46 EDT

*** This bug has been marked as a duplicate of bug 190862 ***
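
An audit for the condition reported in this bug, added here as an example; it is not code from the report or from the 389 project. It parses an LDIF export and lists local policy entries that carry no passwordStorageScheme. Assumptions: policy entries are recognised by the passwordpolicy object class, history is read from passwordHistory, and the sample LDIF, its DNs and the function names are constructed for illustration.

```python
import base64

# Constructed sample export (assumption: not taken from the bug report).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe

dn: cn=policy-with-scheme,ou=People,dc=example,dc=com
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordHistory: on
passwordStorageScheme:: U1NIQQ==

dn: cn=policy-without-scheme,ou=People,
 dc=example,dc=com
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordHistory: on
"""

def parse_ldif(text):
    """Return a list of {lowercased attribute: [values]} dicts, one per entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded continuation line
        elif not line.startswith("#"):
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries

def policies_missing_scheme(entries):
    """Return (dn, history_enabled) for policy entries with no storage scheme."""
    findings = []
    for e in entries:
        if "passwordpolicy" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        if not e.get("passwordstoragescheme"):
            history = any(v.lower() == "on" for v in e.get("passwordhistory", []))
            findings.append((e["dn"][0], history))
    return findings
```

Entries returned with history_enabled set to True are the ones affected by the behaviour described in this bug.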
