https://bugzilla.redhat.com/show_bug.cgi?id=744074
Description of problem:
A user with admin rights can delete the global password policy from the WebUI.

Version-Release number of selected component (if applicable):
2.1.1 (Sept 21 build day)

How reproducible:
always

Steps to Reproduce:
1. install ipa server
2. kinit as "admin" and bring up firefox, go to https://<ipaserver>
3. go to: "Policy" tab -> Password Policy sub menu -> select "Global Password" -> click "delete" to delete it

Actual results:
the global password policy is deleted

Expected results:
the global password policy cannot be deleted, even by admin

Additional info:
1. after the global password policy is deleted, there is no way to add such a policy, since the current WebUI does not offer "global" as a choice in the "Add Password Policy" dialog
2. after the global password policy is deleted, cli: "ipa pwpolicy-show" will report an error: password policy not found
3. after the global password policy is deleted, a newly created user cannot get a kerberos ticket with the initial password. IPA reports: user not found.
4. I didn't try this in the latest build; I will post my test result once I have updated my testing environment.
I wonder what happens in the CLI. It should be caught on the server, and the last policy should not be removed.
master: c0879cd
ipa-2-1: 1e56498
Metadata Update from @dpal:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 2.1.3 (bug fixing)