Issue #45: Fine Grained Password policy: if passwordHistory is on, deleting the password fails. - 389-ds-base

389-ds-base

#45 Fine Grained Password policy: if passwordHistory is on, deleting the password fails.

Closed: wontfix None Opened 12 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=703311

Description of problem:

Password Policy Entry:
  dn: cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com",
   cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
  ...
  passwordInHistory: 6
  passwordHistory: on
  ...

$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w
testpassword
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword
userPassword: testpassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"
ldap_modify: Constraint violation (19)
        additional info: password in history

Note: if the value is not given, you can delete the password(s).
$ ldapmodify -x -h localhost -p 389 -D 'uid=nd,ou=People,dc=example,dc=com' -w
testpassword
dn: uid=nd, ou=People, dc=example, dc=com
changetype: modify
delete: userPassword

modifying entry "uid=nd, ou=People, dc=example, dc=com"

Place the Constraint violation is being set:
(gdb) bt
#0  check_pw_syntax_ext (pb=0x22b8ac0, sdn=0x7f6750eefbc0,
    vals=0x7f671c008590, old_pw=0x7f6750ef1c68, e=0x7f671c001630, mod_op=1,
    smods=0x7f6750ef1c70) at ldap/servers/slapd/pw.c:1014
#1  0x0000003542689980 in op_shared_allow_pw_change (pb=0x22b8ac0,
    mod=0x7f671c0044d0, old_pw=0x7f6750ef1c68, smods=0x7f6750ef1c70)
    at ldap/servers/slapd/modify.c:1165
#2  0x0000003542687aa6 in do_modify (pb=0x22b8ac0)
    at ldap/servers/slapd/modify.c:353
#3  0x0000000000413ac4 in connection_dispatch_operation (conn=0x7f67522fd410,
    op=0x2658b10, pb=0x22b8ac0) at ldap/servers/slapd/connection.c:583
#4  0x00000000004152d4 in connection_threadmain ()
    at ldap/servers/slapd/connection.c:2328
#5  0x0000003262429633 in _pt_root (arg=0x2652ea0)
    at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:187
#6  0x0000003252807761 in start_thread (arg=0x7f6750ef2700)
    at pthread_create.c:301
#7  0x00000032520e098d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

(gdb) p **va
$3 = {bv = {bv_len = 46,
    bv_val = 0x7f671c000a20 "{SSHA}hUBeG9p/rwgLj7WmNZwJcganEQ8eWvLYPsOQ2w=="},
  v_csnset = 0x7f671c003880, v_flags = 0}
(gdb) p *vals[0]
$5 = {bv = {bv_len = 12, bv_val = 0x7f671c007160 "testpassword"},
  v_csnset = 0x0, v_flags = 0}

nhosoi commented 12 years ago

git patch file (master)
0001-Trac-Ticket-45-Fine-Grained-Password-policy.patch

nhosoi commented 12 years ago

Bug description: To allow replicating unhashed password, an internal
entry contains the key value pair when the entry is newly added or
the password is updated. In that case, deleting the userpassword
attribute leaves the unhashed password in the internal entry.
If you attempt to add a new userpassword, the remaining unhashed
password makes the attempt fail due to LDAP_TYPE_OR_VALUE_EXISTS.

Fix description: This patch cleans up the unhashed password if a
userpassword is deleted and the unhashed password is found in the
internal entry. If it does not exist, the deletion does nothing.
(If the entry is read from the database, the unhashed password
does not exist in the internal entry since it is not stored in
the database.)

mreynolds commented 12 years ago

Looks good, ack.

nhosoi commented 12 years ago

Reviewed by Rich (Thanks!!)

Pushed to master.

$ git merge work
Updating 453eb97..b8e6b13
Fast-forward
ldap/servers/slapd/entry.c | 24 +++++++++++++++++-----
ldap/servers/slapd/entrywsi.c | 20 ++++++++++++++----
ldap/servers/slapd/modify.c | 37 +++++++++++++++++++++++------------
ldap/servers/slapd/pw.c | 16 ++++++++++++++-
ldap/servers/slapd/slapi-private.h | 1 +
5 files changed, 73 insertions(+), 25 deletions(-)

$ git push
Counting objects: 69, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (29/29), done.
Writing objects: 100% (29/29), 4.99 KiB, done.
Total 29 (delta 25), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
453eb97..b8e6b13 master -> master

I'm also changing the Milestone to 1.2.11.rc1.

nkinder commented 11 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=834047

nkinder commented 11 years ago

Added initial screened field value.

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.rc1

7 years ago

spichugi commented 3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/45

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago

Metadata

Assignee

nhosoi

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

1.2.11.rc1

reviewstatus

ack

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=703311
https://bugzilla.redhat.com/show_bug.cgi?id=834047

origin

None

389-ds-base

Source Code

#45 Fine Grained Password policy: if passwordHistory is on, deleting the password fails. Closed: wontfix None Opened 12 years ago by mkosek.

Metadata

#45 Fine Grained Password policy: if passwordHistory is on, deleting the password fails.

Closed: wontfix None Opened 12 years ago by mkosek.