Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1434548
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: Password expiry for accounts based on Passwordmaxage fails when account policy plugin is enabled. This happens when the account policy plugin is enabled along with the password policy plugin. Version-Release number of selected component (if applicable): 389-ds-base-1.3.5.x How reproducible: Consistently with the given steps. Steps to Reproduce: 1. Install 389-ds-base latest on RHEL-7.3 2. Configure Global account policy plugin, to cn=config, with AccountInactivityLimit set to 12. 3. Configure password policy with passwordexp "on" and passwordmaxage "9" secs. 4. Server restart required for account policy plugin to work. 5. Create few users in the default suffix "dc=example,dc=com" 6. Wait for 9 secs, then run ldapseatch as user, uid=user1, expected error 49. INVALID_CREDENTIALS: {'info': 'password expired!', 'desc': 'Invalid credentials'} Result: Success 7. Wait for 4 more secs to reach AccountInactivityLimit. 8. Run ldapsearch as user, uid=user1, expected error 19. ldap.CONSTRAINT_VIOLATION or AccountInactivityLimit exceeded error. Result: Success 9. Replace the lastLoginTime attribute for uid=user1 to check if account is inactivated, but still password policy works. 10. Run ldapsearch as user1 and expect error 49. Result: Success 11. Reset the userPassword for uid=user1 to the old password, with Directory Manager user. User still cannot login since Administrator has to reset the password. 12. Then, check if account is active and the password works. User uid=user1 could successfully login to his account. Result: Success 13.Wait for 9 secs to check if the account password expires as per the Password policy settings. The passwordmaxage is set to 9 secs. 14. Run ldapsearch as uid=user1. Result: FAIL User uid=user1, could successfully login to the system. Actual results: Password policy fails to work when the password is reset for the second time. Expected results: Password policy should work irrespective of the other plugin configuration and how many ever time the password is reset. Additional info: Test case "test_glnact_pwexp" is automated in Pytest under "./suites/plugins/accpol_test.py" file.
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1434548
Metadata Update from @firstyear: - Issue assigned to firstyear
This appears to just be a test case problem
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to new - Custom field type adjusted to defect
I couldn't even find the test case that was being referred to in this issue :S Where can I find it?
Given this is a test problem, can I just close this issue invalid @mreynolds ?
That's wait for QE to verify the test fix - they might find something else? If they don't, I'll close this out(and the bugzilla).
Metadata Update from @mreynolds: - Custom field reviewstatus reset (from new) - Issue set to the milestone: 1.3.7.0 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @firstyear: - Assignee reset
Metadata Update from @mreynolds: - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2241
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: worksforme)
Login to comment on this ticket.