Let's have passwordInHistory = N and a user with N passwords in its history. We decrease passwordInHistory to a value smaller than N.
If the user changes its password to the oldest value in its history (of N values), it's forbidden, but it should be allowed.
Test case:
1) Configure the password history feature with, for instance:
    passwordInHistory: 4
    passwordHistory: on
2) Add a new user:
    [root@rh6 ~]# ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
    dn: uid=user50,ou=people,o=redhat
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    objectClass: posixAccount
    uid: user50
    cn: user50
    sn: user50
    userpassword: user50
3) Change the password 4 times.
4) Verify that passwordHistory has the four values:
    ldapsearch -xLLL -p 2389 -h localhost -D "cn=directory manager" -w secret12 -b "uid=user50,ou=people,o=redhat" passwordHistory
    dn: uid=user50,ou=people,o=redhat
    passwordHistory: 20150724075220Zuser50
    passwordHistory: 20150724075328Zuser50_1
    passwordHistory: 20150724075341Zuser50_2
    passwordHistory: 20150724075352Zuser50_3
5) Decrease passwordInHistory to 3:
    ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
    dn: cn=config
    changetype: modify
    replace: passwordInHistory
    passwordInHistory: 3
6) Change the password using the original password:
    ldapmodify -p 2389 -h localhost -D "uid=user50,ou=people,o=redhat" -w user50_4
    dn: uid=user50,ou=people,o=redhat
    changetype: modify
    replace: userPassword
    userPassword: user50

    modifying entry "uid=user50,ou=people,o=redhat"
    ldap_modify: Constraint violation (19)
    additional info: password in history
Additional comments:
In function update_pw_history:
    if ( i >= pwpolicy->pw_inhistory ) { /* replace the oldest password in history */
Instead of just replacing the oldest value, we could keep the N newest values (N == passwordInHistory) and replace the oldest in this group. At the same time, the new passwordHistory of the user entry will keep the right number of values.
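The following C program is an added illustration, not code from this ticket or from 389-ds-base. It models the test case above and the change proposed for update_pw_history: passwordHistory values carry a 15-character timestamp prefix, so sorting by that prefix and looking only at the passwordInHistory newest values lets the user reuse a password that has fallen out of the window, and the update step trims the history to the configured size. All function names, the fixed-size string storage and the comparison of clear-text values (as in the ticket's ldapsearch output; a real server compares stored hashes) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TS_LEN   15   /* "YYYYMMDDhhmmssZ" prefix of each passwordHistory value */
#define MAX_HIST 16   /* storage bound chosen for this example */
#define VAL_LEN  64

typedef char pw_val_t[VAL_LEN];

/* qsort comparator: ascending by timestamp prefix, so the oldest value comes first. */
static int cmp_by_timestamp(const void *a, const void *b) {
    return strncmp((const char *)a, (const char *)b, TS_LEN);
}

/* Stored values are not guaranteed to be ordered; sort them oldest-first. */
static void sort_history(pw_val_t *hist, int count) {
    qsort(hist, count, sizeof(pw_val_t), cmp_by_timestamp);
}

/* Behaviour the ticket reports: every stored value is compared, including the
   ones beyond the current passwordInHistory. Returns 1 when new_pw is found. */
int pw_in_history_all(const pw_val_t *hist, int count, const char *new_pw) {
    for (int i = 0; i < count; i++)
        if (strcmp(hist[i] + TS_LEN, new_pw) == 0) return 1;
    return 0;
}

/* Proposed behaviour: only the n_inhistory newest values are compared. */
int pw_in_history_newest(pw_val_t *hist, int count, int n_inhistory, const char *new_pw) {
    sort_history(hist, count);
    int start = count > n_inhistory ? count - n_inhistory : 0;
    for (int i = start; i < count; i++)
        if (strcmp(hist[i] + TS_LEN, new_pw) == 0) return 1;
    return 0;
}

/* Push old_pw into the history and keep at most n_inhistory values: the
   (n_inhistory - 1) newest existing ones plus the new entry. Returns the new count. */
int update_pw_history(pw_val_t *hist, int count, int n_inhistory,
                      const char *ts, const char *old_pw) {
    if (n_inhistory <= 0) return 0;
    if (n_inhistory > MAX_HIST) n_inhistory = MAX_HIST;
    sort_history(hist, count);
    int keep = n_inhistory - 1;
    if (count > keep) {
        memmove(hist, hist + (count - keep), (size_t)keep * sizeof(pw_val_t));
        count = keep;
    }
    snprintf(hist[count], VAL_LEN, "%s%s", ts, old_pw);
    return count + 1;
}

/* Constructed history matching the ldapsearch output in the ticket. */
int load_sample_history(pw_val_t *hist) {
    const char *vals[] = {
        "20150724075220Zuser50",
        "20150724075328Zuser50_1",
        "20150724075341Zuser50_2",
        "20150724075352Zuser50_3",
    };
    int n = (int)(sizeof vals / sizeof vals[0]);
    for (int i = 0; i < n; i++) snprintf(hist[i], VAL_LEN, "%s", vals[i]);
    return n;
}

int main(void) {
    pw_val_t hist[MAX_HIST];
    int count = load_sample_history(hist);
    printf("passwordInHistory=4, change to 'user50': %s\n",
           pw_in_history_newest(hist, count, 4, "user50") ? "rejected" : "allowed");
    printf("passwordInHistory=3, change to 'user50': %s\n",
           pw_in_history_newest(hist, count, 3, "user50") ? "rejected" : "allowed");
    printf("passwordInHistory=3, all-values check (reported bug): %s\n",
           pw_in_history_all(hist, count, "user50") ? "rejected" : "allowed");
    count = update_pw_history(hist, count, 3, "20150724080000Z", "user50_4");
    for (int i = 0; i < count; i++) printf("passwordHistory: %s\n", hist[i]);
    return 0;
}
```

With passwordInHistory lowered to 3 the window check allows "user50" while the all-values check still rejects it, and after the next change the stored history holds exactly three values, which is the outcome step 6 of the test case expects.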
Workaround: trim the values as cn=directory manager
Thanks to German for signing up for this ticket.
Set the milestone to 1.3.4.3.
git patch file (master) 0001-Ticket-48228-wrong-password-check-if-passwordInHisto.patch
git patch file (master) -- CI test 0002-Ticket-48228-CI-test-added-test-cases-for-ticket-482.patch
Reviewed by Mark (Thank you!!)
Pushed to master: c1912cd..6b138a2 master -> master commit 1a11912 commit 6b138a2
Pushed to 389-ds-base-1.3.4: c842dbe..e62b481 389-ds-base-1.3.4 -> 389-ds-base-1.3.4 commit dd85ee9 commit e62b481
Pushed to 389-ds-base-1.3.3: 67e8973..08eabd5 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 67c8164 commit 08eabd5
Pushed to 389-ds-base-1.2.11: aa08398..fd1c326 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit fd1c326
git patch file (master) -- revised: fixing the regression in the previous patch (broken qsort) 0001-Ticket-48228-wrong-password-check-if-passwordInHisto.2.patch
Thank you, Rich! Nathan gave me his comments on IRC and I revised the previous patch based on his comment...
Thank you sooooo much, Rich!
Pushed to master: b011ae3..391acfc master -> master commit 391acfc
Pushed to 389-ds-base-1.3.4: 2231ee4..096b386 389-ds-base-1.3.4 -> 389-ds-base-1.3.4 commit 096b386
Pushed to 389-ds-base-1.3.3: ef0a295..90cf9fd 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 90cf9fd
Pushed to 389-ds-base-1.2.11: 992541f..1e2793d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 1e2793d
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 1.2.11.33
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1559
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)