From fbc3556b315c0423a8c6ef2633e79e05a98b50b9 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Sep 01 2017 13:21:12 +0000
Subject: Ticket 49370 - local password policies should use the same defaults as the global policy
Description: When a local password policy (subtree/user) is created it does not use the same defaults as the global policy. This causes inconsistent behavior.
https://pagure.io/389-ds-base/issue/49370
Reviewed by: firstyear(Thanks!)
---
diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
index eeed135..f6ee167 100644
--- a/dirsrvtests/tests/suites/password/regression_test.py
+++ b/dirsrvtests/tests/suites/password/regression_test.py
@@ -20,8 +20,14 @@ log = logging.getLogger(__name__)
 user_data = {'cn': 'CNpwtest1', 'sn': 'SNpwtest1', 'uid': 'UIDpwtest1', 'mail': 'MAILpwtest1@redhat.com', 'givenname': 'GNpwtest1'}
-TEST_PASSWORDS1 = list(user_data.values())
-TEST_PASSWORDS1.append('People')
+TEST_PASSWORDS = list(user_data.values())
+# Add substring/token values of "CNpwtest1"
+TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
+ 'ZCNpwtest1', 'CNpwtest1Z', 'ZCNpwtest1Z',
+ 'ZZCNpwtest1', 'CNpwtest1ZZ', 'ZZCNpwtest1ZZ',
+ 'ZZZCNpwtest1', 'CNpwtest1ZZZ', 'ZZZCNpwtest1ZZZ',
+ 'ZZZZZZCNpwtest1ZZZZZZZZ']
+
 TEST_PASSWORDS2 = ( 'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123')
@@ -32,7 +38,7 @@ def passw_policy(topo, request):
 log.info('Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to on')
 topo.standalone.config.set('PasswordExp', 'on')
- topo.standalone.config.set('PasswordCheckSyntax', 'on')
+ topo.standalone.config.set('PasswordCheckSyntax', 'off')
 topo.standalone.config.set('nsslapd-pwpolicy-local', 'on')
 subtree = 'ou=people,{}'.format(SUFFIX)
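Review bot: Dropping `'People'` from the password list removes the ou value from the trivial passwords, yet the docstrings of test_trivial_passw_check (hunk @@ -71) and test_global_vs_local (hunk @@ -101) still list ou among the attributes exercised. Either keep `TEST_PASSWORDS.append('People')` after the substring additions, or remove "ou" from those docstrings so the documented coverage matches what is parametrized. The comment above the substring list could also say what the variants are for, e.g. `# Substring/token variants of "CNpwtest1": the check must reject passwords that merely contain an attribute value, not only exact matches`.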
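Review bot: The log line `log.info('Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to on')` is now stale, since the changed line below it sets the global `PasswordCheckSyntax` to `'off'`; change it to `log.info('Configure global policy with PasswordCheckSyntax off and nsslapd-pwpolicy-local on')`. A short comment on the flipped setting, e.g. `# Global syntax check stays off; the subtree policy must enable it for the tests to prove the local policy takes effect`, would record why the global value changed. The passw_policy fixture starts before this hunk and continues past it, so I cannot see whether the subtree policy sets passwordCheckSyntax on; if it does not, test_trivial_passw_check would no longer exercise the check at all.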
@@ -71,14 +77,14 @@ def test_user(topo, request):
 @pytest.mark.bz1465600
-@pytest.mark.parametrize("user_pasw", TEST_PASSWORDS1)
+@pytest.mark.parametrize("user_pasw", TEST_PASSWORDS)
 def test_trivial_passw_check(topo, passw_policy, test_user, user_pasw):
 """PasswordCheckSyntax attribute fails to validate cn, sn, uid, givenname, ou and mail attributes
 :id: bf9fe1ef-56cb-46a3-a6f8-5530398a06dc
 :feature: Password policy
 :setup: Standalone instance.
- :steps: 1. Configure password policy with PasswordCheckSyntax set to on.
+ :steps: 1. Configure local password policy with PasswordCheckSyntax set to on.
 2. Add users with cn, sn, uid, givenname, mail and userPassword attributes.
 3. Configure subtree password policy for ou=people subtree.
 4. Reset userPassword with trivial values like cn, sn, uid, givenname, ou and mail attributes.
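Review bot: The parametrization now also runs the twelve substring/token variants of the cn, but step 4 of the docstring still describes only plain attribute values; extend it with something like `and values that merely contain the cn as a token (e.g. 'ZZCNpwtest1ZZ')` so the documented steps match what is tested. Step 1 now says the local policy has PasswordCheckSyntax on while the fixture sets the global one off (hunk @@ -32), which is the intended contrast — stating both explicitly, e.g. `1. Keep global PasswordCheckSyntax off and configure a local (subtree) policy with PasswordCheckSyntax on.`, removes the ambiguity. The test body with the assertions lies outside the hunk.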
@@ -101,19 +107,18 @@ def test_trivial_passw_check(topo, passw_policy, test_user, user_pasw):
 test_user.set('userPassword', PASSWORD)
-@pytest.mark.bz1468284
-@pytest.mark.parametrize("user_pasw", TEST_PASSWORDS2)
-def test_cn_sn_like_passw(topo, passw_policy, test_user, user_pasw):
+@pytest.mark.parametrize("user_pasw", TEST_PASSWORDS)
+def test_global_vs_local(topo, passw_policy, test_user, user_pasw):
 """Passwords rejected if its similar to uid, cn, sn, givenname, ou and mail attributes
 :id: dfd6cf5d-8bcd-4895-a691-a43ad9ec1be8
 :feature: Password policy
- :setup: Standalone instance
- :steps: 1. Configure password policy with PasswordCheckSyntax set to on
+ :setup: Standalone instance
+ :steps: 1. Configure global password policy with PasswordCheckSyntax set to off
 2. Add users with cn, sn, uid, mail, givenname and userPassword attributes
 3. Replace userPassword similar to cn, sn, uid, givenname, ou and mail attributes
 :expectedresults:
- 1. Enabling PasswordCheckSyntax should PASS.
+ 1. Disabling the local policy should PASS.
 2. Add users should PASS.
 3. Resetting userPasswords similar to cn, sn, uid, givenname, ou and mail attributes should PASS.
 """
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 1be5b7f..e625962 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
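Review bot: The docstring summary `Passwords rejected if its similar to uid, cn, sn, givenname, ou and mail attributes` now contradicts expected result 3, which says the resets should PASS; change it to `"""Passwords similar to uid, cn, sn, givenname, ou and mail attributes are accepted when only the global policy applies and its PasswordCheckSyntax is off`. Expected result 1, `Disabling the local policy should PASS.`, also names a different action from step 1 (disabling PasswordCheckSyntax in the global policy); the step and the result should describe the same thing, whichever the body actually performs. Removing `@pytest.mark.bz1468284` loses the link from this test to the bug it regressed, so keep the marker unless the renamed test no longer covers that bug. TEST_PASSWORDS2 appears to have no remaining user, though the rest of the file and this test's body lie outside the hunk.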
@@ -1730,6 +1730,27 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
 goto done;
 }
+ /* Set the default values */
+ pwdpolicy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
+ pwdpolicy->pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
+ pwdpolicy->pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
+ pwdpolicy->pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
+ pwdpolicy->pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
+ pwdpolicy->pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
+ pwdpolicy->pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
+ pwdpolicy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
+ pwdpolicy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
+ pwdpolicy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
+ pwdpolicy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
+ pwdpolicy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
+ pwdpolicy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
+ pwdpolicy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
+ pwdpolicy->pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
+ pwdpolicy->pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
+ pwdpolicy->pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
+ pwdpolicy->pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
+ pwdpolicy->pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
+
 /* set the default passwordLegacyPolicy setting */
 pwdpolicy->pw_is_legacy = 1;
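Review bot: `pwdpolicy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;` is assigned twice in the new block (the second and the twelfth added lines); drop the repeat and check whether a different member was meant in its place, since a default that was skipped by mistake would leave that attribute at whatever the allocation left behind. The block defaults only the numeric limits; the on/off members of the policy (lockout, expiry, syntax checking, history enablement) are not touched here, so whether a local policy matches the global "off" defaults for those presumably depends on the struct being zero-initialised at allocation — that happens outside the hunk, so please confirm. A one-line comment above the block, e.g. `/* Mirror the global policy defaults so a local policy that omits an attribute behaves like the global one (ticket 49370) */`, would record why these are set before the entry is read. new_passwdPolicy starts before this hunk and continues past it.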