Bug 834047 - Fine Grained Password policy: if passwordHistory is on, deleting the password fails.
Summary: Fine Grained Password policy: if passwordHistory is on, deleting the password...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
Depends On:
Reported: 2012-06-20 17:51 UTC by Nathan Kinder
Modified: 2013-02-21 08:18 UTC (History)

Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
Cause: Internal access control prohibited deleting newly added/modified passwords. Consequence: Failed to delete newly added/modified passwords. Fix: Allow the password deletion if the operation has the modify right. Result: Deleting newly added/modified passwords is successful.
Clone Of:
Last Closed: 2013-02-21 08:18:19 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0503 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2013-02-21 08:18:44 UTC

Description Nathan Kinder 2012-06-20 17:51:32 UTC
This bug is created as a clone of upstream ticket:


Description of problem:

Password Policy Entry:
  dn: cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com",
  passwordInHistory: 6
  passwordHistory: on

$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword
userPassword: testpassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"
ldap_modify: Constraint violation (19)
        additional info: password in history

Note: if the value is not given, you can delete the password(s).
$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"

Place where the Constraint violation is being set:
(gdb) bt
#0  check_pw_syntax_ext (pb=0x22b8ac0, sdn=0x7f6750eefbc0,
    vals=0x7f671c008590, old_pw=0x7f6750ef1c68, e=0x7f671c001630, mod_op=1,
    smods=0x7f6750ef1c70) at ldap/servers/slapd/pw.c:1014
#1  0x0000003542689980 in op_shared_allow_pw_change (pb=0x22b8ac0,
    mod=0x7f671c0044d0, old_pw=0x7f6750ef1c68, smods=0x7f6750ef1c70)
    at ldap/servers/slapd/modify.c:1165
#2  0x0000003542687aa6 in do_modify (pb=0x22b8ac0)
    at ldap/servers/slapd/modify.c:353
#3  0x0000000000413ac4 in connection_dispatch_operation (conn=0x7f67522fd410,
    op=0x2658b10, pb=0x22b8ac0) at ldap/servers/slapd/connection.c:583
#4  0x00000000004152d4 in connection_threadmain ()
    at ldap/servers/slapd/connection.c:2328
#5  0x0000003262429633 in _pt_root (arg=0x2652ea0)
    at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:187
#6  0x0000003252807761 in start_thread (arg=0x7f6750ef2700)
    at pthread_create.c:301
#7  0x00000032520e098d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

(gdb) p **va
$3 = {bv = {bv_len = 46,
    bv_val = 0x7f671c000a20 "{SSHA}hUBeG9p/rwgLj7WmNZwJcganEQ8eWvLYPsOQ2w=="},
  v_csnset = 0x7f671c003880, v_flags = 0}
(gdb) p *vals[0]
$5 = {bv = {bv_len = 12, bv_val = 0x7f671c007160 "testpassword"},
  v_csnset = 0x0, v_flags = 0}
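
The decision this report turns on, as an added Python model that is not 389-ds source: {SSHA} verification in the form 389-ds stores userPassword (base64 of SHA-1(password || salt) || salt, matching the 46-character value in the backtrace), and a passwordHistory comparison modelled on check_pw_syntax_ext. The mod_op codes are the LDAP ModifyRequest operation values (delete = 1, as in frame #0); check_on_delete=True reproduces the reported result, and the default models the assumed fix of comparing only values that are being stored.

```python
import base64
import hashlib
import os
from typing import Iterable, Optional

# LDAP ModifyRequest operation codes (RFC 4511) and the result codes in this report.
LDAP_MOD_ADD, LDAP_MOD_DELETE, LDAP_MOD_REPLACE = 0, 1, 2
LDAP_SUCCESS, LDAP_CONSTRAINT_VIOLATION = 0, 19


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value: base64(sha1(password || salt) || salt), the salted
    SHA-1 scheme of the userPassword value shown in the gdb output (8-byte salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Compare a cleartext candidate with a stored {SSHA} value; everything after
    the 20-byte SHA-1 digest is the salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def check_pw_history(mod_op: int, values: Iterable[str], history: Iterable[str],
                     check_on_delete: bool = False) -> int:
    """Model (not 389-ds code) of the passwordHistory comparison. `history` holds
    the current hash plus the retained passwordInHistory hashes. With
    check_on_delete=True a delete naming the current cleartext is rejected with
    19, because that value is by construction in the history: the behaviour
    reported above. With the assumed fix (False), only values being stored
    (add/replace) are compared against the history."""
    if mod_op == LDAP_MOD_DELETE and not check_on_delete:
        return LDAP_SUCCESS
    for candidate in values:
        if any(ssha_verify(candidate, old) for old in history):
            return LDAP_CONSTRAINT_VIOLATION  # additional info: password in history
    return LDAP_SUCCESS


if __name__ == "__main__":
    # Constructed state: the user's current userPassword is "testpassword", as in the report.
    current = ssha_hash("testpassword", salt=bytes(range(8)))
    print(check_pw_history(LDAP_MOD_DELETE, ["testpassword"], [current], check_on_delete=True))  # 19
    print(check_pw_history(LDAP_MOD_DELETE, ["testpassword"], [current]))  # 0
    print(check_pw_history(LDAP_MOD_REPLACE, ["testpassword"], [current]))  # 19
```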

Comment 1 Noriko Hosoi 2012-06-27 01:22:58 UTC
Steps to verify:

Acceptance Password (pwdpolicy/pwpolicy):

Comment 2 RHEL Product and Program Management 2012-07-10 07:10:22 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 RHEL Product and Program Management 2012-07-10 23:01:24 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 5 Ján Rusnačko 2012-11-12 15:25:07 UTC

1) Add user
[jrusnack@dstet dstet]$ ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: uid=test_user0,$TESTPEOPLE_DN
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
uid: test_user0
cn: test0
sn: user0
userPassword: password

adding new entry "uid=test_user0,ou=people,dc=example,dc=com"

2) Add local password policy
[jrusnack@dstet dstet]$ /usr/lib64/dirsrv/slapd-dstet/ns-newpwpolicy.pl -D "cn=directory manager" -w Secret123 -p $PORT -h $IP -S "$TESTPEOPLE_DN"

adding new entry "cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=cn\=nsPwTemplateEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=nsPwPolicy_cos,ou=people,dc=example,dc=com"

modifying entry "cn=config"

3) Set passwordHistory
[jrusnack@dstet dstet]$ ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: modify
replace: passwordHistory
passwordhistory: on
replace: passwordInHistory
passwordInHistory: 6
replace: passwordChange
passwordChange: on

modifying entry "cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

4) Restart

5) Verify
[jrusnack@dstet dstet]$ ldapmodify -x -h $IP -p $PORT -D "uid=test_user0,$TESTPEOPLE_DN" -w password -v <<EOF
dn: uid=test_user0,$TESTPEOPLE_DN
changetype: modify
delete: userPassword
userPassword: password

ldap_initialize( ldap:// )
delete userPassword:
modifying entry "uid=test_user0,ou=people,dc=example,dc=com"
ldap_modify: Insufficient access (50)
	additional info: Insufficient 'write' privilege to the 'unhashed#user#password' attribute of entry 'uid=test_user0,ou=people,dc=example,dc=com'.


[jrusnack@dstet dstet]$ rpm -qa | grep 389

Additional info: see trac ticket #455 https://fedorahosted.org/389/ticket/455

Comment 6 Noriko Hosoi 2012-11-12 18:33:10 UTC
The Milestone of the ticket #455 is 1.3.0.rc1.  So, the fix is not included in 1.2.11.

ticket #455 https://fedorahosted.org/389/ticket/455
Milestone: 	1.3.0.rc1

They are related, but #45 and #455 are two different bugs...

Comment 7 Nathan Kinder 2012-11-17 01:08:14 UTC
Putting this back into ON_QA state.  The original issue was fixed as a part of ticket #45, and ticket #455 is being dealt with in a later release of RHEL.

Comment 8 Ján Rusnačko 2012-11-19 10:59:22 UTC
520|0 136 19111 1 1|trac45: resetting the test env
520|0 136 19111 1 2|trac45: add a test user uid=tuser0,ou=people,dc=example,dc=com
520|0 136 19111 1 3|trac45: add a fine grained password policy for the user
520|0 136 19111 1 4|trac45: set password history on
520|0 136 19111 1 5|trac45: delete userpassword
520|0 136 19111 1 6|trac45: add the same userpassword
520|0 136 19111 1 7|trac45: replace userpassword with the same one again
520|0 136 19111 1 8|trac45: set password history off
520|0 136 19111 1 9|trac45: removing the test user
520|0 136 19111 1 10|TestCase [trac45] result-> [PASS]
220|0 136 0 05:44:13|PASS

DS version: 389-ds-base-


Comment 10 errata-xmlrpc 2013-02-21 08:18:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

