Ticket #142 (closed enhancement: fixed)

Opened 4 years ago

Last modified 5 months ago

[RFE] Default password syntax settings don't work with fine-grained policies

Reported by: mkosek Owned by: nhosoi
Priority: major Milestone: 1.3.5.0
Component: Security - Password Policy Version:
Keywords: Cc:
Blocked By: Blocking:
Review: ack Ticket origin: Community
Red Hat Bugzilla: 190862

Description

https://bugzilla.redhat.com/show_bug.cgi?id=190862

When using a global password policy for syntax checking, there are some default
settings that will be used (such as a minimum length of 8) if the config
attributes don't exist in cn=config.  This doesn't seem to work with the
fine-grained policies.

Here are some steps to reproduce the problem:

 1. - Enable global syntax checking, setting the minLength to 6.
 2. - Enable fine-grained password policies.
 3. - Create a subtree-level policy on "ou=People", enabling syntax checking
      with the default values (minLength will be displayed as 8 in Console).
 4. - Attempt to change a password of a user outside of "ou=People" with a
      password of 5 characters long.  This should be rejected with an err=19.
 5. - Try step 4 again, but with a password length of 6 characters.  This
      should work.
 6. - Try step 4 again, but with a user inside of "ou=People".  This should
      fail with an err=19, but it will succeed!

To work around the problem, you can add the password syntax attributes to the
fine-grained policy entry explicitly.  This can be done via the Console UI by
setting each of the syntax settings to a non-default value, saving it, then
setting them to what you want (even if you want the defaults) and saving again.

Attachments

0001-Ticket-142-RFE-Default-password-syntax-settings-don-.patch (8.8 KB) - added by nhosoi 5 months ago.
git patch file (master)
0002-Ticket-142-CI-test-added-test-cases-for-ticket-142.patch (14.4 KB) - added by nhosoi 5 months ago.
git patch file (master) -- CI test

Change History

comment:1 Changed 4 years ago by rmeggins

  • Milestone changed from NEEDS_TRIAGE to FUTURE

batch update moving tickets to future

comment:2 Changed 4 years ago by rmeggins

  • Owner rmeggins deleted

comment:3 Changed 4 years ago by rmeggins

  • Ticket origin set to Community

set default ticket origin to Community

comment:4 Changed 4 years ago by nkinder

  • screened set to 1

Added initial screened field value.

comment:5 Changed 5 months ago by nhosoi

  • Milestone changed from FUTURE to 1.3.5 eval

comment:6 Changed 5 months ago by nhosoi

  • Owner set to nhosoi
  • Status changed from new to accepted

Changed 5 months ago by nhosoi

git patch file (master)

Changed 5 months ago by nhosoi

git patch file (master) -- CI test

comment:7 Changed 5 months ago by nhosoi

  • Review changed from Needs Review to review?
  • Milestone changed from 1.3.5 eval to 1.3.5.0

comment:8 Changed 5 months ago by firstyear

  • Review changed from review? to ack

Built and tested, looks good to me.

comment:9 Changed 5 months ago by nhosoi

  • Status changed from accepted to closed
  • Resolution set to fixed

Reviewed by William (Thank you!!)

Pushed to master:

f132cf4..f5b9053 master -> master
commit af1fc5e7711185d921ffb67f6d4a870dfa3bbcde
commit 1c3fa84d3ef74c660ee0743e2d5516d066f948b7

Note: See TracTickets for help on using tickets.