Bug 834047 - Fine Grained Password policy: if passwordHistory is on, deleting the password fails.
Summary: Fine Grained Password policy: if passwordHistory is on, deleting the password...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-06-20 17:51 UTC by Nathan Kinder
Modified: 2020-09-13 19:47 UTC (History)

Fixed In Version: 389-ds-base-1.2.11.12-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Internal access control prohibited deleting newly added/modified passwords. Consequence: Failed to delete newly added/modified passwords. Fix: Allow the password deletion if the operation has the modify right. Result: Deleting newly added/modified passwords is successful.
Clone Of:
Environment:
Last Closed: 2013-02-21 08:18:19 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 45 0 None None None 2020-09-13 19:47:35 UTC
Red Hat Product Errata RHSA-2013:0503 0 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2013-02-21 08:18:44 UTC

Description Nathan Kinder 2012-06-20 17:51:32 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/45

https://bugzilla.redhat.com/show_bug.cgi?id=703311

{{{
Description of problem:

Password Policy Entry:
  dn: cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com",
   cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
  ...
  passwordInHistory: 6
  passwordHistory: on
  ...

$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w testpassword
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword
userPassword: testpassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"
ldap_modify: Constraint violation (19)
        additional info: password in history

Note: if the value is not given, you can delete the password(s).
$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w testpassword
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"

Place where the Constraint violation is being set:
(gdb) bt
#0  check_pw_syntax_ext (pb=0x22b8ac0, sdn=0x7f6750eefbc0,
    vals=0x7f671c008590, old_pw=0x7f6750ef1c68, e=0x7f671c001630, mod_op=1,
    smods=0x7f6750ef1c70) at ldap/servers/slapd/pw.c:1014
#1  0x0000003542689980 in op_shared_allow_pw_change (pb=0x22b8ac0,
    mod=0x7f671c0044d0, old_pw=0x7f6750ef1c68, smods=0x7f6750ef1c70)
    at ldap/servers/slapd/modify.c:1165
#2  0x0000003542687aa6 in do_modify (pb=0x22b8ac0)
    at ldap/servers/slapd/modify.c:353
#3  0x0000000000413ac4 in connection_dispatch_operation (conn=0x7f67522fd410,
    op=0x2658b10, pb=0x22b8ac0) at ldap/servers/slapd/connection.c:583
#4  0x00000000004152d4 in connection_threadmain ()
    at ldap/servers/slapd/connection.c:2328
#5  0x0000003262429633 in _pt_root (arg=0x2652ea0)
    at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:187
#6  0x0000003252807761 in start_thread (arg=0x7f6750ef2700)
    at pthread_create.c:301
#7  0x00000032520e098d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

(gdb) p **va
$3 = {bv = {bv_len = 46,
    bv_val = 0x7f671c000a20 "{SSHA}hUBeG9p/rwgLj7WmNZwJcganEQ8eWvLYPsOQ2w=="},
  v_csnset = 0x7f671c003880, v_flags = 0}
(gdb) p *vals[0]
$5 = {bv = {bv_len = 12, bv_val = 0x7f671c007160 "testpassword"},
  v_csnset = 0x0, v_flags = 0}
}}}
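
The backtrace above shows the password-history check in check_pw_syntax_ext firing for a modify whose mod_op is 1 (LDAP_MOD_DELETE), with the stored {SSHA} value being compared against the cleartext value supplied in the delete. The following Python model is an added illustration of that comparison and of why a delete must bypass the history check; it is not 389-ds-base code and not the project's actual patch, and its `fixed` flag, value layout and sample salt are constructed assumptions.

```python
import base64
import hashlib
import os

# LDAP modify operation codes (ldap.h); the gdb frame shows mod_op=1, a delete.
LDAP_MOD_ADD, LDAP_MOD_DELETE, LDAP_MOD_REPLACE = 0, 1, 2
LDAP_SUCCESS, LDAP_CONSTRAINT_VIOLATION = 0, 19


def ssha_hash(password: bytes, salt=None) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_matches(stored: str, candidate: bytes) -> bool:
    """Compare a cleartext candidate against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(candidate + salt).digest() == digest


def check_pw_syntax(mod_op, vals, history, history_on=True, fixed=True):
    """Model (constructed, not the server's code) of the history portion of
    check_pw_syntax_ext. `history` holds {SSHA} values (current password plus
    passwordHistory). Returns (rc, additional info) like the LDAP result."""
    if fixed and mod_op == LDAP_MOD_DELETE:
        # Removing a credential cannot reintroduce an old one, so the
        # "password in history" rule has nothing to enforce on a delete.
        return LDAP_SUCCESS, ""
    if history_on:
        for v in vals:                          # an empty vals list (no value given) passes
            if any(ssha_matches(h, v) for h in history):
                return LDAP_CONSTRAINT_VIOLATION, "password in history"
    return LDAP_SUCCESS, ""


if __name__ == "__main__":
    stored = ssha_hash(b"testpassword")
    # Unfixed behaviour from the report: delete with the value -> error 19.
    print(check_pw_syntax(LDAP_MOD_DELETE, [b"testpassword"], [stored], fixed=False))
    # Fixed behaviour: the delete succeeds; a replace with the same value still fails.
    print(check_pw_syntax(LDAP_MOD_DELETE, [b"testpassword"], [stored]))
    print(check_pw_syntax(LDAP_MOD_REPLACE, [b"testpassword"], [stored]))
```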

Comment 1 Noriko Hosoi 2012-06-27 01:22:58 UTC
Steps to verify:

Acceptance Password (pwdpolicy/pwpolicy):
trac45

Comment 2 RHEL Program Management 2012-07-10 07:10:22 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 RHEL Program Management 2012-07-10 23:01:24 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 5 Ján Rusnačko 2012-11-12 15:25:07 UTC
IP=192.168.122.185
PORT=22222
ROOT="dc=example,dc=com"
TESTPEOPLE_DN="ou=people,$ROOT"

1) Add user
[jrusnack@dstet dstet]$ ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: uid=test_user0,$TESTPEOPLE_DN
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
uid: test_user0
cn: test0
sn: user0
userPassword: password
EOF

adding new entry "uid=test_user0,ou=people,dc=example,dc=com"

2) Add local password policy
[jrusnack@dstet dstet]$ /usr/lib64/dirsrv/slapd-dstet/ns-newpwpolicy.pl -D "cn=directory manager" -w Secret123 -p $PORT -h $IP -S "$TESTPEOPLE_DN"

adding new entry "cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=cn\=nsPwTemplateEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=nsPwPolicy_cos,ou=people,dc=example,dc=com"

modifying entry "cn=config"

3) Set passwordHistory
[jrusnack@dstet dstet]$ ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: modify
replace: passwordHistory
passwordhistory: on
-
replace: passwordInHistory
passwordInHistory: 6
-
replace: passwordChange
passwordChange: on
EOF

modifying entry "cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

4) Restart
/usr/lib64/dirsrv/slapd-dstet/restart-slapd

5) Verify
[jrusnack@dstet dstet]$ ldapmodify -x -h $IP -p $PORT -D "uid=test_user0,$TESTPEOPLE_DN" -w password -v <<EOF
dn: uid=test_user0,$TESTPEOPLE_DN
changetype: modify
delete: userPassword
userPassword: password
EOF

ldap_initialize( ldap://192.168.122.185:22222 )
delete userPassword:
	password
modifying entry "uid=test_user0,ou=people,dc=example,dc=com"
ldap_modify: Insufficient access (50)
	additional info: Insufficient 'write' privilege to the 'unhashed#user#password' attribute of entry 'uid=test_user0,ou=people,dc=example,dc=com'.

Version:

[jrusnack@dstet dstet]$ rpm -qa | grep 389
389-ds-base-libs-1.2.11.15-3.el6.x86_64
389-ds-base-1.2.11.15-3.el6.x86_64

Additional info: see trac ticket #455 https://fedorahosted.org/389/ticket/455

Comment 6 Noriko Hosoi 2012-11-12 18:33:10 UTC
The Milestone of the ticket #455 is 1.3.0.rc1.  So, the fix is not included in 1.2.11.

ticket #455 https://fedorahosted.org/389/ticket/455
Milestone: 	1.3.0.rc1

They are related, but #45 and #455 are two different bugs...

Comment 7 Nathan Kinder 2012-11-17 01:08:14 UTC
Putting this back into ON_QA state.  The original issue was fixed as a part of ticket #45, and ticket #455 is being dealt with in a later release of RHEL.

Comment 8 Ján Rusnačko 2012-11-19 10:59:22 UTC
520|0 136 19111 1 1|trac45: resetting the test env
520|0 136 19111 1 2|trac45: add a test user uid=tuser0,ou=people,dc=example,dc=com
520|0 136 19111 1 3|trac45: add a fine grained password policy for the user
520|0 136 19111 1 4|trac45: set password history on
520|0 136 19111 1 5|trac45: delete userpassword
520|0 136 19111 1 6|trac45: add the same userpassword
520|0 136 19111 1 7|trac45: replace userpassword with the same one again
520|0 136 19111 1 8|trac45: set password history off
520|0 136 19111 1 9|trac45: removing the test user
520|0 136 19111 1 10|TestCase [trac45] result-> [PASS]
220|0 136 0 05:44:13|PASS

DS version: 389-ds-base-1.2.11.15-4.el6.x86_64

VERIFIED

Comment 10 errata-xmlrpc 2013-02-21 08:18:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html

