When using subtree password policies, each policy uses the same cosAttribute, and when we request the pwdpolicysubentry attribute, COS returns the first matching definition(regardless of the parent of the target entry).
Example:
Password policies set on the following branches, with an entry under each branch:
ou=lower,ou=people,dc=example,dc=com ou=lower,ou=lower,ou=people,dc=example,dc=com ou=lower,ou=lower,ou=lower,ou=people,dc=example,dc=com
Then search each entry to see what password policy is inherited through COS:
ldapsearch ... -b "dc=example,dc=com" -xLLL uid=* pwdpolicysubentry dn: uid=user2,ou=lower,ou=People,dc=example,dc=com pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dlower\2Cou\3DPeople\2Cdc\3De xample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=lower,ou=People,dc=example,dc=com dn: uid=user3,ou=lower,ou=lower,ou=People,dc=example,dc=com pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dlower\2Cou\3DPeople\2Cdc\3De xample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=lower,ou=People,dc=example,dc=com dn: uid=user4,ou=lower,ou=lower,ou=lower,ou=People,dc=example,dc=com pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry\2Cou\3Dlower\2Cou\3DPeople\2Cdc\3De xample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=lower,ou=People,dc=example,dc=com
COS pointer definitions are suppose to be applied to the branch on which they exist, but this does not appear to be happening correctly when using the same cosAttribute.
attachment 0001-Ticket-47980-Nested-COS-definitions-can-be-incorrect.patch
It does not change the result, but for the code readability, it'd be nice to remove the indentation of the line 3065 & 3066 (or put 3063 ~ 3066 in '{' and '}'). Thanks! BTW, you already have my ack. {{{ 3064 3060 / Now compare the names of the attributes / 3065 3061 com_Result = slapi_utf8casecmp((unsigned char)((cosAttributes)e1)->pAttrName,(unsigned char)((cosAttributes)e2)->pAttrName); 3066 3062 if(0 == com_Result) 3063 / Now compare the cosPriorities / 3064 com_Result = pTemplate->cosPriority - pTemplate1->cosPriority; 3065 if(0 == com_Result) 3066 return -1; 3067 3068 return com_Result; }}}
Nice catch Noriko, indentation fixed
14e5422..987580d master -> master commit 987580d Author: Mark Reynolds mreynolds@redhat.com Date: Mon Jan 5 16:56:09 2015 -0500
7be03f8..18eb6ce 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 18eb6ce
6c4ad25..3494fec 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 commit 3494fec
3f78755..864b677 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit 864b67740555b72fb31d084cec884e321704968c
2a8da7e..322d7d0 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 322d7d0
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 1.2.11.33
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1311
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Login to comment on this ticket.