#50155 Is it possible for Directory server to reject the current password only?
Closed: wontfix 5 years ago by mreynolds. Opened 5 years ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1563999

Description of problem:
Customer would like the current password ONLY to be rejected when updating a
user's password as himself/herself.

We currently have an attribute called passwordInHistory, which can only take
values of 1 to 24. By specifying "passwordInHistory: 1", it not only rejects
the current password but also "current password - 1"! Please see my test below:


1. Create a test user called arichardson

2. Create a user level password policy:
dn: cn=cn\3DnsPwPolicyEntry\2Cuid\3Darichardson\2Cou\3DPeople\2Cdc\3Dmytestrea
 lm\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=mytestrealm,dc=com
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
cn: cn=nsPwPolicyEntry,uid=arichardson,ou=People,dc=mytestrealm,dc=com
passwordMustChange: off
passwordExp: off
passwordMinAge: 0
passwordChange: on
passwordInHistory: 1  <<<<<<<<<<<<<<<<<<<
passwordStorageScheme: ssha512



3. Bind as the user using his current password "password"
# ldapsearch -h localhost -p 2389 -D
"uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w password -b
"uid=arichardson,ou=People,dc=mytestrealm,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=arichardson,ou=People,dc=mytestrealm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# arichardson, People, mytestrealm.com
dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
uid: arichardson
givenName: Alan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Richardson
cn: Alan Richardson



4. Attempt to change the user arichardson's password using the current
password:
# ldapmodify -h localhost -p 2389 -D
"uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w password
dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
changetype: modify
replace: userpassword
userpassword: password

modifying entry "uid=arichardson,ou=People,dc=mytestrealm,dc=com "
ldap_modify: Constraint violation (19)
        additional info: password in history



5. Replace the user arichardson's password with "Canget1n":
# ldapmodify -h localhost -p 2389 -D
"uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w password
dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
changetype: modify
replace: userpassword
userpassword: Canget1n

modifying entry "uid=arichardson,ou=People,dc=mytestrealm,dc=com "


6. Now attempted to change user arichardson's password with the current
password - 1, i.e. "password":
# ldapmodify -h localhost -p 2389 -D
"uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w Canget1n
dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
changetype: modify
replace: userpassword
userpassword: password

modifying entry "uid=arichardson,ou=People,dc=mytestrealm,dc=com "
ldap_modify: Constraint violation (19)
        additional info: password in history


7. Now attempted to change user arichardson's password with the current
password "Canget1n":
# ldapmodify -h localhost -p 2389 -D
"uid=arichardson,ou=People,dc=mytestrealm,dc=com" -w Canget1n
dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
changetype: modify
replace: userpassword
userpassword: Canget1n

modifying entry "uid=arichardson,ou=People,dc=mytestrealm,dc=com "
ldap_modify: Constraint violation (19)
        additional info: password in history


As you can see from the above, both "password" (current password - 1) and
"Canget1n" (current) are rejected. The customer only wants the current
password, i.e. Canget1n in the above example, to be rejected.

If I dump out passwordHistory of the user:
dn: uid=arichardson,ou=People,dc=mytestrealm,dc=com
passwordHistory: 20180329113642Z{SSHA512}lCNNXqM9CzmtsUyXxdLomk2
 r1NJlwD10dHaYzd1nLqwuvmX7MsMaEqCtdjSyNHdoJOXMV0bdzkLZG7oKYprsnWwkbvPEVw9e

It seems that even with "passwordInHistory: 1", the passwordHistory attribute
remembers both the password right before the current password and the
current password!
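The following is an added example, not code from the ticket or from 389-ds-base. It is a simplified Python model of how a history check of this kind behaves: the candidate password is compared against the entry's current userPassword and against every stored passwordHistory value, and a successful change pushes the old current password into the history, trimmed to passwordInHistory values. Under that model (an assumption about the server, not a description of its implementation) a history size of 1 necessarily rejects two passwords, the current one and the one before it, and leaves exactly one passwordHistory value behind, which matches what the dump above shows. The {SSHA512} helpers follow the common salted-SHA-512 layout, base64(sha512(password || salt) || salt) with an 8-byte salt; the 8-byte salt length is assumed, and the timestamps and the history value format in the replay are modelled on the ticket's own values.

```python
import base64
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Optional, Tuple

SALT_LEN = 8  # assumption: 8-byte salt (64-byte digest + 8 bytes = 72 decoded bytes)


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA512} value: base64(sha512(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Check a cleartext candidate against a {SSHA512} value (constant-time compare)."""
    if not stored.startswith("{SSHA512}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_history_value(value: str) -> Tuple[str, str]:
    """Split a passwordHistory value such as '20180329113642Z{SSHA512}...'
    into (timestamp, hashed_password)."""
    idx = value.index("{")
    return value[:idx], value[idx:]


class UserEntry:
    """Simplified model of a user entry under a policy with passwordInHistory = n.

    Assumed behaviour (not the server's code): the candidate is compared with
    the current userPassword AND every stored passwordHistory value; on a
    successful change the old current password is pushed onto the history,
    which is trimmed to n values.
    """

    def __init__(self, password: str, password_in_history: int) -> None:
        self.current = ssha512_hash(password)
        self.history: Deque[str] = deque()  # newest first
        self.n = password_in_history

    def check_new_password(self, candidate: str) -> Optional[str]:
        """Return the server's 'additional info' text on rejection, else None."""
        if ssha512_verify(candidate, self.current):
            return "password in history"
        for value in self.history:
            _ts, hashed = parse_history_value(value)
            if ssha512_verify(candidate, hashed):
                return "password in history"
        return None

    def change_password(self, new_password: str, when: str) -> Optional[str]:
        """Apply the policy; on success rotate the old password into the history."""
        reason = self.check_new_password(new_password)
        if reason is not None:
            return reason
        self.history.appendleft(when + self.current)  # same layout as the ticket's value
        while len(self.history) > self.n:
            self.history.pop()
        self.current = ssha512_hash(new_password)
        return None


def reproduce_ticket() -> dict:
    """Replay steps 4-7 of the ticket with passwordInHistory: 1 (constructed timestamps)."""
    user = UserEntry("password", password_in_history=1)
    results = {}
    results["step4"] = user.change_password("password", "20180329113642Z")  # current -> rejected
    results["step5"] = user.change_password("Canget1n", "20180329113700Z")  # new -> accepted
    results["step6"] = user.change_password("password", "20180329113800Z")  # previous -> rejected
    results["step7"] = user.change_password("Canget1n", "20180329113900Z")  # current -> rejected
    results["history_len"] = len(user.history)  # one value, as in the dump above
    return results


if __name__ == "__main__":
    for step, outcome in reproduce_ticket().items():
        print(step, "accepted" if outcome is None else outcome)
```

The point the model makes explicit is that the current password is never part of passwordHistory; it is rejected by the comparison against userPassword itself, so passwordInHistory counts only previous passwords, and "reject the current password only" would need a separate switch rather than a history size of 0 or 1.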

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1563999

5 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

5 years ago

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

5 years ago

6f87fab..ba02f5a 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

4c71cc2..4554617 389-ds-base-1.3.9 -> 389-ds-base-1.3.9

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3214

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago
