Red Hat Bugzilla – Bug 744074
[ipa webui] global password policy should not be able to be deleted
Last modified: 2011-12-06 13:42:22 EST
Description of problem:
A user with admin rights can delete the global password policy from the webui.

Version-Release number of selected component (if applicable):
2.1.1 (Sept 21 build day)

How reproducible:
always

Steps to Reproduce:
1. install ipa server
2. kinit as "admin" and bring up firefox, go to https://<ipaserver>
3. go to: "Policy" tab -> Password Policy sub menu -> select "Global Password" -> click "delete" to delete it

Actual results:
the global password policy is deleted

Expected results:
the global password policy cannot be deleted, even by admin

Additional info:
1. after the global password policy is deleted, there is no way to add such a policy, since the current WebUI does not offer "global" as a choice in the "Add Password Policy" dialog
2. after the global password policy is deleted, cli: "ipa pwpolicy-show" will report error: password policy not found
3. after the global password policy is deleted, a newly created user cannot get a kerberos ticket with the initial password. IPA reports: user not found.
4. I didn't try this in the latest build; I will post my test result once I have updated my testing environment.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1936
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/c0879cd00b17b61de54b52cb24a61ce85374cae4
ipa-2-1: https://fedorahosted.org/freeipa/changeset/1e56498479e15989e85777f22bd4d775023b2e73
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Web UI allows user to delete a global Password Policy
Consequence: If the policy is deleted, any attempt to add a user with Kerberos password will fail. Neither CLI nor Web UI could be used to add the policy back.
Fix: Forbid deleting global Password Policy in IPA server
Result: An error is reported when user tries to remove global Password Policy both in Web UI and CLI
An Operations error is thrown:
invalid 'group': Gettext('cannot delete global password policy', domain='ipa', localedir=None)

Could be a better formatted error.

Verified using ipa-server-2.1.3-8.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html