#455 Insufficient rights to unhashed#user#password when user deletes his password
Closed: wontfix None Opened 8 years ago by jrusnack.

See also related https://fedorahosted.org/389/ticket/45.

Steps to reproduce:

1) Set local password policy entry:
dn: cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com",
cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
...
passwordStorageScheme: CLEAR
passwordChange: on
...

2) Add new user to ou=People,dc=example,dc=com

ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager -a <<EOF
dn: uid=test_user1,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
uid: test_user1
cn: test1
sn: user1
userPassword: testpassword
EOF

3) Try to delete user`s password:

ldapmodify -h localhost -p 389 -D "uid=test_user1,ou=People,dc=example,dc=com" -w testpassword <<EOF
dn: uid=test_user0,ou=People,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: testpassword

Deleting password with password supplied for user uid=test_user0,ou=People,dc=example,dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'unhashed#user#password' attribute of entry 'uid=test_user0,ou=People,dc=example,dc=com'.

DS version: 389-ds-base-1.2.11.13-1.el6.x86_64

This is already covered by pwdmodify/pwdmodify-qa.sh bug834047_1


Bug Description: Setting CLEAR to the passwordStrageScheme, then
deleting a userpassword with the value fails due to the lack of
right to delete the corresponding pseudo attribute.

Fix Description: Skip evaluating the aci of the pseudo attribute
in the deletion as being done in the replacement.

Reviewed by Rich (Thank you!!)

Pushed to master.

$ git merge trac455
Updating 53e16ed..d6d9d07
Fast-forward
ldap/servers/plugins/acl/acl.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 920 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
53e16ed..d6d9d07 master -> master

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.0.rc1

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/455

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

16 days ago

Login to comment on this ticket.

Metadata