Bug 834047 - Fine Grained Password policy: if passwordHistory is on, deleting the password fails.
Fine Grained Password policy: if passwordHistory is on, deleting the password...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
6.4
Unspecified Unspecified
high Severity unspecified
: rc
: ---
Assigned To: Rich Megginson
Sankar Ramalingam
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-20 13:51 EDT by Nathan Kinder
Modified: 2013-02-21 03:18 EST (History)
3 users (show)

See Also:
Fixed In Version: 389-ds-base-1.2.11.12-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Internal access control prohibited deleting newly added/modified passwords. Consequence: Falied to delete newly added/modified passwords. Fix: Allow the password deletion if the operation has the modify right. Result: Deleting newly added/modified passwords is successful.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:18:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nathan Kinder 2012-06-20 13:51:32 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/45

https://bugzilla.redhat.com/show_bug.cgi?id=703311

{{{
Description of problem:

Password Policy Entry:
  dn: cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com",
   cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
  ...
  passwordInHistory: 6
  passwordHistory: on
  ...

$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w
testpassword
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword
userPassword: testpassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"
ldap_modify: Constraint violation (19)
        additional info: password in history

Note: if the value is not given, you can delete the password(s).
$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w
testpassword
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"

Place the Constraint violation is being set:
(gdb) bt
#0  check_pw_syntax_ext (pb=0x22b8ac0, sdn=0x7f6750eefbc0,
    vals=0x7f671c008590, old_pw=0x7f6750ef1c68, e=0x7f671c001630, mod_op=1,
    smods=0x7f6750ef1c70) at ldap/servers/slapd/pw.c:1014
#1  0x0000003542689980 in op_shared_allow_pw_change (pb=0x22b8ac0,
    mod=0x7f671c0044d0, old_pw=0x7f6750ef1c68, smods=0x7f6750ef1c70)
    at ldap/servers/slapd/modify.c:1165
#2  0x0000003542687aa6 in do_modify (pb=0x22b8ac0)
    at ldap/servers/slapd/modify.c:353
#3  0x0000000000413ac4 in connection_dispatch_operation (conn=0x7f67522fd410,
    op=0x2658b10, pb=0x22b8ac0) at ldap/servers/slapd/connection.c:583
#4  0x00000000004152d4 in connection_threadmain ()
    at ldap/servers/slapd/connection.c:2328
#5  0x0000003262429633 in _pt_root (arg=0x2652ea0)
    at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:187
#6  0x0000003252807761 in start_thread (arg=0x7f6750ef2700)
    at pthread_create.c:301
#7  0x00000032520e098d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

(gdb) p **va
$3 = {bv = {bv_len = 46,
    bv_val = 0x7f671c000a20 "{SSHA}hUBeG9p/rwgLj7WmNZwJcganEQ8eWvLYPsOQ2w=="},
  v_csnset = 0x7f671c003880, v_flags = 0}
(gdb) p *vals[0]
$5 = {bv = {bv_len = 12, bv_val = 0x7f671c007160 "testpassword"},
  v_csnset = 0x0, v_flags = 0}
}}}
Comment 1 Noriko Hosoi 2012-06-26 21:22:58 EDT
Steps to verify:

Acceptance Password (pwdpolicy/pwpolicy):
trac45
Comment 2 RHEL Product and Program Management 2012-07-10 03:10:22 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 3 RHEL Product and Program Management 2012-07-10 19:01:24 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 5 Ján Rusnačko 2012-11-12 10:25:07 EST
IP=192.168.122.185
PORT=22222
ROOT="dc=example,dc=com"
TESTPEOPLE_DN="ou=people,$ROOT"

1) Add user
[jrusnack@dstet dstet]$ ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: uid=test_user0,$TESTPEOPLE_DN
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
uid: test_user0
cn: test0
sn: user0
userPassword: password
EOF

adding new entry "uid=test_user0,ou=people,dc=example,dc=com"

2) Add local password policy
[jrusnack@dstet dstet]$ /usr/lib64/dirsrv/slapd-dstet/ns-newpwpolicy.pl -D "cn=directory manager" -w Secret123 -p $PORT -h $IP -S "$TESTPEOPLE_DN"

adding new entry "cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=cn\=nsPwTemplateEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

adding new entry "cn=nsPwPolicy_cos,ou=people,dc=example,dc=com"

modifying entry "cn=config"

3) Set passwordHistory
[jrusnack@dstet dstet]$ ldapmodify -h $IP -p $PORT -D "cn=directory manager" -w Secret123 -a <<EOF
dn: cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: modify
replace: passwordHistory
passwordhistory: on
-
replace: passwordInHistory
passwordInHistory: 6
-
replace: passwordChange
passwordChange: on
EOF

modifying entry "cn=cn\=nsPwPolicyEntry\,ou\=people\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"

4) Restart
/usr/lib64/dirsrv/slapd-dstet/restart-slapd

5) Verify
[jrusnack@dstet dstet]$ ldapmodify -x -h $IP -p $PORT -D "uid=test_user0,$TESTPEOPLE_DN" -w password -v <<EOF
dn: uid=test_user0,$TESTPEOPLE_DN
changetype: modify
delete: userPassword
userPassword: password
EOF

ldap_initialize( ldap://192.168.122.185:22222 )
delete userPassword:
	password
modifying entry "uid=test_user0,ou=people,dc=example,dc=com"
ldap_modify: Insufficient access (50)
	additional info: Insufficient 'write' privilege to the 'unhashed#user#password' attribute of entry 'uid=test_user0,ou=people,dc=example,dc=com'.

Version:

[jrusnack@dstet dstet]$ rpm -qa | grep 389
389-ds-base-libs-1.2.11.15-3.el6.x86_64
389-ds-base-1.2.11.15-3.el6.x86_64

Additional info: see trac ticket #455 https://fedorahosted.org/389/ticket/455
Comment 6 Noriko Hosoi 2012-11-12 13:33:10 EST
The Milestone of the ticket #455 is 1.3.0.rc1.  So, the fix is not included in 1.2.11.

ticket #455 https://fedorahosted.org/389/ticket/455
Milestone: 	1.3.0.rc1

They are related, but #45 and #455 are different 2 bugs...
Comment 7 Nathan Kinder 2012-11-16 20:08:14 EST
Putting this back into ON_QA state.  The original issue was fixed as a part of ticket #45, and ticket #455 is being dealt with in a later release of RHEL.
Comment 8 Ján Rusnačko 2012-11-19 05:59:22 EST
520|0 136 19111 1 1|trac45: resetting the test env
520|0 136 19111 1 2|trac45: add a test user uid=tuser0,ou=people,dc=example,dc=com
520|0 136 19111 1 3|trac45: add a fine grained password policy for the user
520|0 136 19111 1 4|trac45: set password history on
520|0 136 19111 1 5|trac45: delete userpassword
520|0 136 19111 1 6|trac45: add the same userpassword
520|0 136 19111 1 7|trac45: replace userpassword with the same one again
520|0 136 19111 1 8|trac45: set password history off
520|0 136 19111 1 9|trac45: removing the test user
520|0 136 19111 1 10|TestCase [trac45] result-> [PASS]
220|0 136 0 05:44:13|PASS

DS version: 389-ds-base-1.2.11.15-4.el6.x86_64

VERIFIED
Comment 10 errata-xmlrpc 2013-02-21 03:18:19 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html

Note You need to log in before you can comment on or make changes to this bug.