Red Hat Bugzilla – Bug 627993
RFE: allow global password policy duration attributes in days, hours, minutes, as well
Last modified: 2015-12-07 12:16:26 EST
Description of problem:
Some values set in the password policy is stored in seconds while other password policies is stored in days. All values is entered as days in the GUI and having this difference makes for some level of confusion and a source of problems when doing scripting with ldif files.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Enable audit log
2.Change some values in password policy
The same goes for password retry settings:
(In reply to comment #0)
> Description of problem:
> Some values set in the password policy is stored in seconds while other
> password policies is stored in days.
Actually, there are no inconsistencies there. The first 2: passwordMaxAge and
passwordWarning are in seconds. And the 3-rd: passwordGraceLimit is a number of grace logins.
passwordGraceLimit This attribute indicates the number of grace logins permitted when a user's password is expired. When set to a positive number, the user will be allowed to bind with the expired password for that many times. For the global password policy, the attribute is defined under cn=config. By default, this attribute is set to 0, which means grace logins are not permitted.
You can find the description here:
In the comment 1 (https://bugzilla.redhat.com/show_bug.cgi?id=627993#c1)
The value of passwordMaxFailure and passwordResetFailureCount is number/count. The value of passwordLockoutDuration is in seconds.
All the values which represent the time duration are in seconds.
Created attachment 474376 [details]
git patch file (master)
The attached patch allows passwordLockoutDuration, passwordResetFailureCount, passwordMaxAge, passwordMinAge, passwordWarning to have <days>D|d, <hours>H|h, <min>M|m, and <sec>S|s in addition to the current representation <sec> in seconds.
For instance, this is allowed instead of 3600:
or this for 8640000:
Thanks to Rich for reviewing the patch.
Pushed to master.
$ git merge 627993
ldap/servers/slapd/libglobs.c | 50 +++++++--------------
ldap/servers/slapd/slapi-private.h | 6 +--
ldap/servers/slapd/time.c | 85 +++++++++++++++++++++++++++++++++++-
3 files changed, 102 insertions(+), 39 deletions(-)
$ git push
Counting objects: 15, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 1.77 KiB, done.
Total 8 (delta 6), reused 0 (delta 0)
f1899ba..5727b88 master -> master
Note: search returns the duration values in seconds even if the value is in days in the config file. We should change the behavior once the Console is adjusted to the new representation.
# grep passwordMaxAge /etc/dirsrv/slapd-ID/dse.ldif
ldapsearch ... -b "cn=config" -s base "(cn=*)" passwordMaxAge
That is really awesome, thanks for working on this. The solution is better than I had wished for.
* ldapsearch will still return values in seconds pending an update to the console, where after it will return values as it was set. Eg 100d.
Thank you for your bug report! It gave us this chance to revisit the representation. Please continue sharing your thoughts with us.
Commit made in 5727b8899700f574026bc9be5a1990c4c66619cf introduced
a bug. The commit removed 2 functions format_genTime and
parse_genTime from slapi-private.h. But they are used in plugins,
which requires them in the header file. This fix restores the
$ git merge work
ldap/servers/slapd/slapi-private.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
$ git push
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 753 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
5727b88..68bc0a4 master -> master
Bug 681015 - RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well
Password startup 100% (1/1)
password policy run 100% (305/305)
I have automated this in password policy suit of tet.