#49751 passwordMustChange attribute is not honored by a RO consumer if "Chain on Update" is implemented on the RO consumer
Closed: wontfix 5 years ago Opened 5 years ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1582092

Description of problem:
passwordMustChange attribute is not honored by a RO consumer if "Chain on
Update" is implemented on the RO consumer

A read-write master, a dedicated read-only consumer with "Chain on Update",
plus a dedicated read-only consumer with NO "Chain on Update".

All three instances have the same global password policy:
passwordCheckSyntax: on
passwordExp: on
passwordHistory: on
passwordInHistory: 8
passwordIsGlobalPolicy: on
passwordLegacyPolicy: off
passwordLockout: on
passwordLockoutDuration: 900
passwordMaxAge: 7776000
passwordMaxFailure: 5
passwordMaxRepeats: 5
passwordMinAge: 60
passwordMinAlphas: 1
passwordMinCategories: 3
passwordMinDigits: 1
passwordMinLength: 12
passwordMinLowers: 1
passwordMinSpecials: 1
passwordMinTokenLength: 3
passwordMinUppers: 1
passwordResetFailureCount: 600
passwordStorageScheme: SSHA512
passwordTrackUpdateTime: on
passwordUnlock: on
nsslapd-pwpolicy-local: on
passwordWarning: 1209600
passwordMustChange: on

1. Reset the user's password as the "cn=Directory manager" on the read-write
master:
# ldapmodify -h localhost -p 4389  -D "cn=directory manager" -w password
dn: uid=asmith,ou=people,dc=mytestrealm,dc=com
changetype: modify
replace: userpassword
userpassword: password

modifying entry "uid=asmith,ou=people,dc=mytestrealm,dc=com"

^C

2. ldapsearch against the read-write master as the user himself:
# ldapsearch -h localhost -p 4389  -D
"uid=asmith,ou=people,dc=mytestrealm,dc=com" -w password -b
"uid=asmith,ou=people,dc=mytestrealm,dc=com"
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==

3. ldapsearch against the RO consumer with "chain on update" as the user
himself:
# ldapsearch -h localhost -p 5389  -D
"uid=asmith,ou=people,dc=mytestrealm,dc=com" -w password -b
"uid=asmith,ou=people,dc=mytestrealm,dc=com"
dn: uid=ASmith,ou=People,dc=mytestrealm,dc=com
uid: ASmith
givenName: Alan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Smith
cn: Alan Smith

4. ldapsearch against the RO consumer with NO "chain on update" as the user
himself:
# ldapsearch -h localhost -p 6389  -D
"uid=asmith,ou=people,dc=mytestrealm,dc=com" -w password -b
"uid=asmith,ou=people,dc=mytestrealm,dc=com"
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==
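
The following is an added example, not part of this report or of 389-ds-base: a small Python audit that classifies ldapsearch transcripts like the four above and flags any replica that hands back the user's entry instead of result 53 with the password-expired response control 2.16.840.1.113730.3.4.4 (whose value MA== is base64 for "0"). The sample transcripts are constructed from the report, and the replica labels and ports are placeholders.

```python
import base64
import re

# OID of the 389-ds "password expired" response control. In the report it is
# returned with value MA== (base64 of "0") together with result code 53 when
# passwordMustChange is enforced after an administrative reset.
PWD_EXPIRED_CONTROL = "2.16.840.1.113730.3.4.4"

# Constructed sample ldapsearch output modelled on the report's transcripts;
# labels and ports are placeholders, not captured from a real deployment.
SAMPLES = {
    "master:4389": "result: 53 Server is unwilling to perform\n"
                   "control: 2.16.840.1.113730.3.4.4 false MA==\n",
    "consumer-chain:5389": "dn: uid=ASmith,ou=People,dc=mytestrealm,dc=com\n"
                           "uid: ASmith\nsn: Smith\ncn: Alan Smith\n",
    "consumer-nochain:6389": "result: 53 Server is unwilling to perform\n"
                             "control: 2.16.840.1.113730.3.4.4 false MA==\n",
    "consumer-badpw:7389": "result: 49 Invalid credentials\n",
}


def classify(output):
    """Return 'enforced', 'bypassed' or 'other' for one ldapsearch transcript.

    'enforced'  : result 53 plus the password-expired control with value "0"
    'bypassed'  : the search succeeded and returned the user's entry, i.e. the
                  replica ignored the must-change state (the bug in this report)
    'other'     : anything else (wrong password, network error, ...)
    """
    m = re.search(r"^result: (\d+)", output, re.M)
    # A transcript with no "result:" line but with entries is a successful search.
    code = int(m.group(1)) if m else 0
    expired = False
    for ctl in re.finditer(r"^control: (\S+) \S+ (\S+)", output, re.M):
        oid, value = ctl.groups()
        if oid == PWD_EXPIRED_CONTROL and base64.b64decode(value) == b"0":
            expired = True
    if code == 53 and expired:
        return "enforced"
    if code == 0 and re.search(r"^dn: ", output, re.M):
        return "bypassed"
    return "other"


def audit(samples):
    """Map each replica to its verdict and list those needing investigation."""
    verdicts = {name: classify(out) for name, out in samples.items()}
    suspects = sorted(n for n, v in verdicts.items() if v != "enforced")
    return verdicts, suspects
```

Pipe the real output of each per-replica `ldapsearch` into `classify` to re-check every consumer after upgrading or after changing chaining configuration.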

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1582092

5 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

5 years ago

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 1.3.7.0 (was: 0.0 NEEDS_TRIAGE)

5 years ago

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

ace4432..520bf28 389-ds-base-1.3.7 -> 389-ds-base-1.3.7

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2810

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago
