#142 [RFE] Default password syntax settings don't work with fine-grained policies

Created 5 years ago by mkosek
Modified 15 days ago


When using a global password policy for syntax checking, there are some default
settings that will be used (such as a minimum length of 8) if the config
attributes don't exist in cn=config.  This doesn't seem to work with the
fine-grained policies.

Here are some steps to reproduce the problem:

 1. Enable global syntax checking, setting the minLength to 6.
 2. Enable fine-grained password policies.
 3. Create a subtree-level policy on "ou=People", enabling syntax checking
    with the default values (minLength will be displayed as 8 in Console).
 4. Attempt to change a password of a user outside of "ou=People" with a
    password 5 characters long.  This should be rejected with an err=19.
 5. Try step 4 again, but with a password length of 6 characters.  This
    should work.
 6. Try step 4 again, but with a user inside of "ou=People".  This should
    fail with an err=19, but it will succeed!

To work around the problem, you can add the password syntax attributes to the
fine-grained policy entry explicitly.  This can be done via the Console UI by
setting each of the syntax settings to a non-default value, saving it, then
setting them to what you want (even if you want the defaults) and saving again.
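
An added example, not part of the original ticket or the 389 DS code base: a small audit that reads an LDIF export and reports fine-grained policy entries that turn on syntax checking without storing the syntax attributes explicitly, which is the condition the workaround above corrects. The attribute names (`passwordCheckSyntax`, `passwordMinLength`, `passwordMinCategories`, `passwordMinTokenLength`), the choice of which attributes to require, and the sample entries are assumptions made for illustration.

```python
# Added example (not from the ticket): audit an LDIF export of policy entries.
# Assumption: 389 DS syntax attributes with non-zero built-in defaults.
REQUIRED = ("passwordminlength", "passwordmincategories", "passwordmintokenlength")

# Constructed sample export; entry names and suffix are made up.
SAMPLE_LDIF = """\
dn: cn=people_policy,cn=nsPwPolicyContainer,ou=People,
 dc=example,dc=com
objectClass: passwordpolicy
passwordCheckSyntax: on

dn: cn=groups_policy,cn=nsPwPolicyContainer,ou=Groups,dc=example,dc=com
objectClass: passwordpolicy
passwordCheckSyntax: on
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 3
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def policies_relying_on_defaults(entries):
    """Map policy DN -> syntax attributes that are not set explicitly."""
    findings = {}
    for entry in entries:
        classes = {v.lower() for v in entry.get("objectclass", [])}
        checking = [v.lower() for v in entry.get("passwordchecksyntax", [])]
        missing = [a for a in REQUIRED if a not in entry]
        if "passwordpolicy" in classes and checking == ["on"] and missing:
            findings[entry["dn"][0]] = missing
    return findings
```

Calling `policies_relying_on_defaults(parse_ldif(SAMPLE_LDIF))` reports only the `ou=People` policy, because the `ou=Groups` policy already carries explicit values.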

batch update moving tickets to future

set default ticket origin to Community

Added initial screened field value.

Built and tested, looks good to me.

Reviewed by William (Thank you!!)

Pushed to master:
f132cf4. f5b9053 master -> master
commit af1fc5e
commit 1c3fa84

Replying to [comment:10 spichugi]:

Looks good, ack

To ssh://git.fedorahosted.org/git/389/ds.git

Pushed to master:
a2d97e0. 73d74f5 master -> master
commit 73d74f5
Author: Simon Pichugin spichugi@redhat.com
Date: Wed Aug 31 17:02:40 2016 +0200

15 days ago

Metadata Update from @spichugi:
- Issue assigned to nhosoi
- Issue set to the milestone:




Security - Password Policy