Hide Forgot
+++ This bug was initially created as a clone of Bug #732153 +++ Description of problem: Unless I am missing something, it seem not possible to add a subtree or user account lockout policies in 8.2, is it supposed to be an implemented feature, or I am missing some steps? Not documented in http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_the_Password_Policy-Configuring_the_Account_Lockout_Policy.html But the directory console allows a right click context menu selection to manage subtree or user, so it seem to be available, (was it working in 8.0?) When using the directory console, when editing a subtree or user level account lockout policy, the save button stays grey, or if there are some change to the passwords policy, then it is possible to click on the Save button, but a popup error window appears with message "Operation not allowed on RDN", with access log: [19/Aug/2011:22:45:25 -0700] conn=10 op=96 MOD dn="cn=cn\5c3DnsPwPolicyEntry\5c2Cou\5c3Dpeople\5c2Cdc\5c3Dexample\5c2Cdc\5c3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com" [19/Aug/2011:22:45:25 -0700] conn=10 op=96 RESULT err=67 tag=103 nentries=0 etime=0 The QE tests at http://mach1.idm.lab.bos.redhat.com/tet/testcases/DS/6.0/accPolicy/libs_accPolicy.sh http://mach1.idm.lab.bos.redhat.com/tet/data/DS/6.0/accPolicy/ and http://mach1.idm.lab.bos.redhat.com/tet/testcases/DS/6.0/testplans/accPolicy/AccntPolicy_TestPlan.html seem to run global policy, no account lockout on subtree or user level fine grained policies. Version-Release number of selected component (if applicable): Red Hat Enterprise Linux Server release 5.7 (Tikanga) Linux ca1.example.com 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux redhat-ds-base-8.2.6-1.el5dsrv How reproducible: always Steps to Reproduce: 1. already have a global password policy, can have subtree and user level password policies 2. use either cli or directory console 3. with directory console, "Directory | example | people | right click | Manage Password policy | For subtree... | Account Lockout | check Accounts may be locked out | Lockout account after 10 login failures | Reset failure account after 10 minutes" -> cannot save, button stays grey 4. select Passwords tab, change something, go back to "Account Lockout" tab, click Save Actual results: after step 3: cannot save, button stays grey after step 4: popup window with title "Error Updating Directory" with message "Operation not allowed on RDN - OK" Expected results: subtree and user fine grained level for account lockout in nsPwPolicyContainer not just global in cn=config? Additional info: ==> /var/log/dirsrv/slapd-ca1/access <== [19/Aug/2011:22:45:25 -0700] conn=10 op=96 MOD dn="cn=cn\5c3DnsPwPolicyEntry\5c2Cou\5c3Dpeople\5c2Cdc\5c3Dexample\5c2Cdc\5c3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com" [19/Aug/2011:22:45:25 -0700] conn=10 op=96 RESULT err=67 tag=103 nentries=0 etime=0 From an older test and notes I seem to have it working with 8.0, may have been cli only, not sure if the console was used: # entry-id: 26 dn: cn="cn=nsPwPolicyEntry,ou=People,dc=mstest2",cn=nsPwPolicyContainer,dc=mst est2 passwordMaxFailure: 2 passwordUnlock: on passwordResetFailureCount: 60 passwordLockoutDuration: 120 passwordLockout: on passwordStorageScheme: ssha passwordChange: off passwordMinAge: 0 passwordHistory: off passwordExp: off passwordMustChange: off modifyTimestamp: 20090825221850Z createTimestamp: 20090825221850Z modifiersName: cn=directory manager creatorsName: cn=directory manager cn: "cn=nsPwPolicyEntry,ou=People,dc=mstest2" objectClass: ldapsubentry objectClass: passwordpolicy objectClass: top nsUniqueId: 2a2ef982-91c511de-ab1fbc42-a01af143 with 8.1 and 8.2, global account lockout configured: ldapmodify -x -D "cn=directory manager" -w password -h 10.14.5.22 -p 389 dn: cn="cn=nsPwPolicyEntry,uid=guest2,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com changetype: modify add: passwordMaxFailure passwordMaxFailure: 2 - add: passwordUnlock passwordUnlock: on - add: passwordResetFailureCount passwordResetFailureCount: 60 - add: passwordLockoutDuration passwordLockoutDuration: 120 - add: passwordLockout passwordLockout: on modifying entry "cn="cn=nsPwPolicyEntry,uid=guest2,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com" ldap_modify: Operation not allowed on RDN (67) same for cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com [...] --- Additional comment from rmeggins on 2011-08-23 18:38:38 EDT --- This is an 8.1 to 8.2 upgrade issue. The problem is that with 8.1 (or earlier) the cn value was added with quotes, but that does not match the DN value which does not have double quotes: dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPol icyContainer,ou=people,dc=example,dc=com ... cn: "cn=nsPwPolicyEntry,ou=people,dc=example,dc=com" The code in ldbm_back_modify attempts to see if a modify op has removed the RDN value. It looks for a value of cn: cn=nsPwPolicyEntry,ou=people,dc=example,dc=com in the entry and doesn't find it because the value is actually double quoted in the entry. The workaround is to use ldapmodify to add the value without quotes to the entry: ldapmodify .... << EOF dn: cn=cn\3DnsPwPolicyEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPol icyContainer,ou=people,dc=example,dc=com changetype: modify add: cn cn: cn=nsPwPolicyEntry,ou=people,dc=example,dc=com EOF --- Additional comment from msauton on 2011-08-25 19:07:16 EDT --- the simple workaround works as expected. --- Additional comment from nhosoi on 2011-08-25 21:37:43 EDT --- Created attachment 520000 [details] git patch file (master) Description: Upgradedbformat utility converts old dn format to new one. It's called at the in-place upgrade time. The utility failed to check if the normalized RDN value is in the entry's attribute list. This patch properly checks it. If the value does not exist, it adds the normalized value to the entry. --- Additional comment from rmeggins on 2011-08-29 14:54:54 EDT --- Comment on attachment 520000 [details] git patch file (master) This seems quite complex - is there some reason you can't just use slapi_entry_add_rdn_values or extend/alter that function to suit your needs? --- Additional comment from nhosoi on 2011-08-29 19:15:54 EDT --- Created attachment 520483 [details] git patch file (master) Thanks to Rich for his comments. By using the API slapi_entry_add_rdn_values, the patch could get simplified.
For the steps to verify, see the upstream bug: 732153.
As clone https://bugzilla.redhat.com/show_bug.cgi?id=732153 is Verified, marking this as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2011-1711.html