Red Hat Bugzilla – Bug 691446
Account policy plug-in affects the password policy attributes.
Last modified: 2011-04-25 19:27:32 EDT
Description of problem:
Password policy attributes like passwordmaxage fails to function when Account policy plug-in is configured.
Version-Release number of selected component (if applicable): 1.2.8
How reproducible: Consistently
Steps to Reproduce:
1. Set the Global password expiry "ON" and set PasswordMaxage to 30 secs.
2. Configure Global Account policy plug-in and set the AccountInactivityLimit to 60 secs.
3. User password failed to expire after 30 secs. User is able to successfully login.
4. Wait till the AccountInactivityLimit is reached(60 secs) - Account successfully inactivated.
Actual results: Account policy plug-in is suppressing the password policy attributes from working.
Expected results: Password policy and Account policy plug-in should work independently.
Additional Info: Password policy attributes work fine when Account policy is not configured.
I tried to reproduce this issue, and everything is working as designed.
I believe I know why it looked like it was not behaving correctly. When using password expiration, the expiration time is reset first time a user does a bind after a password change. The expiration time is updated by adding the passwordWarning period to the existing expiration time. By default, this is 1 day. This means that a password will not expire for 1 day and 30 seconds if you set a 30 second expiration period and you bind within 30 seconds of changing the password (unless you change the passwordWarning value). I believe that this was happening, which made it look like the Account Policy plug-in was overriding the password policy. The best way to do this test is to set passwordWarning to 0 in the password policy. This will ensure that the password expires after 30 seconds as expected.
Closing as NOTABUG.