Ticket #142 (new enhancement)

Opened 2 years ago

Last modified 21 months ago

[RFE] Default password syntax settings don't work with fine-grained policies

Reported by: mkosek
Owned by:
Priority: major
Milestone: FUTURE
Component: Security - Password Policy
Version:
Keywords:
Cc:
Blocked By:
Blocking:
Review: Needs Review
Ticket origin: Community
Red Hat Bugzilla: 190862

Description

https://bugzilla.redhat.com/show_bug.cgi?id=190862

When using a global password policy for syntax checking, there are some default
settings that will be used (such as a minimum length of 8) if the config
attributes don't exist in cn=config.  This doesn't seem to work with the
fine-grained policies.

Here are some steps to reproduce the problem:

 1. Enable global syntax checking, setting the minLength to 6.
 2. Enable fine-grained password policies.
 3. Create a subtree-level policy on "ou=People", enabling syntax checking
    with the default values (minLength will be displayed as 8 in Console).
 4. Attempt to change the password of a user outside of "ou=People" to a
    password 5 characters long.  This should be rejected with an err=19.
 5. Try step 4 again, but with a password length of 6 characters.  This
    should work.
 6. Try step 4 again, but with a user inside of "ou=People".  This should
    fail with an err=19, but it will succeed!

To work around the problem, you can add the password syntax attributes to the
fine-grained policy entry explicitly.  This can be done via the Console UI by
setting each of the syntax settings to a non-default value, saving it, then
setting them to what you want (even if you want the defaults) and saving again.
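
An added example, not part of the ticket or the project's code: a Python check that scans an LDIF export for policy entries with syntax checking enabled but no explicit syntax attributes, which is the state the workaround above removes. The DNs, the sample LDIF and the list of attributes checked are assumptions constructed for illustration; the ticket names only minLength.

```python
# Added example (not project code). Assumption: which attributes count as
# "syntax attributes"; the ticket itself names only the minimum length.
SYNTAX_ATTRS = ("passwordminlength", "passwordmindigits",
                "passwordminalphas", "passwordmincategories")

# Constructed sample export; DNs and values are illustrative.
SAMPLE_LDIF = """\
dn: cn=people-policy,cn=nsPwPolicyContainer,ou=People,
 dc=example,dc=com
passwordCheckSyntax: on

dn: cn=groups-policy,cn=nsPwPolicyContainer,ou=Groups,dc=example,dc=com
passwordCheckSyntax: on
passwordMinLength: 8
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinCategories: 3
"""

def parse_ldif(text):
    """Return [(dn, {lowercased attr: [values]})] from plain-text LDIF."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
        elif not raw.strip() and lines:     # blank line closes the entry
            attrs = {}
            for line in lines:
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
            entries.append((attrs.get("dn", [""])[0], attrs))
            lines = []
    return entries

def find_implicit_defaults(text):
    """Map DN -> syntax attributes missing from entries with checking on."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        enabled = [v.lower() for v in attrs.get("passwordchecksyntax", [])]
        missing = [a for a in SYNTAX_ATTRS if a not in attrs]
        if enabled == ["on"] and missing:
            findings[dn] = missing
    return findings

if __name__ == "__main__":
    for dn, missing in find_implicit_defaults(SAMPLE_LDIF).items():
        print(f"{dn}: add explicitly -> {', '.join(missing)}")
```

Entries it reports are the ones to fix by writing the intended values into the policy entry, as the workaround describes.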

Change History

comment:1 Changed 2 years ago by rmeggins

  • Milestone changed from NEEDS_TRIAGE to FUTURE

batch update moving tickets to future

comment:2 Changed 2 years ago by rmeggins

  • Owner rmeggins deleted

comment:3 Changed 21 months ago by rmeggins

  • Ticket origin set to Community

set default ticket origin to Community

comment:4 Changed 20 months ago by nkinder

  • screened set to 1

Added initial screened field value.
