Bug 567968 - subtree/user level password policy created using 389-ds-console doesn't work.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Directory Console
Version: 1.2.1
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 434914
Reported: 2010-02-24 13:44 UTC by Matteo Sessa
Modified: 2015-12-07 16:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:34:40 UTC
Embargoed:


Attachments
Proposed patch to 389-ds-console (3.21 KB, patch)
2010-02-24 13:44 UTC, Matteo Sessa

Description Matteo Sessa 2010-02-24 13:44:36 UTC
Created attachment 396063
Proposed patch to 389-ds-console

Description of problem:
389-ds-console (389-ds-1.2.jar) still uses double quotes to wrap the target DN when creating fine-grained password policies.

The GUI procedure creates nsPwPolicy_CoS, nsPwPolicyContainer and PwPolicyEntry correctly but then fails silently during nsPwTemplateEntry creation.

The password policy structure requires nsPwTemplateEntry to reference PwPolicyEntry's DN in the pwdpolicysubentry attribute, but double-quote escaping is not accepted by the 1.3.6.1.4.1.1466.115.121.1.12 (DN) syntax enforced on the pwdpolicysubentry attribute.

If I set nsslapd-syntaxcheck:off on cn=config, the password policy GUI creates nsPwTemplateEntry correctly and policies work fine.

Attached is a patch for 389-ds-console to change the way entry CNs are written; it now works according to the ns-newpwpolicy.pl syntax, thus quoting commas in the CN. Example:

before patch:
cn="cn=nsPwPolicyEntry,ou=test,o=example.com",cn=nsPwPolicyContainer,ou=test,o=example.com

after patch:
cn=cn=nsPwPolicyEntry\,ou=test\,o=example.com,cn=nsPwPolicyContainer,ou=test,o=example.com

Version-Release number of selected component (if applicable):

389-ds-base-1.2.5-1.el5
389-ds-console-1.2.0-5.el5


Steps to Reproduce:
Ensure nsslapd-syntaxcheck is set to "on", enable fine-grained password policies on Data, create a subtree policy, check if nsPwTemplateEntry is correctly created.


Actual results:
nsPwTemplateEntry is not present

Expected results:
nsPwTemplateEntry is present and has pwdpolicysubentry attribute referencing PwPolicyEntry.

Additional info:
This issue is indirectly referenced by Bug 504817
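
An added example, not code from this report or from the 389-ds-console patch: it builds the nested-DN RDN with RFC 4514 backslash escaping and shows that a strict DN check accepts the "after patch" form and rejects the double-quoted "before patch" form. The function names and the simplified checker are assumptions for illustration; the server's own DN syntax validation is more complete.

```python
import re

SPECIAL = '"+,;<>\\'  # must be backslash-escaped in an RFC 4514 RDN value
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")

def escape_rdn_value(value):
    """Escape arbitrary text (here: a whole DN) for use as one RDN value."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in SPECIAL or edge_space or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def policy_entry_dn(nested_dn, container_dn):
    """Build cn=<escaped nested DN>,<container DN> (the 'after patch' shape)."""
    return "cn=" + escape_rdn_value(nested_dn) + "," + container_dn

def split_rdns(dn):
    """Split a DN on commas that are not part of a backslash escape."""
    parts, start, i = [], 0, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == ",":
            parts.append(dn[start:i])
            start = i + 1
        i += 1
    parts.append(dn[start:])
    return parts

def is_strict_dn(dn):
    """Simplified strict check: single-valued RDNs, no legacy quoting."""
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not ATTR_RE.fullmatch(attr):
            return False
        unescaped = re.sub(r"\\.", "", value, flags=re.S)
        if any(ch in SPECIAL for ch in unescaped):
            return False  # a bare '"' or other special character remains
    return True

# The DNs from the report's before/after example.
CONTAINER = "cn=nsPwPolicyContainer,ou=test,o=example.com"
NESTED = "cn=nsPwPolicyEntry,ou=test,o=example.com"
QUOTED = 'cn="' + NESTED + '",' + CONTAINER
ESCAPED = policy_entry_dn(NESTED, CONTAINER)
```
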

Comment 2 Noriko Hosoi 2010-04-27 21:50:00 UTC
Fixed with this change:
  commit 78c50664d6421cc5d0836bb03820680dc2cb7acf
  Author: Noriko Hosoi <nhosoi>
  Date:   Mon Apr 26 11:03:52 2010 -0700
    Update to New DN Format

Comment 3 Jenny Severance 2010-05-17 14:33:08 UTC
verified - RHEL 4

version: 

redhat-ds-base-8.2.0-2010051204.el4dsrv
redhat-ds-console-8.2.0-2.el4dsrv

ldapsearch -x -h hostname.company.com -p 389 -D "cn=Directory Manager" -w Secret -b "cn=config" | grep syntaxcheck
nsslapd-syntaxcheck: on

Successfully created global, subtree and user password policies from console.

