root DN, aka "cn=directory manager", should not be restricted by password policy. During ADD operations the root DN is incorrectly restricted by password policy. Updating an existing entry, doing a MOD, works as expected.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1145378
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1145379
attachment 0001-Ticket-47900-Adding-an-entry-with-an-invalid-passwor.patch
83a6ceb..50820f8 master -> master
commit 50820f8 Author: Mark Reynolds mreynolds@redhat.com Date: Tue Sep 30 10:07:33 2014 -0400
4e34740..ab36560 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit ab36560
8c955b1..99b24d4 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 commit 99b24d4
0b5f0d6..7b7d092 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit 7b7d0929f2129801edb55b8c480f0b8ea8e4a2dc
dd62c75..950390b 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit 950390b
The previous patch causes startup issues if a password admin is set...
When we set up backends at server startup we perform add operations. This patch attempts to search backends, while setting up a password policy, before they are actually set up/initialized.
attachment 0001-Ticket-47900-Server-fails-to-start-if-password-admin.patch
To ssh://git.fedorahosted.org/git/389/ds.git afc8b06..4711de6 master -> master
commit 4711de6 Author: Mark Reynolds mreynolds@redhat.com Date: Thu Oct 2 10:17:13 2014 -0400
5353f9f..1bf510c 389-ds-base-1.3.3 -> 389-ds-base-1.3.3 commit 1bf510c
6ca4422..f9eed02 389-ds-base-1.3.2 -> 389-ds-base-1.3.2 commit f9eed02
154abc9..46051b4 389-ds-base-1.3.1 -> 389-ds-base-1.3.1 commit 46051b42d3917ff0c899b8480b5374429441f89e
950390b..ed6f09b 389-ds-base-1.2.11 -> 389-ds-base-1.2.11 commit ed6f09b
This commit breaks 1.2.11: pwdpolicy is not in the pblock. Ticket 147 was not backported.
I think ticket https://fedorahosted.org/389/ticket/458 should be also backported:
We use global_slapdFrontendConfig.pw_policy.pw_admin ldap/servers/slapd/libglobs.c
and this field has been introduced in ticket 458.
Replying to [comment:13 gparente]:
> I think ticket https://fedorahosted.org/389/ticket/458 should be also backported:
> We use global_slapdFrontendConfig.pw_policy.pw_admin ldap/servers/slapd/libglobs.c
> and this field has been introduced in ticket 458.
Ticket 458 was backported to 1.2.11 seven months ago.
But Ludwig is right, ticket 147 was not backported, this is bad. So the fix for 458 has been broken for a long time. Not sure why this never showed up as a compilation error.
Hi Mark,
you are right. Ticket 458 is already backported adding the fields.
Applying the 147 diffs, I have made these new fields disappear again as before ticket 458.
This is an existing problem on all branches caused by the latest patch. I have a new fix that will be going out for review shortly...
Sorry, the last patch was for the wrong version of 389. Reworking patch...
Fix backport issue 0001-Ticket-47900-Fix-backport-issue-to-1.2.11.patch
ed6f09b..8512405 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 8512405 Author: Mark Reynolds mreynolds@redhat.com Date: Tue Oct 7 14:24:17 2014 -0400
Metadata Update from @gparente: - Issue assigned to mreynolds - Issue set to the milestone: 1.2.11.33
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1231
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)