#48228 wrong password check if passwordInHistory is decreased.
Closed: Fixed. Opened 4 years ago by gparente.

Let's have passwordInHistory = N and a user with its N passwords in history.
We decrease passwordInHistory to a value smaller than N.

If a user changes its password to the oldest value in its history (of N values), it's forbidden but it should be allowed.
1) configure password history feature with, for instance:

passwordInHistory: 4
passwordHistory: on

2) add a new user

[root@rh6 ~]# ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
dn: uid=user50,ou=people,o=redhat
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: user50
cn: user50
sn: user50
userpassword: user50

3) change password 4 times.

4) verify passwordHistory has the four values:

ldapsearch -xLLL -p 2389 -h localhost -D "cn=directory manager" -w secret12 -b "uid=user50,ou=people,o=redhat" passwordHistory
dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1
passwordHistory: 20150724075341Zuser50_2
passwordHistory: 20150724075352Zuser50_3

5) decrease passwordInHistory to 3.

ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
dn: cn=config
changetype: modify
replace: passwordInHistory
passwordInHistory: 3

6) change password using the original password:

ldapmodify -p 2389 -h localhost -D "uid=user50,ou=people,o=redhat" -w user50_4
dn: uid=user50,ou=people,o=redhat
changetype: modify
replace: userPassword
userPassword: user50

modifying entry "uid=user50,ou=people,o=redhat"
ldap_modify: Constraint violation (19)
additional info: password in history

Additional comments:

in function update_pw_history

    if ( i >= pwpolicy->pw_inhistory ) {
        /* replace the oldest password in history */

Instead of just replacing the oldest value, we could keep the N newest values (N == passwordInHistory) and replace the oldest in this group. At the same time the new passwordHistory of the user entry will keep the right number of values.

Workaround: trim the values as cn=directory manager
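As an added illustration of the fix proposed above (example code written for this ticket, not 389-ds-base's own update_pw_history), the functions below take stored values in the passwordHistory format shown in the ldapsearch output, sort them by their timestamp prefix with qsort, and consult only the passwordInHistory newest entries, both for the in-history check and when trimming the entry after a change. The names pw_in_history, pw_history_update and kHistory, the constructed timestamp for user50_4, and the plaintext comparison are assumptions; a real server compares hashed values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code for this ticket, not 389-ds-base's update_pw_history.
 * A passwordHistory value looks like "<GeneralizedTime>Z<password>", e.g.
 * "20150724075220Zuser50" from the ticket; the 14-digit timestamp plus
 * the trailing 'Z' is 15 characters. */
#define PW_HIST_TS_LEN 15

/* Sample history taken from the ticket (four values, passwordInHistory was 4). */
static const char *kHistory[] = {
    "20150724075220Zuser50",
    "20150724075328Zuser50_1",
    "20150724075341Zuser50_2",
    "20150724075352Zuser50_3",
};

/* qsort comparator: newest first, comparing only the fixed-width timestamp. */
static int cmp_newest_first(const void *a, const void *b)
{
    const char *pa = *(const char *const *)a;
    const char *pb = *(const char *const *)b;
    return strncmp(pb, pa, PW_HIST_TS_LEN);
}

/* Copy `history` into a freshly allocated array sorted newest first (NULL on OOM). */
static const char **sorted_copy(const char **history, size_t count)
{
    const char **sorted = malloc(count * sizeof *sorted);
    if (sorted == NULL) return NULL;
    memcpy(sorted, history, count * sizeof *sorted);
    qsort(sorted, count, sizeof *sorted, cmp_newest_first);
    return sorted;
}

/* Return 1 if `candidate` equals the password part of one of the `inhistory`
 * newest values, 0 if not, -1 on allocation failure. Older leftovers from a
 * higher passwordInHistory setting are ignored, as the ticket asks. */
int pw_in_history(const char **history, size_t count, int inhistory,
                  const char *candidate)
{
    if (inhistory <= 0 || count == 0) return 0;
    const char **sorted = sorted_copy(history, count);
    if (sorted == NULL) return -1;
    size_t limit = (size_t)inhistory < count ? (size_t)inhistory : count;
    int found = 0;
    for (size_t i = 0; i < limit && !found; i++) {
        const char *stored = sorted[i];
        if (strlen(stored) > PW_HIST_TS_LEN &&
            strcmp(stored + PW_HIST_TS_LEN, candidate) == 0)
            found = 1;
    }
    free(sorted);
    return found;
}

/* History to store after a successful change: `newest` (the password just
 * replaced, already timestamped) followed by the inhistory-1 newest existing
 * values, so the entry never holds more than passwordInHistory values.
 * `out` must have room for `inhistory` pointers. Returns the new count. */
size_t pw_history_update(const char **history, size_t count, int inhistory,
                         const char *newest, const char **out)
{
    if (inhistory <= 0) return 0;
    size_t n = 0;
    out[n++] = newest;
    if (count == 0) return n;
    const char **sorted = sorted_copy(history, count);
    if (sorted == NULL) return 0;
    for (size_t i = 0; i < count && n < (size_t)inhistory; i++)
        out[n++] = sorted[i];
    free(sorted);
    return n;
}

int main(void)
{
    size_t count = sizeof kHistory / sizeof kHistory[0];
    /* passwordInHistory lowered from 4 to 3: the oldest value must not count. */
    printf("passwordInHistory=3, reuse user50:   %s\n",
           pw_in_history(kHistory, count, 3, "user50") ? "rejected" : "allowed");
    printf("passwordInHistory=3, reuse user50_1: %s\n",
           pw_in_history(kHistory, count, 3, "user50_1") ? "rejected" : "allowed");
    /* Changing away from user50_4 trims the stored history to 3 values. */
    const char *out[4];
    size_t n = pw_history_update(kHistory, count, 3, "20150724080000Zuser50_4", out);
    for (size_t i = 0; i < n; i++)
        printf("passwordHistory: %s\n", out[i]);
    return 0;
}
```

With the ticket's four values and passwordInHistory set to 3, reusing user50 is allowed while user50_1 is still rejected, and the next change leaves exactly three values in the entry, which is the behaviour the report expects.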

Thanks to German for signing up for this ticket.

Set the milestone to

Reviewed by Mark (Thank you!!)

Pushed to master:
c1912cd..6b138a2 master -> master
commit 1a11912
commit 6b138a2

Pushed to 389-ds-base-1.3.4:
c842dbe..e62b481 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit dd85ee9
commit e62b481

Pushed to 389-ds-base-1.3.3:
67e8973..08eabd5 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 67c8164
commit 08eabd5

Pushed to 389-ds-base-1.2.11:
aa08398..fd1c326 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit fd1c326

git patch file (master) -- revised: fixing the regression in the previous patch (broken qsort)

Thank you, Rich! Nathan gave me his comments on IRC and I revised the previous patch based on his comment...

Thank you sooooo much, Rich!

Pushed to master:
b011ae3..391acfc master -> master
commit 391acfc

Pushed to 389-ds-base-1.3.4:
2231ee4..096b386 389-ds-base-1.3.4 -> 389-ds-base-1.3.4
commit 096b386

Pushed to 389-ds-base-1.3.3:
ef0a295..90cf9fd 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit 90cf9fd

Pushed to 389-ds-base-1.2.11:
992541f..1e2793d 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit 1e2793d

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone:

2 years ago
