#48228 wrong password check if passwordInHistory is decreased.
Closed: wontfix None Opened 6 years ago by gparente.

Let's have passwordInHistory = N and a user with its N passwords in history.
We decrease passwordInHistory to a value smaller than N.

If a user changes its password to the oldest value in its history (of N values), it's forbidden but it should be allowed.


1) configure password history feature with, for instance:

passwordInHistory: 4
passwordHistory: on

2) add a new user

[root@rh6 ~]# ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
dn: uid=user50,ou=people,o=redhat
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: user50
cn: user50
sn: user50
userpassword: user50

3) change password 4 times.

4) verify passwordHistory has the four values:

ldapsearch -xLLL -p 2389 -h localhost -D "cn=directory manager" -w secret12 -b "uid=user50,ou=people,o=redhat" passwordHistory
dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1
passwordHistory: 20150724075341Zuser50_2
passwordHistory: 20150724075352Zuser50_3

5) decrease passwordInHistory to 3.

ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
dn: cn=config
changetype: modify
replace: passwordInHistory
passwordInHistory: 3

6) change password using the original password:

ldapmodify -p 2389 -h localhost -D "uid=user50,ou=people,o=redhat" -w user50_4
dn: uid=user50,ou=people,o=redhat
changetype: modify
replace: userPassword
userPassword: user50

modifying entry "uid=user50,ou=people,o=redhat"
ldap_modify: Constraint violation (19)
additional info: password in history

Additional comments:

in function update_pw_history

    if ( i >= pwpolicy->pw_inhistory ) {
            /* replace the oldest password in history */

Instead of just replacing the oldest value, we could keep the N newest values (N == passwordInHistory) and replace the oldest in this group. At the same time the new passwordHistory of the user entry will keep the right number of values.

Workaround: trim the values as cn=directory manager
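
The suggestion above (apply the check only to the N newest values and replace the oldest within that group), sketched as an added example; this is not the 389-ds-base code or the committed patch. The function names are hypothetical, and the comparison is cleartext as in the ticket's sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TS_LEN 15 /* "YYYYMMDDhhmmssZ" prefix, as in the ticket's ldapsearch output */

/* qsort comparator: newest first; the fixed-width timestamp sorts lexically */
static int newest_first(const void *a, const void *b)
{
    return strncmp(*(const char *const *)b, *(const char *const *)a, TS_LEN);
}

/* Sort vals newest-first; return how many are in force (at most inhistory). */
size_t history_trim(const char **vals, size_t count, size_t inhistory)
{
    qsort(vals, count, sizeof(*vals), newest_first);
    return count < inhistory ? count : inhistory;
}

/* Return 1 if candidate equals one of the newest inhistory passwords.
 * Assumption: cleartext comparison, matching the ticket's sample values. */
int history_rejects(const char **vals, size_t count, size_t inhistory, const char *candidate)
{
    size_t kept = history_trim(vals, count, inhistory);
    for (size_t i = 0; i < kept; i++)
        if (strlen(vals[i]) >= TS_LEN && strcmp(vals[i] + TS_LEN, candidate) == 0)
            return 1;
    return 0;
}

/* Store new_val, replacing the oldest value of the kept group when it is full.
 * vals must have room for max(count, inhistory) entries. Returns the new count. */
size_t history_record(const char **vals, size_t count, size_t inhistory, const char *new_val)
{
    size_t kept = history_trim(vals, count, inhistory);
    if (inhistory == 0) return 0;
    if (kept == inhistory)
        kept--; /* drop the oldest value still in force */
    vals[kept] = new_val;
    return kept + 1;
}

int main(void)
{
    /* History from the ticket, after passwordInHistory was lowered from 4 to 3 */
    const char *h[] = {"20150724075220Zuser50", "20150724075328Zuser50_1",
                       "20150724075341Zuser50_2", "20150724075352Zuser50_3"};
    printf("user50 rejected: %d\n", history_rejects(h, 4, 3, "user50"));
    return 0;
}
```
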

Thanks to German for signing up for this ticket.

Set the milestone to

Reviewed by Mark (Thank you!!)

Pushed to master:
c1912cd..6b138a2 master -> master
commit 1a11912
commit 6b138a2

Pushed to 389-ds-base-1.3.4:
c842dbe..e62b481 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit dd85ee9
commit e62b481

Pushed to 389-ds-base-1.3.3:
67e8973..08eabd5 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 67c8164
commit 08eabd5

Pushed to 389-ds-base-1.2.11:
aa08398..fd1c326 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit fd1c326

git patch file (master) -- revised: fixing the regression in the previous patch (broken qsort)

Thank you, Rich! Nathan gave me his comments on IRC and I revised the previous patch based on his comment...

Thank you sooooo much, Rich!

Pushed to master:
b011ae3..391acfc master -> master
commit 391acfc

Pushed to 389-ds-base-1.3.4:
2231ee4..096b386 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 096b386

Pushed to 389-ds-base-1.3.3:
ef0a295..90cf9fd 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 90cf9fd

Pushed to 389-ds-base-1.2.11:
992541f..1e2793d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 1e2793d

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone:

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1559

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

2 years ago
