Bug 741636 - Overlay ppolicy MinAge and MaxAge options don't work
Summary: Overlay ppolicy MinAge and MaxAge options don't work
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Jan Vcelak
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-27 13:31 UTC by David Spurek
Modified: 2015-03-02 05:26 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-29 08:38:00 UTC
Target Upstream Version:


Attachments (Terms of Use)
Slapd configuration file for slaptest (1.22 KB, application/octet-stream)
2011-09-27 13:31 UTC, David Spurek
no flags Details
data.ldif (1.54 KB, application/octet-stream)
2011-09-27 13:32 UTC, David Spurek
no flags Details

Description David Spurek 2011-09-27 13:31:08 UTC
Created attachment 525132 [details]
Slapd configuration file for slaptest

Description of problem:
I think it is a regression, because the test cases works fine on RHEL 6.1.

Version-Release number of selected component (if applicable):
openldap-servers-2.4.23-19.el6

How reproducible:
always

Steps to Reproduce:
1.slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
(slapd.conf is in attachement)

2.slapadd -l data.ldif
(data.ldif is in attachement)

3.Test MinAge:
- Change the password.

echo "dn: uid=ldap1,ou=People,$DN" >  mod.ldif
echo "changetype: modify"          >> mod.ldif
echo "replace: userPassword"       >> mod.ldif
echo "userPassword: 12345678"       >> mod.ldif
rlRun "ldapmodify -D uid=ldap1,ou=People,$DN -w 123456 -x -f mod.ldif" 0
rm -f mod.ldif

- MinAge should apply.
	
echo "dn: uid=ldap1,ou=People,$DN" >  mod.ldif
echo "changetype: modify"          >> mod.ldif
echo "replace: userPassword"       >> mod.ldif
echo "userPassword: 1234567"       >> mod.ldif
rlRun "ldapmodify -D uid=ldap1,ou=People,$DN -w 12345678 -x -f mod.ldif" 19
rm -f mod.ldif	
	
- MinAge should not apply.
sleep 6	
echo "dn: uid=ldap1,ou=People,$DN" >  mod.ldif
echo "changetype: modify"          >> mod.ldif
echo "replace: userPassword"       >> mod.ldif
echo "userPassword: 1234567"       >> mod.ldif
rlRun "ldapmodify -D uid=ldap1,ou=People,$DN -w 12345678 -x -f mod.ldif" 0
rm -f mod.ldif

4. Test MaxAge:
	# Password should be still valid.
	sleep 6	
	rlRun "ldapsearch -b $DN -D uid=ldap1,ou=People,$DN -w 1234567 -x" 0

	# Password should be expired, but graceLimit allows 1.	
	sleep 6
	rlRun "ldapsearch -b $DN -D uid=ldap1,ou=People,$DN -w 1234567 -x" 0

	# Password should be expired, but graceLimit allows 2.	
	sleep 6
	rlRun "ldapsearch -b $DN -D uid=ldap1,ou=People,$DN -w 1234567 -x" 0

	# Password should be expired and gracelimit expired 3.
	sleep 6
	rlRun "ldapsearch -b $DN -D uid=ldap1,ou=People,$DN -w 1234567 -x" 49
  
Actual results:
FAIL in test cases MinAge should apply, MinAge should not apply and Password should be expired, but graceLimit allows 2.

Expected results:
Failing three test cases works fine (as on RHEL 6.1)

Comment 1 David Spurek 2011-09-27 13:32:16 UTC
Created attachment 525133 [details]
data.ldif

Comment 2 Jan Vcelak 2011-09-27 23:16:07 UTC
I'm unable to reproduce on openldap-servers-2.4.23-19.el6 (the same version).

The configuration is unaltered (except for olcRootPW). I created reproducer.sh to run all the commands. Multiple runs, always the same result:

# ./reproduce.sh 
+ DN=dc=my-domain,dc=com
+ echo == PREP ==
== PREP ==
+ ldapmodify -D cn=Manager,dc=my-domain,dc=com -w password -x
modifying entry "uid=ldap1,ou=People,dc=my-domain,dc=com"

+ echo 0
0
+ sleep 6
+ echo '== MIN AGE =='
== MIN AGE ==
+ ldapmodify -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 123456 -x
modifying entry "uid=ldap1,ou=People,dc=my-domain,dc=com"

+ echo 0
0
+ ldapmodify -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 12345678 -x
modifying entry "uid=ldap1,ou=People,dc=my-domain,dc=com"
ldap_modify: Constraint violation (19)
        additional info: Password is too young to change

+ echo 19
19
+ sleep 6
+ ldapmodify -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 12345678 -x
modifying entry "uid=ldap1,ou=People,dc=my-domain,dc=com"

+ echo 0
0
+ echo '== MAX AGE =='
== MAX AGE ==
+ sleep 6
+ ldapsearch -b dc=my-domain,dc=com -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 1234567 -x
+ echo 0
0
+ sleep 6
+ ldapsearch -b dc=my-domain,dc=com -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 1234567 -x
+ echo 0
0
+ sleep 6
+ ldapsearch -b dc=my-domain,dc=com -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 1234567 -x
+ echo 0
0
+ sleep 6
+ ldapsearch -b dc=my-domain,dc=com -D uid=ldap1,ou=People,dc=my-domain,dc=com -w 1234567 -x
ldap_bind: Invalid credentials (49)
+ echo 49
49


Please, can you recheck?

Comment 3 David Spurek 2011-09-29 05:31:07 UTC
I recheck this. I am sorry to you, but it isn't problem with openldap. The problem is with beaker, sometimes happened one or two seconds delay between run the commands, then this time addict test fails.


Note You need to log in before you can comment on or make changes to this bug.