#3968 Directory Manager password change does not respect user password policy
Closed: Fixed None Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1017730

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

Password change for ipa user using ldappasswd sets the password expiration to
default 90 days.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.4.x86_64

How reproducible:
Always.

Steps to Reproduce:

# ipa pwpolicy-find
  Group: foogroup
  Max lifetime (days): 60
  Min lifetime (hours): 0
  Priority: 0

  Group: global_policy
  Max lifetime (days): 1000
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 6
  Max failures: 6
  Failure reset interval: 30
  Lockout duration: 300

foouser is a part of group foogroup

# ipa user-show foouser --all
<snip>
  krbpasswordexpiration: 20131207143016Z
</snip>

Password expiration is set to 60 days as expected since it was changed by
the user and the user foouser is a part of group foogroup.

Then we change the password using ldappasswd:

# ldappasswd -D "cn=Directory Manager" -s Secret123 ...
uid=foouser,cn=users,cn=accounts,dc=example,dc=com -w Secret123

Actual results:

# ipa user-show foouser --all
<snip>
  krbpasswordexpiration: 20140106144141Z
</snip>

Actual Results:

It sets back to 90 days.


Expected results:

It should set to the foogroup password policy that is 60 days

Additional info:

I have a patch since I was investigating the original issue.

Patch freeipa-mkosek-429-administrative-password-change-does-not-respect-pass.patch sent for review

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)

7 years ago
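
An added example, not part of the ticket or of FreeIPA's code: a small audit that flags entries whose password lifetime exceeds the effective group policy, which is the symptom reported above. It assumes the change time is read from the entry's krbLastPwdChange attribute; the two krblastpwdchange values below are constructed for illustration, while the expiration values and policies are the ones shown in the report.

```python
from datetime import datetime, timezone

# Policies as listed by `ipa pwpolicy-find` in the report (max lifetime in days).
POLICIES = {
    "foogroup": {"maxlife": 60, "priority": 0},
    "global_policy": {"maxlife": 1000, "priority": None},
}

# krbpasswordexpiration values are from the report; krblastpwdchange values
# are constructed sample data (assumption), as is the dict layout itself.
SAMPLES = [
    {"uid": "foouser", "groups": ["foogroup"], "changed_by": "self",
     "krblastpwdchange": "20131008143016Z",
     "krbpasswordexpiration": "20131207143016Z"},
    {"uid": "foouser", "groups": ["foogroup"], "changed_by": "cn=Directory Manager",
     "krblastpwdchange": "20131008144141Z",
     "krbpasswordexpiration": "20140106144141Z"},
]

def parse_gt(value):
    """Parse an LDAP GeneralizedTime of the form YYYYmmddHHMMSSZ as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def effective_policy(groups, policies=POLICIES):
    """Return the group policy with the lowest priority number, else global_policy."""
    candidates = [(policies[g]["priority"], g) for g in groups
                  if g in policies and g != "global_policy"]
    return min(candidates)[1] if candidates else "global_policy"

def audit(entry, policies=POLICIES, tolerance_s=60):
    """Compare the entry's actual password lifetime with its policy maximum."""
    name = effective_policy(entry["groups"], policies)
    allowed_s = policies[name]["maxlife"] * 86400
    actual_s = (parse_gt(entry["krbpasswordexpiration"])
                - parse_gt(entry["krblastpwdchange"])).total_seconds()
    return {
        "policy": name,
        "allowed_days": policies[name]["maxlife"],
        "actual_days": round(actual_s / 86400, 2),
        # A lifetime longer than the policy maximum is the finding to report.
        "compliant": actual_s <= allowed_s + tolerance_s,
    }

if __name__ == "__main__":
    for e in SAMPLES:
        print(e["uid"], e["changed_by"], audit(e))
```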
