Bug 744074 - [ipa webui] global password policy should not be able to be deleted
Summary: [ipa webui] global password policy should not be able to be deleted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 748554
Reported: 2011-10-06 22:04 UTC by Yi Zhang
Modified: 2011-12-06 18:42 UTC

Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Web UI allows user to delete a global Password Policy
Consequence: If the policy is deleted, any attempt to add a user with Kerberos password will fail. Neither CLI nor Web UI could be used to add the policy back.
Fix: Forbid deleting global Password Policy in IPA server
Result: An error is reported when user tries to remove global Password Policy both in Web UI and CLI
Clone Of:
Environment:
Last Closed: 2011-12-06 18:42:22 UTC
Target Upstream Version:
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2011:1533 | 0 | normal | SHIPPED_LIVE | Moderate: ipa security and bug fix update | 2011-12-06 01:23:31 UTC

Description Yi Zhang 2011-10-06 22:04:37 UTC
Description of problem:
User with admin rights can delete global password policy from webui.


Version-Release number of selected component (if applicable): 2.1.1 (Sept 21 build day)


How reproducible: always


Steps to Reproduce:
1. install ipa server 
2. kinit as "admin" and bring up firefox, go to https://<ipaserver>
3. go to: "Policy" tab -> Password Policy sub menu -> select "Global Password" -> click "delete" to delete it
  
Actual results:
global password policy is deleted

Expected results:
global password can not be deleted even by admin

Additional info:
1. After the global password policy is deleted, there is no way to add such a policy, since the current WebUI does not offer "global" as a choice in the "Add Password Policy" dialog.

2. After the global password policy is deleted, cli: "ipa pwpolicy-show" will report error: password policy not found

3. After the global password policy is deleted, a newly created user cannot get a kerberos ticket with the initial password. IPA reports: user not found.

4. I didn't try this in the latest build; I will post my test result once I have updated my testing environment.

Comment 2 Dmitri Pal 2011-10-07 03:46:06 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1936

Comment 6 Martin Kosek 2011-10-31 20:23:38 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Web UI allows user to delete a global Password Policy
Consequence: If the policy is deleted, any attempt to add a user with Kerberos password will fail. Neither CLI nor Web UI could be used to add the policy back.
Fix: Forbid deleting global Password Policy in IPA server
Result: An error is reported when user tries to remove global Password Policy both in Web UI and CLI

Comment 7 Namita Soman 2011-11-05 21:06:18 UTC
An Operations error is thrown:
invalid 'group': Gettext('cannot delete global password policy', domain='ipa', localedir=None)

Could be a better formatted error.

Verified using ipa-server-2.1.3-8.el6.x86_64

Comment 8 errata-xmlrpc 2011-12-06 18:42:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
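
The fix recorded in this report (refusing the delete in the IPA server instead of relying on what the Web UI offers) can be modelled as follows. This is an added example, not FreeIPA code: the PolicyStore class, its methods and the "global_policy" key are hypothetical, and the policy lookup is simplified; the error strings are the ones quoted in the report.

```python
# Added illustration, not FreeIPA source: every name below is hypothetical.
GLOBAL = "global_policy"  # assumed key for the realm-wide default policy

class PolicyError(Exception):
    """Raised when a policy operation is refused or a policy is missing."""

class PolicyStore:
    def __init__(self, guard_global):
        self.guard_global = guard_global  # False models the pre-fix server
        self.policies = {GLOBAL: {"minlength": 8}}  # constructed sample data

    def add(self, group, **attrs):
        # As in the report, "add" only creates group policies (no way back).
        if not group or group == GLOBAL:
            raise PolicyError("a group name is required")
        self.policies[group] = attrs

    def delete(self, name):
        # Server-side check: Web UI and CLI callers get the same refusal.
        if self.guard_global and name == GLOBAL:
            raise PolicyError("cannot delete global password policy")
        if name not in self.policies:
            raise PolicyError("password policy not found")
        del self.policies[name]

    def effective(self, user_groups):
        # Simplified lookup: first matching group policy, else the global one.
        for group in user_groups:
            if group in self.policies:
                return self.policies[group]
        if GLOBAL not in self.policies:
            raise PolicyError("password policy not found")
        return self.policies[GLOBAL]

def delete_global_then_onboard(guard_global):
    """Return (delete_error, lookup_error); None means the step succeeded."""
    store = PolicyStore(guard_global)
    results = []
    for step in (lambda: store.delete(GLOBAL), lambda: store.effective([])):
        try:
            step()
            results.append(None)
        except PolicyError as exc:
            results.append(str(exc))
    return tuple(results)

if __name__ == "__main__":
    for guard in (False, True):
        print("guarded" if guard else "unguarded", delete_global_then_onboard(guard))
```

Without the guard the delete succeeds and the policy lookup for a new user with no group policy then fails; with the guard the delete is refused and the lookup keeps working.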

