802786 – FreeIPA WebUI displays "Insufficient access: invalid credentials" when a password doesn't meet policy requirements

Bug 802786 - FreeIPA WebUI displays "Insufficient access: invalid credentials" when a password doesn't meet policy requirements

Summary: FreeIPA WebUI displays "Insufficient access: invalid credentials" when a pass...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-13 14:09 UTC by Dmitri Pal
Modified:	2012-06-20 13:20 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ipa-2.2.0-8.el6
Doc Type:	Bug Fix
Doc Text:	No documentation needed.
Clone Of:
Environment:
Last Closed:	2012-06-20 13:20:47 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0819	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2012-06-19 20:34:17 UTC

Description Dmitri Pal 2012-03-13 14:09:56 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2315

FreeIPA WebUI displays "Insufficient access: invalid credentials" when a password doesn't meet policy requirements...

This is an issue post migration to FreeIPA as many users would like to be able to reset their passwords, and they believe the error is actually due to their permissions when in fact it is not.

Could this webui fix be back ported to 2.1.x?

Comment 1 Rob Crittenden 2012-03-13 18:54:04 UTC

Yes, the password change part from 2315 is relatively short (the patch includes other unrelated changes).

This also requires the patch from ticket https://fedorahosted.org/freeipa/ticket/2067 which includes the correct reason for rejecting a password change. This one will require a bit of work as the password plugin changed quite between 2.1 and 2.2.

Comment 2 Jenny Severance 2012-03-20 19:17:23 UTC

Please add steps to reproduce this issue. Thanks

Comment 3 Rob Crittenden 2012-03-20 21:13:21 UTC

Update the password policy to set things like min length, number of character sets, etc.

In the UI log in as a user and change your own password to something that doesn't meet this criteria. You should get a reasonable error message back.

Comment 4 Martin Kosek 2012-03-30 06:59:10 UTC

Fixed upstream:

master: b73fc6e550fed9a1b6d83a03fa16f43b361ec8aa
ipa-2-2: afa1ab99cdb4313266aa8791fe8c543694a64790

Comment 11 Martin Kosek 2012-04-30 12:43:33 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 12 Namita Soman 2012-05-03 13:44:01 UTC

Verified using ipa-server-2.2.0-12.el6.x86_64

The user tried to reset their password to a 2 char password, and got error:
Constraint violation: Password is too short

Comment 14 errata-xmlrpc 2012-06-20 13:20:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

Note You need to log in before you can comment on or make changes to this bug.