See also related https://fedorahosted.org/389/ticket/45.
Steps to reproduce:
1) Set local password policy entry:
dn: cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com", cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
...
passwordStorageScheme: CLEAR
passwordChange: on
...
2) Add new user to ou=People,dc=example,dc=com
ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager -a <<EOF
dn: uid=test_user1,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
uid: test_user1
cn: test1
sn: user1
userPassword: testpassword
EOF
3) Try to delete user's password:
ldapmodify -h localhost -p 389 -D "uid=test_user1,ou=People,dc=example,dc=com" -w testpassword <<EOF
dn: uid=test_user0,ou=People,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: testpassword
EOF
Deleting password with password supplied for user uid=test_user0,ou=People,dc=example,dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'unhashed#user#password' attribute of entry 'uid=test_user0,ou=People,dc=example,dc=com'.
DS version: 389-ds-base-1.2.11.13-1.el6.x86_64
This is already covered by pwdmodify/pwdmodify-qa.sh bug834047_1
git patch file (master) 0001-Trac-Ticket-455-Insufficient-rights-to-unhashed-user.patch
Bug Description: Setting CLEAR to the passwordStorageScheme, then deleting a userpassword with the value fails due to the lack of right to delete the corresponding pseudo attribute.
Fix Description: Skip evaluating the aci of the pseudo attribute in the deletion, as is done in the replacement.
Reviewed by Rich (Thank you!!)
Pushed to master.
$ git merge trac455
Updating 53e16ed..d6d9d07
Fast-forward
 ldap/servers/plugins/acl/acl.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)
$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 920 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   53e16ed..d6d9d07  master -> master
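The bug and fix descriptions above, as a simplified model added here for illustration; it is not code from 389-ds-base or from the patch. It assumes the server carries the clear-text value in a companion modification on the pseudo attribute named in the error message; `expand_mods`, `check_mods` and the sample rights are hypothetical.

```python
# Simplified model of per-modification ACI checks (not the acl.c source).
PSEUDO_ATTR = "unhashed#user#password"  # name taken from the error message above

SKIP_BEFORE_FIX = {"replace"}           # pseudo attribute skipped on replace only
SKIP_AFTER_FIX = {"replace", "delete"}  # fix: skip it on delete as well


def expand_mods(mods):
    """Assumption: each userPassword mod is paired with a pseudo-attribute mod."""
    expanded = []
    for op, attr, value in mods:
        expanded.append((op, attr, value))
        if attr.lower() == "userpassword":
            expanded.append((op, PSEUDO_ATTR, value))
    return expanded


def check_mods(mods, writable_attrs, skip_ops):
    """Return (allowed, denied_attr).

    Every modification needs 'write' on its attribute. The pseudo attribute
    is exempt only for the operations listed in skip_ops; real attributes
    are always evaluated.
    """
    for op, attr, _value in expand_mods(mods):
        if attr == PSEUDO_ATTR and op in skip_ops:
            continue
        if attr.lower() not in writable_attrs:
            return False, attr
    return True, None


# Constructed rights: the bound user may write userPassword and nothing else.
SELF_WRITE = {"userpassword"}
DELETE_PW = [("delete", "userPassword", "testpassword")]
REPLACE_PW = [("replace", "userPassword", "newpassword")]

if __name__ == "__main__":
    print("delete, before fix :", check_mods(DELETE_PW, SELF_WRITE, SKIP_BEFORE_FIX))
    print("delete, after fix  :", check_mods(DELETE_PW, SELF_WRITE, SKIP_AFTER_FIX))
    print("replace, before fix:", check_mods(REPLACE_PW, SELF_WRITE, SKIP_BEFORE_FIX))
    # The skip must not widen access: no write right on userPassword still fails.
    print("delete, no rights  :", check_mods(DELETE_PW, set(), SKIP_AFTER_FIX))
```

In this model the skip applies only to the pseudo attribute, so the ACI on userPassword itself remains the control that decides whether the delete is allowed.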
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=918701
Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.0.rc1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/455
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)