Description of problem:
This bug fix allows global password policy duration attributes in the format of ##D|d, ##H|h, ##M|m, ##S|s.
Bug 627993 - RFE: allow global password policy duration attributes in days, hours, minutes, as well

On the other hand, the fine grained has no ability to handle such format. Actually, there are no methods to check the invalid input to the fine grained password policy duration attributes.

    $ ldapmodify ...
    dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
    changetype: modify
    replace: passwordMaxAge
    passwordMaxAge: abcdefg

    $ echo $?
    0

Created attachment 481460
git patch file (master)

Description: Adding an ability to handle ##D|d, ##H|h, ##M|m, ##S|s format to the fine grained password policy duration attributes.

Note: when adding or modifying password policy duration attributes, there is no way to verify the value. If the value is invalid, it's found when the password is evaluated. Without the attached patch, the password evaluation just fails without any error. This patch logs the cause in the error log.

E.g.,

    dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
    changetype: modify
    replace: passwordMaxAge
    passwordMaxAge: xyz

    $ echo $?
    0
    $ ldapsearch -D 'uid=tuser0,ou=People,dc=example,dc=com' -w tuser0 -b "dc=example,dc=com" "(cn=*)"
    ldapsearch: Password has expired.
    ldap_simple_bind: Invalid credentials
    ldap_simple_bind: additional info: password expired!

Error log (once the patch is applied):

    [28/Feb/2011:14:15:08 -0800] - Password Policy Entrycn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com: Invalid passwordMaxAge: xyz

Created attachment 481753
git patch file (master)

Description: Adding an ability to handle ##D|d, ##H|h, ##M|m, ##S|s format to the fine grained password policy duration attributes: passwordMinAge, passwordMaxAge, passwordWarning, passwordLockoutDuration

Valid values for these duration parameters are
. duration in seconds with no extension
. duration in days, hours, minutes, and seconds with extension D|d, H|h, M|m, and S|s, respectively.
The value should be less than MAX_ALLOWED_TIME_IN_SECS - current_time.

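The validation described above, as an added example that is not part of the bug thread and is not the 389-ds-base patch: a stand-alone C validator that could run when the attribute is modified, so input such as `abcdefg` or `xyz` is rejected up front instead of surfacing at password evaluation. The function name `parse_pw_duration` and its `now` and `max_allowed` parameters are assumptions; `max_allowed` stands in for MAX_ALLOWED_TIME_IN_SECS, whose value the thread does not give.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not the 389-ds-base function). Parses "60", "30s",
 * "1M", "2h" or "1d" into seconds. Returns 0 on success, -1 if the value is
 * malformed or not less than max_allowed - now (both supplied by the caller). */
int parse_pw_duration(const char *value, long long now, long long max_allowed,
                      long long *out)
{
    char *end = NULL;
    long long n, mult = 1, limit;
    if (value == NULL || out == NULL || !isdigit((unsigned char)value[0]))
        return -1;                 /* empty, signed or non-numeric ("xyz") */
    errno = 0;
    n = strtoll(value, &end, 10);
    if (errno == ERANGE)
        return -1;                 /* does not fit in a long long */
    switch (*end) {
    case '\0': break;                                  /* plain seconds */
    case 'S': case 's': end++; break;
    case 'M': case 'm': mult = 60; end++; break;
    case 'H': case 'h': mult = 3600; end++; break;
    case 'D': case 'd': mult = 86400; end++; break;
    default: return -1;                                /* unknown suffix */
    }
    if (*end != '\0' || now < 0 || max_allowed <= now)
        return -1;                 /* trailing junk ("1dx") or bad bounds */
    limit = max_allowed - now;
    if (n > limit / mult || n * mult >= limit)
        return -1;                 /* division is checked first: no overflow */
    *out = n * mult;
    return 0;
}

int main(void)
{
    /* Constructed sample values and constructed bounds, for illustration. */
    const char *samples[] = { "60", "1m", "1M", "2h", "1d", "abcdefg", "xyz", "1dx" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long long secs = 0;
        if (parse_pw_duration(samples[i], 1300000000LL, 2000000000LL, &secs) == 0)
            printf("%-8s -> %lld seconds\n", samples[i], secs);
        else
            printf("%-8s -> rejected\n", samples[i]);
    }
    return 0;
}
```
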
Comment on attachment 481753
git patch file (master)

https://bugzilla.redhat.com/attachment.cgi?id=481753&action=diff#a/ldap/servers/slapd/modify.c_sec1
this probably won't compile due to the extra comma at the end of the list

Other than that, looks good.

Thanks for finding it out, Rich! Amazingly, this compiler let me compile it!
gcc (GCC) 4.4.5 20101112 (Red Hat 4.4.5-2)

But obviously, the comma should not be there. I removed the comma.

Pushed to master
    commit 53839a8b27e92fd04f36401a95b54a2bc1168b88
as well as to 389-ds-base-1.2.8:
    commit 3e70b878da60d21c07176108cb96648546176646

passwordLockoutDuration attribute is not working with the fine grain password policy. So, I am moving the bug to ASSIGNED state.

It's not behaving as expected, if passwordLockoutDuration is set to "1m, 1M, 1d and 2h". This works fine when I set this value in seconds without prefixing it, like (60, 120 and 30).

Created attachment 486705
git patch file (master)

Thanks to Amita for finding out this bug.

Description: passwordLockoutDuration attribute is not working with the fine grain password policy. The code to parse the value of passwordLockoutDuration was missing. This patch adds it.

With this fix, your test case passes 100%.

Reviewed by Nathan (Thank you!!!)

Pushed to master.

    $ git merge 681015
    Updating 9d5d73c..6ada149
    Fast-forward
     ldap/servers/slapd/pw.c | 2 +-
     1 files changed, 1 insertions(+), 1 deletions(-)

    $ git push
    Counting objects: 11, done.
    Delta compression using up to 4 threads.
    Compressing objects: 100% (6/6), done.
    Writing objects: 100% (6/6), 736 bytes, done.
    Total 6 (delta 4), reused 0 (delta 0)
    To ssh://git.fedorahosted.org/git/389/ds.git
       9d5d73c..6ada149 master -> master

    commit 6ada149c42dbcce727662927129ae55832def5a0
    Author: Noriko Hosoi <nhosoi>
    Date: Mon Mar 21 16:44:16 2011 -0700

        Bug 681015 - RFE: allow fine grained password policy duration attributes ...

Cherry picked commit 6ada149c42dbcce727662927129ae55832def5a0 and pushed to 389-ds-base-1.2.8, as well.

    $ git cherry-pick 6ada149c42dbcce727662927129ae55832def5a0
    Finished one cherry-pick.
    [ds128-local df7c57c] Bug 681015 - RFE: allow fine grained password policy duration attributes in days, hours, minutes, as well
     1 files changed, 1 insertions(+), 1 deletions(-)

    $ git push origin ds128-local:389-ds-base-1.2.8
    Counting objects: 11, done.
    Delta compression using up to 4 threads.
    Compressing objects: 100% (6/6), done.
    Writing objects: 100% (6/6), 731 bytes, done.
    Total 6 (delta 4), reused 0 (delta 0)
    To ssh://git.fedorahosted.org/git/389/ds.git
       2ba240b..df7c57c ds128-local -> 389-ds-base-1.2.8

    Password startup 100% (1/1)
    password policy run 100% (305/305)

I have automated this in password policy suite of tet. Hence VERIFIED.