Red Hat Bugzilla – Bug 691446
Account policy plug-in affects the password policy attributes.
Last modified: 2011-04-25 19:27:32 EDT
Description of problem: Password policy attributes like passwordmaxage fails to function when Account policy plug-in is configured. Version-Release number of selected component (if applicable): 1.2.8 How reproducible: Consistently Steps to Reproduce: 1. Set the Global password expiry "ON" and set PasswordMaxage to 30 secs. 2. Configure Global Account policy plug-in and set the AccountInactivityLimit to 60 secs. 3. User password failed to expire after 30 secs. User is able to successfully login. 4. Wait till the AccountInactivityLimit is reached(60 secs) - Account successfully inactivated. Actual results: Account policy plug-in is suppressing the password policy attributes from working. Expected results: Password policy and Account policy plug-in should work independently. Additional Info: Password policy attributes work fine when Account policy is not configured.
I tried to reproduce this issue, and everything is working as designed. I believe I know why it looked like it was not behaving correctly. When using password expiration, the expiration time is reset first time a user does a bind after a password change. The expiration time is updated by adding the passwordWarning period to the existing expiration time. By default, this is 1 day. This means that a password will not expire for 1 day and 30 seconds if you set a 30 second expiration period and you bind within 30 seconds of changing the password (unless you change the passwordWarning value). I believe that this was happening, which made it look like the Account Policy plug-in was overriding the password policy. The best way to do this test is to set passwordWarning to 0 in the password policy. This will ensure that the password expires after 30 seconds as expected. Closing as NOTABUG.