When using a global password policy for syntax checking, there are some default
settings that will be used (such as a minimum length of 8) if the config
attributes don't exist in cn=config. This doesn't seem to work with the
Here are some steps to reproduce the problem:
1. - Enable global syntax checking, setting the minLength to 6.
2. - Enable fine-grained password policies.
3. - Create a subtree-level policy on "ou=People", enabling syntax checking
with the default values (minLength will be displayed as 8 in Console).
4. - Attempt to change a password of a user outside of "ou=People" with a
password of 5 characters long. This should be rejected with an err=19.
5. - Try step 4 again, but with a password length of 6 characters. This
6. - Try step 4 again, but with a user inside of "ou=People". This should
fail with an err=19, but it will succeed!
To work around the problem, you can add the password syntax attributes to the
fine-grained policy entry explicitly. This can be done via the Console UI by
setting each of the syntax settings to a non-default value, saving it, then
setting them to what you want (even if you want the defaults) and saving again.
batch update moving tickets to future
set default ticket origin to Community
Added initial screened field value.
git patch file (master)
git patch file (master) -- CI test
Built and tested, looks good to me.
Reviewed by William (Thank you!!)
Pushed to master:
f132cf4. f5b9053 master -> master
Replying to [comment:10 spichugi]:
Looks good, ack
Pushed to master:
a2d97e0. 73d74f5 master -> master
Author: Simon Pichugin email@example.com
Date: Wed Aug 31 17:02:40 2016 +0200
Metadata Update from @spichugi:
- Issue assigned to nhosoi
- Issue set to the milestone: 126.96.36.199
to comment on this ticket.
Security - Password Policy
Copyright © 2014-2017 Red Hat
3.6 — Documentation