Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1563999
Description of problem: Customer would like the current password ONLY to be rejected when updating a user's password as himself/herself. We currently have an attribute called passwordInHistory, which can only take values of 1 to 24. By specifying "passwordInHistory: 1", it not only rejects the current password but also "current password - 1"! Please see my test below:

1. Create a test user called arichardson

2. Create a user level password policy:

    dn: cn=cn\3DnsPwPolicyEntry\2Cuid\3Darichardson\2Cou\3DPeople\2Cdc\3Dmytestrealm\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=mytestrealm,dc=com
    objectClass: ldapsubentry
    objectClass: passwordpolicy
    objectClass: top
    cn: cn=nsPwPolicyEntry,uid=arichardson,ou=People,dc=mytestrealm,dc=com
    passwordMustChange: off
    passwordExp: off
    passwordMinAge: 0
    passwordChange: on
    passwordInHistory: 1    <<<<<<<<<<<<<<<<<<<
    passwordStorageScheme: ssha512

3. Bind as the user using his current password "password":

    # ldapsearch -h localhost -p 2389 -D "uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w password -b "uid=arichardson,ou=People,dc=mytestrealm,dc=com"
    # extended LDIF
    #
    # LDAPv3
    # base <uid=arichardson,ou=People,dc=mytestrealm,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # arichardson, People, mytestrealm.com
    dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
    uid: arichardson
    givenName: Alan
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    sn: Richardson
    cn: Alan Richardson

4. Attempt to change the user arichardson's password using the current password:

    # ldapmodify -h localhost -p 2389 -D "uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w password
    dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
    changetype: modify
    replace: userpassword
    userpassword: password

    modifying entry "uid=arichardson,ou=People,dc=mytestrealm,dc=com "
    ldap_modify: Constraint violation (19)
            additional info: password in history

5. Replace the user arichardson's password with "Canget1n":

    # ldapmodify -h localhost -p 2389 -D "uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w password
    dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
    changetype: modify
    replace: userpassword
    userpassword: Canget1n

    modifying entry "uid=arichardson,ou=People,dc=mytestrealm,dc=com "

6. Now attempted to change user arichardson's password with the current password -1, i.e. "password":

    # ldapmodify -h localhost -p 2389 -D "uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w Canget1n
    dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
    changetype: modify
    replace: userpassword
    userpassword: password

    modifying entry "uid=arichardson,ou=People,dc=mytestrealm,dc=com "
    ldap_modify: Constraint violation (19)
            additional info: password in history

7. Now attempted to change user arichardson's password with the current password "Canget1n":

    # ldapmodify -h localhost -p 2389 -D "uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w Canget1n
    dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
    changetype: modify
    replace: userpassword
    userpassword: Canget1n

    modifying entry "uid=arichardson,ou=People,dc=mytestrealm,dc=com "
    ldap_modify: Constraint violation (19)
            additional info: password in history

As you can see from the above, both "password" (current password - 1) and "Canget1n" (current) are rejected. The customer only wants the current password, i.e. Canget1n in the above example, to be rejected.

If I dump out passwordHistory of the user:

    dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
    passwordHistory: 20180329113642Z{SSHA512}lCNNXqM9CzmtsUyXxdLomk2r1NJlwD10dHaYzd1nLqwuvmX7MsMaEqCtdjSyNHdoJOXMV0bdzkLZG7oKYprsnWwkbvPEVw9e

It seems that even with "passwordInHistory: 1", the passwordHistory attribute seems to remember the password right before the current password and the current password!
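The behaviour reported above can be replayed in a small model. The following Python is an added example written for this page, not code from 389-ds-base: it implements the {SSHA512} value layout assumed here (base64 of sha512(password + salt) followed by the salt), parses the timestamped passwordHistory values shown in the dump, and applies the history check in two variants. With the reported semantics (the current password is compared, and in addition passwordInHistory previous passwords), a policy of passwordInHistory: 1 rejects both "password" and "Canget1n" exactly as steps 4 to 7 show; with a "current password only" variant, the previous password becomes reusable. The function names, the 8-byte salt and the timestamp used for the archived entry are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Added illustration, not 389-ds-base code. The {SSHA512} layout assumed:
# base64( sha512(password + salt) || salt ), with an 8-byte salt.
SCHEME = "{SSHA512}"
DIGEST_LEN = 64  # size of a SHA-512 digest in bytes


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA512} userPassword value with a random salt."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Constant-time check of a cleartext candidate against a stored hash."""
    if not stored.startswith(SCHEME):
        raise ValueError("unsupported password storage scheme")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# passwordHistory values look like 20180329113642Z{SSHA512}<base64>
HISTORY_RE = re.compile(r"^(\d{14}Z)(\{[A-Za-z0-9]+\}\S+)$")


def parse_history_value(value: str) -> tuple:
    """Split a passwordHistory value into (generalizedTime, hash)."""
    m = HISTORY_RE.match(value)
    if m is None:
        raise ValueError(f"malformed passwordHistory value: {value!r}")
    return m.group(1), m.group(2)


def change_allowed(candidate: str, current_hash: str, history: list,
                   password_in_history: int, reject_current: bool = True) -> tuple:
    """Decide whether `candidate` may replace the current password.

    history             : passwordHistory values (old passwords only)
    password_in_history : how many previous passwords are compared
    reject_current      : whether the current password is rejected as well,
                          which is what the report observes on top of the
                          history comparison
    """
    if reject_current and ssha512_verify(candidate, current_hash):
        return False, "password in history (matches current password)"
    # Newest archived passwords first, then keep only the configured window.
    entries = sorted((parse_history_value(v) for v in history), reverse=True)
    for ts, h in entries[:password_in_history]:
        if ssha512_verify(candidate, h):
            return False, f"password in history (previous password set {ts})"
    return True, "ok"


def run_report_scenario(password_in_history: int, reject_current: bool) -> dict:
    """Replay steps 4-7 of the report and return accept/reject per step."""
    current = ssha512_hash("password")
    history = []
    results = {}
    # Step 4: the user re-submits the current password.
    results["step4_same_password"] = change_allowed(
        "password", current, history, password_in_history, reject_current)[0]
    # Step 5: change to Canget1n; on success the old hash is archived.
    ok, _ = change_allowed("Canget1n", current, history, password_in_history, reject_current)
    results["step5_new_password"] = ok
    if ok:
        history.append("20180329113642Z" + current)  # constructed timestamp
        current = ssha512_hash("Canget1n")
    # Step 6: the previous password ("current password - 1").
    results["step6_previous_password"] = change_allowed(
        "password", current, history, password_in_history, reject_current)[0]
    # Step 7: the current password itself.
    results["step7_current_password"] = change_allowed(
        "Canget1n", current, history, password_in_history, reject_current)[0]
    return results


if __name__ == "__main__":
    print("reported semantics   :", run_report_scenario(1, True))
    print("current password only:", run_report_scenario(0, True))
```

The point the model makes explicit is that passwordInHistory counts archived (previous) passwords, while the current password is checked separately, so a value of 1 covers two passwords. A directory administrator who only wants the current password rejected cannot express that with a history size of 1 under these semantics, which is the gap the report describes.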
Metadata Update from @mreynolds: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1563999
Metadata Update from @mreynolds: - Issue assigned to mreynolds
https://pagure.io/389-ds-base/pull-request/50156
Metadata Update from @mreynolds: - Custom field component adjusted to None - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None
6f87fab..ba02f5a 389-ds-base-1.4.0 -> 389-ds-base-1.4.0
4c71cc2..4554617 389-ds-base-1.3.9 -> 389-ds-base-1.3.9
Metadata Update from @mreynolds: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/3214
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)