Bug 681015 - RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well
RFE: allow fine grained password policy duration attributes in days, hours, m...
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Security - Password Policy (Show other bugs)
1.2.8
Unspecified Unspecified
medium Severity unspecified
: ---
: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
:
Depends On:
Blocks: 639035 389_1.2.8 681611 689889
  Show dependency treegraph
 
Reported: 2011-02-28 14:46 EST by Noriko Hosoi
Modified: 2015-12-07 12:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 681611 689889 (view as bug list)
Environment:
Last Closed: 2015-12-07 12:11:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
git patch file (master) (4.31 KB, patch)
2011-02-28 17:22 EST, Noriko Hosoi
no flags Details | Diff
git patch file (master) (9.44 KB, patch)
2011-03-01 19:20 EST, Noriko Hosoi
nhosoi: review?
rmeggins: review+
Details | Diff
git patch file (master) (1.09 KB, patch)
2011-03-21 19:49 EDT, Noriko Hosoi
nkinder: review+
Details | Diff

  None (edit)
Description Noriko Hosoi 2011-02-28 14:46:02 EST
Description of problem:
This bug fix allows global password policy duration attributes in the format of ##D|d, ##H|h, ##M|m, ##S|s.
Bug 627993 - RFE: allow global password policy duration attributes in days, hours, minutes, as well

On the other hand, the fine grained has no ability to handle such format.  Actually, there is no methods to check the invalid input to the fine grained password policy duration attributes.

$ ldapmodify ...
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPol
 icyContainer,ou=People,dc=example,dc=com
changetype: modify
replace: passwordMaxAge
passwordMaxAge: abcdefg
$ echo $?
0
Comment 1 Noriko Hosoi 2011-02-28 17:22:47 EST
Created attachment 481460 [details]
git patch file (master)

Description: Adding an ability to handle ##D|d, ##H|h, ##M|m, ##S|s
format to the fine grained password policy duration attributes.

Note: when adding modifying password policy duration attributes, there is no way to verify the value.  If the value is invalid, it's found when the password is evaluated.  Without the attached patch, the password evaluation just fails without any error.  This patch logs the cause in the error log.

E.g.,

dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPol
 icyContainer,ou=People,dc=example,dc=com
changetype: modify
replace: passwordMaxAge
passwordMaxAge: xyz
$ echo $?
0

$ ldapsearch -D 'uid=tuser0,ou=People,dc=example,dc=com' -w tuser0 -b "dc=example,dc=com" "(cn=*)"
ldapsearch: Password has expired.
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: password expired!

Error log (once the patch is applied):
[28/Feb/2011:14:15:08 -0800] - Password Policy Entrycn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com: Invalid passwordMaxAge: xyz
Comment 2 Noriko Hosoi 2011-03-01 19:20:13 EST
Created attachment 481753 [details]
git patch file (master)

Description: Adding an ability to handle ##D|d, ##H|h, ##M|m, ##S|s
format to the fine grained password policy duration attributes:
  passwordMinAge, passwordMaxAge, passwordWarning,
  passwordLockoutDuration
Valid value for these duraton parameters are
  . duration in seconds with no extension
  . duration in days, hours, minutes, and seconds with extesion
    D|d, H|h, M|m, and S|s, respectively.
The value should be less than MAX_ALLOWED_TIME_IN_SECS - current_time.
Comment 3 Rich Megginson 2011-03-02 10:02:38 EST
Comment on attachment 481753 [details]
git patch file (master)

https://bugzilla.redhat.com/attachment.cgi?id=481753&action=diff#a/ldap/servers/slapd/modify.c_sec1

this probably won't compile due to the extra comma at the end of the list

Other than that, looks good.
Comment 4 Noriko Hosoi 2011-03-02 13:06:44 EST
Thanks for finding it out, Rich!  Amazingly, this compiler let me compile it!
  gcc (GCC) 4.4.5 20101112 (Red Hat 4.4.5-2)

But obviously, the comma should not be there.  I removed the comma.

Pushed to master
commit 53839a8b27e92fd04f36401a95b54a2bc1168b88

as well as to 389-ds-base-1.2.8:
commit 3e70b878da60d21c07176108cb96648546176646
Comment 5 Amita Sharma 2011-03-21 10:13:20 EDT
passwordLockoutDuration attribute is not working with the fine grain password policy. So, I am moving the bug to ASSIGNED state.

Its not behaving as expected, if passwordLockoutDuration is set to "1m, 1M, 1d and 2h". This works fine when I set this value in seconds without prefixing it, like (60, 120 and 30).
Comment 6 Noriko Hosoi 2011-03-21 19:49:17 EDT
Created attachment 486705 [details]
git patch file (master)

Thanks to Amita for finding out this bug..

Description: passwordLockoutDuration attribute is not working 
with the fine grain password policy.  The code to parse the  
value of passwordLockoutDuration was missing.  This patch 
adds it.

With this fix, your test case passes 100%.
Comment 7 Noriko Hosoi 2011-03-22 14:04:59 EDT
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge 681015
Updating 9d5d73c..6ada149
Fast-forward
 ldap/servers/slapd/pw.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

$ git push
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 736 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   9d5d73c..6ada149  master -> master


commit 6ada149c42dbcce727662927129ae55832def5a0
Author: Noriko Hosoi <nhosoi@redhat.com>
Date:   Mon Mar 21 16:44:16 2011 -0700

    Bug 681015 - RFE: allow fine grained password policy duration attributes ...


Cherry picked commit 6ada149c42dbcce727662927129ae55832def5a0 and pushed to 389-ds-base-1.2.8, as well.

$ git cherry-pick 6ada149c42dbcce727662927129ae55832def5a0
Finished one cherry-pick.
[ds128-local df7c57c] Bug 681015 - RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well
 1 files changed, 1 insertions(+), 1 deletions(-)

$ git push origin ds128-local:389-ds-base-1.2.8
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 731 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   2ba240b..df7c57c  ds128-local -> 389-ds-base-1.2.8
Comment 8 Amita Sharma 2011-06-29 08:01:49 EDT
Password startup 	100% (1/1) 	  	 
password policy run 	100% (305/305)

I have automated this in password policy suit of tet.



Hence VERIFIED.

Note You need to log in before you can comment on or make changes to this bug.