Ticket #142 (new enhancement)
[RFE] Default password syntax settings don't work with fine-grained policies
| Reported by: | mkosek | Owned by: | |
| Component: | Security - Password Policy | Version: | |
| Review: | Needs Review | Ticket origin: | Community |
| Red Hat Bugzilla: | 190862 | Screened: | yes |
When using a global password policy for syntax checking, there are some default settings that will be used (such as a minimum length of 8) if the config attributes don't exist in cn=config. This doesn't seem to work with the fine-grained policies.

Here are some steps to reproduce the problem:

1. Enable global syntax checking, setting the minLength to 6.
2. Enable fine-grained password policies.
3. Create a subtree-level policy on "ou=People", enabling syntax checking with the default values (minLength will be displayed as 8 in Console).
4. Attempt to change a password of a user outside of "ou=People" with a password that is 5 characters long. This should be rejected with an err=19.
5. Try step 4 again, but with a password length of 6 characters. This should work.
6. Try step 4 again, but with a user inside of "ou=People". This should fail with an err=19, but it will succeed!

To work around the problem, you can add the password syntax attributes to the fine-grained policy entry explicitly. This can be done via the Console UI by setting each of the syntax settings to a non-default value, saving it, then setting them to what you want (even if you want the defaults) and saving again.
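A check for the condition behind the workaround above, as an added example that is not part of the ticket or the project's code: it scans an LDIF export of fine-grained policy entries and reports those that enable syntax checking without carrying the syntax attributes explicitly. The sample LDIF and its DNs are constructed, and the attribute list is an assumed subset of the 389 Directory Server password syntax attributes.

```python
# Added example: flag fine-grained policies that rely on implicit syntax defaults.
# Assumed subset of the password syntax attributes (lower-cased for matching).
SYNTAX_ATTRS = ("passwordminlength", "passwordmindigits", "passwordminalphas")

# Constructed sample export (not from the ticket); the second DN is line-folded.
SAMPLE_LDIF = r"""
dn: cn=cn\=nsPwPolicyEntry\,ou\=People\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
objectClass: passwordpolicy
passwordCheckSyntax: on

dn: cn=cn\=nsPwPolicyEntry\,ou\=Staff\,dc\=example\,dc\=com,
 cn=nsPwPolicyContainer,ou=Staff,dc=example,dc=com
objectClass: passwordpolicy
passwordCheckSyntax: on
passwordMinLength: 8
passwordMinDigits: 0
passwordMinAlphas: 0

dn: cn=cn\=nsPwPolicyEntry\,ou\=Lab\,dc\=example\,dc\=com,cn=nsPwPolicyContainer,ou=Lab,dc=example,dc=com
objectClass: passwordpolicy
passwordCheckSyntax: off
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from plain LDIF (base64 '::' values not decoded)."""
    entries = []
    # Undo LDIF line folding first, then split entries on blank lines.
    for block in text.replace("\n ", "").split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if name.strip().lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.strip().lower(), []).append(value.strip().lower())
        if dn:
            entries.append((dn, attrs))
    return entries

def audit(text):
    """Map policy DN -> syntax attributes absent while passwordCheckSyntax is on."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        checked = attrs.get("passwordchecksyntax") == ["on"]
        if "passwordpolicy" in attrs.get("objectclass", []) and checked:
            missing = [a for a in SYNTAX_ATTRS if a not in attrs]
            if missing:
                findings[dn] = missing
    return findings
```

Entries reported by `audit()` are the ones to fix with the workaround: write the listed attributes into the policy entry explicitly, even when the intended values are the defaults.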