This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47389

Steps:
 . Using default password policy: stored in SSHA
 . Give ACI to update all attributes including userpassword.
   aci: (targetattr ="*")(version 3.0;acl "allow all";allow (all) userdn="ldap:///anyone";)
 . Let uid=tuser0 replace other user uid=tuser1's userpassword as follows:
{{{
$ldapmodify ... -D "uid=tuser0,dc=example,dc=com" -w password << EOF
dn: uid=Nuser1,dc=example,dc=com
changetype: modify
replace: userpassword
userpassword: {CLEAR}newuser1
EOF
}}}
Then, tuser1's password is stored as clear text.
{{{
$ldapsearch ... userpassword
dn: uid=Nuser1,dc=example,dc=com
userpassword: newuser1
}}}

Expected result: An ordinary user should not be allowed to override the password policy.
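An audit check for the condition reported above, as an added example that is not part of the original bug report or of 389 Directory Server: it scans `ldapsearch` LDIF output for `userpassword` values not stored under an allowed scheme. The function name, the sample entries and the default allowed set (`SSHA`, taken from the policy named in the report) are assumptions.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample LDIF (not from the bug report); hash strings are placeholders.
_FOLDED = _b64("{SSHA}PLACEHOLDERHASH")
SAMPLE_LDIF = "\n".join([
    "dn: uid=tuser0,dc=example,dc=com", "userpassword: {SSHA}PLACEHOLDERHASH", "",
    "dn: uid=tuser1,dc=example,dc=com", "userpassword: newuser1", "",
    # Base64-encoded value (attr::) that decodes to a {CLEAR} password.
    "dn: uid=tuser2,dc=example,dc=com", "userPassword:: " + _b64("{CLEAR}constructed"), "",
    # Folded line: the continuation starts with a single space.
    "dn: uid=tuser3,dc=example,dc=com", "userPassword:: " + _FOLDED[:10], " " + _FOLDED[10:], "",
])

def audit_userpassword(ldif_text, allowed_schemes=("SSHA",)):
    """Return (dn, scheme) for every userPassword value outside allowed_schemes.

    scheme is None when the stored value has no {SCHEME} prefix at all.
    Password values themselves are never returned.
    """
    allowed = {s.upper() for s in allowed_schemes}
    findings = []
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    dn = None
    for line in unfolded.splitlines():
        if not line:  # blank line ends an entry
            dn = None
            continue
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        is_b64 = rest.startswith(":")  # "attr:: value" means base64
        value = rest[1:].strip() if is_b64 else rest.strip()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        name = attr.split(";")[0].lower()
        if name == "dn":
            dn = value
        elif name == "userpassword":
            m = SCHEME_RE.match(value)
            scheme = m.group(1).upper() if m else None
            if scheme not in allowed:
                findings.append((dn, scheme))
    return findings
```
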
Thanks Nathan, I am marking bug as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0416.html