#49047 password subtree policy issue (ns-newpwpolicy.pl)
Closed: wontfix 4 years ago by mreynolds. Opened 7 years ago by albertocrj.

I'm trying to disable the password expiration for a certain subtree, but after I created that subtree policy, 389 started to store userpassword as plaintext for this subtree.

Steps to reproduce:
1. Enable global policy with password expiration
2. Create a subtree policy using ns-newpwpolicy.pl (without password expiration)
3. Change user password
4. After that, 389 starts to store userpassword as plaintext on this subtree

If I use 389 console to create the subtree policy, everything works fine.

Analysing the nsPwPolicyContainer and nsPwTemplateEntry, I could not find any difference.

```
ldapsearch -b 'cn="cn=nsPwTemplateEntry,OU=APLICACOES,dc=my,dc=domain",cn=nsPwPolicyContainer,OU=APLICACOES,dc=my,dc=domain' -D "cn=Directory Manager" -x -W '(objectclass=ldapsubentry)'

# extended LDIF
#
# base <cn="cn=nsPwTemplateEntry,OU=APLICACOES,dc=my,dc=domain",cn=nsPwPolicyContainer,OU=APLICACOES,dc=my,dc=domain> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#

# cn\3DnsPwTemplateEntry\2COU\3DAPLICACOES\2Cdc\3Dmy\2Cdc\3Ddomain, nsPwPol
 icyContainer, APLICACOES, my.domain
dn: cn=cn\3DnsPwTemplateEntry\2COU\3DAPLICACOES\2Cdc\3Dmy\2Cdc\3Ddomain,cn=n
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
objectClass: top
cosPriority: 1
cn: cn=nsPwTemplateEntry,OU=APLICACOES,dc=my,dc=domain

# search result
search: 2
result: 0 Success
```

Metadata Update from @nhosoi:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @mreynolds:
- Issue close_status updated to: None
- Issue tagged with: Investigate

7 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

7 years ago

Using ns-newpwpolicy.pl does not set the storage scheme. So using CLEAR is the default behaviour. However the console incorrectly shows that a password storage scheme is set for the subtree policy, but in fact it is not. So this is a console bug.

For now you just need to set passwordStorageScheme in the subtree policy and everything will work as expected.

Adjusting milestone to admin server...

Metadata Update from @mreynolds:
- Issue set to the milestone: 389-admin,console 1.1.44 (was: 0.0 NEEDS_TRIAGE)

7 years ago
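An added example (not part of the ticket and not 389 project code): a small audit over an LDIF export that flags password policy entries whose passwordStorageScheme is missing or CLEAR, and userPassword values stored without a `{SCHEME}` prefix. The sample LDIF, the `ou=apps,dc=example,dc=com` suffix and the function names are constructed for illustration; it assumes policy entries carry the `passwordpolicy` object class.

```python
import base64
import re

# Constructed sample export (not from the ticket): one subtree policy entry
# without passwordStorageScheme, and two users under that subtree.
SAMPLE_LDIF = """\
dn: cn=cn\\3DnsPwPolicyEntry\\2Cou\\3Dapps\\2Cdc\\3Dexample\\2Cdc\\3Dcom,cn=nsPwPolic
 yContainer,ou=apps,dc=example,dc=com
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordExp: off

dn: uid=alice,ou=apps,dc=example,dc=com
userPassword: {SSHA512}Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=

dn: uid=bob,ou=apps,dc=example,dc=com
userPassword:: cGxhaW50ZXh0LXNhbXBsZQ==
"""

def parse_ldif(text):
    """Yield {lowercased attr: [values]} per entry; unfolds lines, decodes '::'."""
    text = re.sub(r"\r?\n ", "", text)           # undo LDIF line folding
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def audit(text):
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["<no dn>"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "passwordpolicy" in classes:          # assumption: marks a policy entry
            scheme = e.get("passwordstoragescheme", [""])[0].upper()
            if scheme in ("", "CLEAR"):
                findings.append(("policy-no-hash-scheme", dn))
        for pw in e.get("userpassword", []):
            if not re.match(r"^\{[A-Za-z0-9_-]+\}.", pw) or pw.upper().startswith("{CLEAR}"):
                findings.append(("cleartext-userpassword", dn))
    return findings

if __name__ == "__main__": print(audit(SAMPLE_LDIF))
```

Passwords already written in cleartext stay that way after the policy is corrected, so entries reported as `cleartext-userpassword` need a password change once the scheme is set.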

This is no longer an issue in the new Cockpit UI available in 389-ds-base-1.4.x. Since 389-admin server/console has been deprecated, I am closing this ticket.

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to None
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2106

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago
