Description of problem:
A user with admin rights can delete the global password policy from the WebUI.
Version-Release number of selected component (if applicable): 2.1.1 (Sept 21 build day)
How reproducible: always
Steps to Reproduce:
1. Install the IPA server.
2. kinit as "admin", bring up Firefox, and go to https://<ipaserver>
3. Go to: "Policy" tab -> Password Policy sub menu -> select "Global Password" -> click "delete" to delete it
Actual results:
global password policy being deleted
Expected results:
global password can not be deleted even by admin
Additional info:
1. After the global password policy is deleted, there is no way to add such a policy, since the current WebUI does not offer "global" as a choice in the "Add Password Policy" dialog.
2. After the global password policy is deleted, the CLI command "ipa pwpolicy-show" reports an error: password policy not found
3. After the global password policy is deleted, a newly created user cannot get a Kerberos ticket with the initial password. IPA reports: user not found.
4. I didn't try this in the latest build; I will post my test result once I have updated my testing environment.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Cause: The Web UI allows a user to delete a global Password Policy.
Consequence: If the policy is deleted, any attempt to add a user with a Kerberos password will fail. Neither the CLI nor the Web UI could be used to add the policy back.
Fix: Forbid deleting the global Password Policy in the IPA server.
Result: An error is reported when a user tries to remove the global Password Policy, both in the Web UI and the CLI.
An Operations error is thrown:
invalid 'group': Gettext('cannot delete global password policy', domain='ipa', localedir=None)
Could be a better formatted error.
Verified using ipa-server-2.1.3-8.el6.x86_64
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.