Description of problem: Some values set in the password policy is stored in seconds while other password policies is stored in days. All values is entered as days in the GUI and having this difference makes for some level of confusion and a source of problems when doing scripting with ldif files. Version-Release number of selected component (if applicable): 1.2.6rc7 How reproducible: Every time Steps to Reproduce: 1.Enable audit log 2.Change some values in password policy 3. Actual results: dn: cn=config changetype: modify replace: passwordMaxAge passwordMaxAge: 17280000 - replace: passwordWarning passwordWarning: 9590400 - replace: passwordGraceLimit passwordGraceLimit: 112 Expected results: dn: cn=config changetype: modify replace: passwordMaxAge passwordMaxAge: 200 - replace: passwordWarning passwordWarning: 111 - replace: passwordGraceLimit passwordGraceLimit: 112 Additional info:
The same goes for password retry settings: changetype: modify replace: passwordLockout passwordLockout: on - replace: passwordMaxFailure passwordMaxFailure: 5 - replace: passwordLockoutDuration passwordLockoutDuration: 1800 - replace: passwordResetFailureCount passwordResetFailureCount: 660
(In reply to comment #0) > Description of problem: > Some values set in the password policy is stored in seconds while other > password policies is stored in days. Actually, there are no inconsistencies there. The first 2: passwordMaxAge and passwordWarning are in seconds. And the 3-rd: passwordGraceLimit is a number of grace logins. FYI: passwordGraceLimit This attribute indicates the number of grace logins permitted when a user's password is expired. When set to a positive number, the user will be allowed to bind with the expired password for that many times. For the global password policy, the attribute is defined under cn=config. By default, this attribute is set to 0, which means grace logins are not permitted. You can find the description here: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes In the comment 1 (https://bugzilla.redhat.com/show_bug.cgi?id=627993#c1) The value of passwordMaxFailure and passwordResetFailureCount is number/count. The value of passwordLockoutDuration is in seconds. All the values which represent the time duration are in seconds.
Created attachment 474376 [details] git patch file (master) The attached patch allows passwordLockoutDuration, passwordResetFailureCount, passwordMaxAge, passwordMinAge, passwordWarning to have <days>D|d, <hours>H|h, <min>M|m, and <sec>S|s in addition to the current representation <sec> in seconds. For instance, this is allowed instead of 3600: passwordLockoutDuration: 1H or this for 8640000: passwordMaxAge: 100d
Thanks to Rich for reviewing the patch. Pushed to master. $ git merge 627993 Updating f1899ba..5727b88 Fast-forward ldap/servers/slapd/libglobs.c | 50 +++++++-------------- ldap/servers/slapd/slapi-private.h | 6 +-- ldap/servers/slapd/time.c | 85 +++++++++++++++++++++++++++++++++++- 3 files changed, 102 insertions(+), 39 deletions(-) $ git push Counting objects: 15, done. Delta compression using up to 2 threads. Compressing objects: 100% (8/8), done. Writing objects: 100% (8/8), 1.77 KiB, done. Total 8 (delta 6), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git f1899ba..5727b88 master -> master
Note: search returns the duration values in seconds even if the value is in days in the config file. We should change the behavior once the Console is adjusted to the new representation. # grep passwordMaxAge /etc/dirsrv/slapd-ID/dse.ldif passwordMaxAge: 100D ldapsearch ... -b "cn=config" -s base "(cn=*)" passwordMaxAge dn: cn=config passwordMaxAge: 8640000
That is really awesome, thanks for working on this. The solution is better than I had wished for. One clarification: * ldapsearch will still return values in seconds pending an update to the console, where after it will return values as it was set. Eg 100d. Best Regards
Thank you for your bug report! It gave us this chance to revisit the representation. Please continue sharing your thoughts with us.
Additional fix: Commit made in 5727b8899700f574026bc9be5a1990c4c66619cf introduced a bug. The commit removed 2 functions format_genTime and parse_genTime from slapi-private.h. But they are used in plugins, which requires them in the header file. This fix restores the function declarations. $ git merge work Updating 5727b88..68bc0a4 Fast-forward ldap/servers/slapd/slapi-private.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) $ git push Counting objects: 11, done. Delta compression using up to 4 threads. Compressing objects: 100% (6/6), done. Writing objects: 100% (6/6), 753 bytes, done. Total 6 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 5727b88..68bc0a4 master -> master
Related bug: Bug 681015 - RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well https://bugzilla.redhat.com/show_bug.cgi?id=681015
Password startup 100% (1/1) password policy run 100% (305/305) I have automated this in password policy suit of tet. Hence VERIFIED.