Bug 627993 - RFE: allow global password policy duration attributes in days, hours, minutes, as well
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Security - Password Policy
Version: 1.2.6
Hardware: All
OS: All
Priority: medium
Severity: low
Assigned To: Noriko Hosoi
Viktor Ashirov
Blocks: 639035
Reported: 2010-08-27 11:47 EDT by Gerhardus Geldenhuis
Modified: 2015-12-07 12:16 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 12:16:26 EST

Attachments
git patch file (master) (9.21 KB, patch)
2011-01-19 20:19 EST, Noriko Hosoi

Description Gerhardus Geldenhuis 2010-08-27 11:47:59 EDT
Description of problem:
Some values set in the password policy are stored in seconds while other password policies are stored in days. All values are entered as days in the GUI, and having this difference makes for some level of confusion and a source of problems when doing scripting with ldif files.


Version-Release number of selected component (if applicable):
1.2.6rc7

How reproducible:
Every time

Steps to Reproduce:
1. Enable audit log
2. Change some values in password policy

Actual results:

dn: cn=config
changetype: modify
replace: passwordMaxAge
passwordMaxAge: 17280000
-
replace: passwordWarning
passwordWarning: 9590400
-
replace: passwordGraceLimit
passwordGraceLimit: 112


Expected results:

dn: cn=config
changetype: modify
replace: passwordMaxAge
passwordMaxAge: 200
-
replace: passwordWarning
passwordWarning: 111
-
replace: passwordGraceLimit
passwordGraceLimit: 112



Additional info:
Comment 1 Gerhardus Geldenhuis 2010-08-27 12:23:32 EDT
The same goes for password retry settings:

changetype: modify
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: 5
-
replace: passwordLockoutDuration
passwordLockoutDuration: 1800
-
replace: passwordResetFailureCount
passwordResetFailureCount: 660
Comment 5 Noriko Hosoi 2011-01-19 18:39:38 EST
(In reply to comment #0)
> Description of problem:
> Some values set in the password policy are stored in seconds while other
> password policies are stored in days.
 
Actually, there are no inconsistencies there. The first 2, passwordMaxAge and passwordWarning, are in seconds. And the 3rd, passwordGraceLimit, is a number of grace logins.

FYI:
passwordGraceLimit: This attribute indicates the number of grace logins permitted when a user's password is expired. When set to a positive number, the user will be allowed to bind with the expired password for that many times. For the global password policy, the attribute is defined under cn=config. By default, this attribute is set to 0, which means grace logins are not permitted.

You can find the description here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes

In comment 1 (https://bugzilla.redhat.com/show_bug.cgi?id=627993#c1), the value of passwordMaxFailure and passwordResetFailureCount is a number/count. The value of passwordLockoutDuration is in seconds.

All the values which represent the time duration are in seconds.
Comment 6 Noriko Hosoi 2011-01-19 20:19:40 EST
Created attachment 474376
git patch file (master)

The attached patch allows passwordLockoutDuration, passwordResetFailureCount, passwordMaxAge, passwordMinAge, passwordWarning to have <days>D|d, <hours>H|h, <min>M|m, and <sec>S|s in addition to the current representation <sec> in seconds.

For instance, this is allowed instead of 3600:
passwordLockoutDuration: 1H
or this for 8640000:
passwordMaxAge: 100d
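
The suffix notation described in comment 6, as an added example that is not the attached patch or 389 Directory Server code: a strict parser sketch, under the hypothetical name `duration_to_seconds`, that rejects signs, unknown units and overflow instead of guessing, so a mistyped lockout or expiry value cannot silently become a weaker policy. Whether the server accepts combined values such as `1H30M` is not stated on this page; rejecting them is an assumption of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not the 389 DS function): convert "<n>", "<n>S|s",
 * "<n>M|m", "<n>H|h" or "<n>D|d" to seconds. Returns -1 on any input that
 * is not exactly one non-negative integer plus at most one unit letter. */
long duration_to_seconds(const char *value)
{
    char *end = NULL;
    long n, mult;

    /* strtol would skip whitespace and accept a sign; require a digit. */
    if (value == NULL || !isdigit((unsigned char)value[0]))
        return -1;

    errno = 0;
    n = strtol(value, &end, 10);
    if (errno == ERANGE)
        return -1;

    switch (*end) {
    case '\0':           mult = 1;     break;  /* bare number: seconds */
    case 'S': case 's':  mult = 1;     break;
    case 'M': case 'm':  mult = 60;    break;
    case 'H': case 'h':  mult = 3600;  break;
    case 'D': case 'd':  mult = 86400; break;
    default:             return -1;            /* unknown unit */
    }
    if (*end != '\0' && end[1] != '\0')
        return -1;                             /* trailing text, e.g. "1H30M" */
    if (n > LONG_MAX / mult)
        return -1;                             /* would overflow */
    return n * mult;
}

int main(void)
{
    /* Constructed sample values; the first two are the ones from comment 6. */
    const char *samples[] = { "1H", "100d", "1800", "660s", "-5", "1H30M", "10x", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s -> %ld\n", samples[i], duration_to_seconds(samples[i]));
    return 0;
}
```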
Comment 7 Noriko Hosoi 2011-01-19 20:24:33 EST
Thanks to Rich for reviewing the patch.

Pushed to master.

$ git merge 627993
Updating f1899ba..5727b88
Fast-forward
 ldap/servers/slapd/libglobs.c      |   50 +++++++--------------
 ldap/servers/slapd/slapi-private.h |    6 +--
 ldap/servers/slapd/time.c          |   85 +++++++++++++++++++++++++++++++++++-
 3 files changed, 102 insertions(+), 39 deletions(-)

$ git push
Counting objects: 15, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.77 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   f1899ba..5727b88  master -> master
Comment 8 Noriko Hosoi 2011-01-20 02:10:34 EST
Note: search returns the duration values in seconds even if the value is in days in the config file.  We should change the behavior once the Console is adjusted to the new representation.

# grep passwordMaxAge /etc/dirsrv/slapd-ID/dse.ldif
passwordMaxAge: 100D

ldapsearch ... -b "cn=config" -s base "(cn=*)" passwordMaxAge
dn: cn=config
passwordMaxAge: 8640000
Comment 9 Gerhardus Geldenhuis 2011-01-20 04:22:04 EST
That is really awesome, thanks for working on this. The solution is better than I had wished for. 

One clarification:
* ldapsearch will still return values in seconds pending an update to the console, after which it will return values as they were set, e.g. 100d.

Best Regards
Comment 10 Noriko Hosoi 2011-01-20 13:31:38 EST
Thank you for your bug report!  It gave us this chance to revisit the representation.  Please continue sharing your thoughts with us.
Comment 11 Noriko Hosoi 2011-01-20 13:31:56 EST
Additional fix:

    Commit made in 5727b8899700f574026bc9be5a1990c4c66619cf introduced
    a bug.  The commit removed 2 functions format_genTime and
    parse_genTime from slapi-private.h.  But they are used in plugins,
    which requires them in the header file.  This fix restores the
    function declarations.

$ git merge work
Updating 5727b88..68bc0a4
Fast-forward
 ldap/servers/slapd/slapi-private.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

$ git push
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 753 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   5727b88..68bc0a4  master -> master
Comment 12 Noriko Hosoi 2011-02-28 17:24:10 EST
Related bug:
Bug 681015 - RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well
https://bugzilla.redhat.com/show_bug.cgi?id=681015
Comment 13 Amita Sharma 2011-06-29 08:02:00 EDT
Password startup: 100% (1/1)
password policy run: 100% (305/305)

I have automated this in the password policy suite of tet.



Hence VERIFIED.
