#50006 Subtree Password Policy not stopping user password changes
Closed: wontfix 4 years ago by mreynolds. Opened 5 years ago by nwharrison.

Issue Description

I have a password policy on the OU that contains all of my user accounts. This password policy is set on the subtree and the “user may change password” option is deselected. However, I’m still able to change my password if I use passwd on an LDAP client.

Package Version and Platform

The version of 389-ds-base is 1.3.7.5-24.

Steps to reproduce

  1. Password policy is set on the subtree ou=People,dc=example,dc=org and the “user may change password” option is deselected.
  2. LDAP client user executes the "passwd" command and can successfully change his password.

Actual results

The below snippet appears to be the full sequence from the access log on my LDAP server. I have a Linux client using SSSD to bind to the directory (account: mybindacct). I SSH into my client as johndoe and change my password with the usual passwd command.

[15/Oct/2018:09:26:11.609685215 -0400] conn=206895 TLS1.2 256-bit AES-GCM
[15/Oct/2018:09:26:11.612881217 -0400] conn=206895 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[15/Oct/2018:09:26:11.613707013 -0400] conn=206895 op=0 RESULT err=0 tag=101 nentries=1 etime=0.0011199684
[15/Oct/2018:09:26:11.615468995 -0400] conn=206895 op=1 BIND dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.615687824 -0400] conn=206895 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0000260954 dn="uid=mybindacct,ou=special users,dc=example,dc=org"
[15/Oct/2018:09:26:11.616003685 -0400] conn=206895 op=2 BIND dn="uid=johndoe,ou=Test,ou=People,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.616327955 -0400] conn=206895 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0000365138 dn="uid=johndoe,ou=test,ou=people,dc=example,dc=org"
[15/Oct/2018:09:26:11.624910413 -0400] conn=206895 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:26:11.627984160 -0400] conn=206895 op=3 RESULT err=0 tag=120 nentries=0 etime=0.0003117005
[15/Oct/2018:09:26:11.630152739 -0400] conn=206895 op=4 UNBIND

Expected results

I am told the expected behavior is that it should be changing it as "uid=johndoe,ou=test,ou=people,dc=example,dc=org", but the password policy appears to be getting bypassed and the bind account is what is getting used to change the password.
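Added example, not part of this ticket or of 389-ds-base: a small Python audit that walks an access log like the one quoted above and reports, for each Password Modify extended operation (the OID seen at op=3), which DN was bound on that connection when the op ran and whether it succeeded, which is exactly the fact in dispute here. The sample log is constructed from the ticket's lines plus a hypothetical second connection (conn=300001) where only the SSSD bind account was bound.

```python
"""Attribute each Password Modify extended op (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1)
in a 389-ds access log to the DN bound on that connection when the op ran."""
import re
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'RESULT err=(?P<err>\d+)')
# Constructed sample: conn=206895 is modelled on the ticket's log (user binds as himself
# before the EXT op); conn=300001 is hypothetical (only the SSSD service account bound).
SAMPLE_LOG = """\
[15/Oct/2018:09:26:11.615468995 -0400] conn=206895 op=1 BIND dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.615687824 -0400] conn=206895 op=1 RESULT err=0 tag=97 nentries=0 etime=0.0000260954 dn="uid=mybindacct,ou=special users,dc=example,dc=org"
[15/Oct/2018:09:26:11.616003685 -0400] conn=206895 op=2 BIND dn="uid=johndoe,ou=Test,ou=People,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:26:11.616327955 -0400] conn=206895 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0000365138 dn="uid=johndoe,ou=test,ou=people,dc=example,dc=org"
[15/Oct/2018:09:26:11.624910413 -0400] conn=206895 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:26:11.627984160 -0400] conn=206895 op=3 RESULT err=0 tag=120 nentries=0 etime=0.0003117005
[15/Oct/2018:09:26:11.630152739 -0400] conn=206895 op=4 UNBIND
[15/Oct/2018:09:30:00.000000000 -0400] conn=300001 op=0 BIND dn="uid=mybindacct,ou=Special Users,dc=example,dc=org" method=128 version=3
[15/Oct/2018:09:30:00.000100000 -0400] conn=300001 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000 dn="uid=mybindacct,ou=special users,dc=example,dc=org"
[15/Oct/2018:09:30:00.000200000 -0400] conn=300001 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_plugin"
[15/Oct/2018:09:30:00.000500000 -0400] conn=300001 op=1 RESULT err=0 tag=120 nentries=0 etime=0.0003000000
"""

def audit_password_modify(log_text):
    """One dict per Password Modify op: conn, op, bound_dn ('' = anonymous), err."""
    bound, pending_bind, pending_ext, events = {}, {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection/TLS lines carry no op= and are skipped
        conn, op, rest = m["conn"], int(m["op"]), m["rest"]
        if rest.startswith("BIND "):
            pending_bind[(conn, op)] = DN_RE.search(rest)["dn"].lower()
        elif rest.startswith("EXT ") and f'oid="{PASSWD_MODIFY_OID}"' in rest:
            pending_ext[(conn, op)] = ev = {"conn": conn, "op": op, "bound_dn": bound.get(conn, ""), "err": None}
            events.append(ev)
        elif rest.startswith("RESULT "):
            err = int(ERR_RE.match(rest)["err"])
            if (conn, op) in pending_bind:
                # err=0 makes the server-normalized bind DN the connection identity; a failed bind leaves it anonymous
                attempted, echoed = pending_bind.pop((conn, op)), DN_RE.search(rest)
                bound[conn] = (echoed["dn"].lower() if echoed else attempted) if err == 0 else ""
            elif (conn, op) in pending_ext:
                pending_ext.pop((conn, op))["err"] = err
        elif rest.startswith("UNBIND"):
            bound.pop(conn, None)
    return events
def not_self_service(events, service_dns):  # successful changes made under a service-account DN
    svc = {d.lower() for d in service_dns}
    return [e for e in events if e["err"] == 0 and e["bound_dn"] in svc]
```

For the ticket's own connection the bound DN at op=3 is johndoe, not mybindacct, so the subtree policy for johndoe's entry is what the server should have applied.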

Current password policy tests all pass, including this one, with the latest version of the server (1.3.x and 1.4.x). Closing as works for me. If you have problems on the latest version please reopen this ticket.

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3065

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: worksforme)

3 years ago
