For all parameters in pwpolicy plugin, the attribute can be removed by setting it to an empty string (""), but this does not work for "--minlength":
[root@fed35 ~]# ipa pwpolicy-mod --minlength 8 --maxfail 3
  Group: global_policy
  Min length: 8
  Max failures: 3
[root@fed35 ~]# ipa pwpolicy-mod --maxfail ""
  Group: global_policy
  Min length: 8
[root@fed35 ~]# ipa pwpolicy-mod --minlength ""
ipa: ERROR: an internal error has occurred
[root@fed35 ~]# ipa pwpolicy-show
  Group: global_policy
  Min length: 3
When clearing "--minlength" with an empty string an internal error occurs.
The minimum length parameter should have the same behavior as the other integer parameters, or, at least, a proper message should be displayed.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.11-1.fc35.x86_64
freeipa-client-4.9.11-1.fc35.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.0.17-1.fc35.x86_64
package pki-ca is not installed
krb5-server-1.19.2-9.fc35.x86_64
The minlength parameter is mapped to the LDAP attribute krbpwdminlength:
$ ipa show-mappings pwpolicy-mod
Parameter    : LDAP attribute
=========    : ==============
maxlife      : krbmaxpwdlife?
minlife      : krbminpwdlife?
history      : krbpwdhistorylength?
minclasses   : krbpwdmindiffchars?
minlength    : krbpwdminlength?
priority     : cospriority?
maxfail      : krbpwdmaxfailure?
failinterval : krbpwdfailurecountinterval?
lockouttime  : krbpwdlockoutduration?
maxrepeat    : ipapwdmaxrepeat?
maxsequence  : ipapwdmaxsequence?
dictcheck    : ipapwddictcheck?
usercheck    : ipapwdusercheck?
rights       : rights
and is not required (the ? after krbpwdminlength means the attr is single-valued and not required).
This means the CLI should allow clearing the attribute by setting an empty value. This is a valid issue.
The issue is us unconditionally converting the value to an int:
ipa: ERROR: non-public: TypeError: int() argument must be a string, a bytes-like object or a real number, not 'NoneType'
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 407, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 816, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.10/site-packages/ipaserver/plugins/pwpolicy.py", line 587, in execute
    return super(pwpolicy_mod, self).execute(cn, **options)
  File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1523, in execute
    entry_attrs.dn = callback(
  File "/usr/lib/python3.10/site-packages/ipaserver/plugins/pwpolicy.py", line 598, in pre_callback
    self.obj.validate_minlength(ldap, entry_attrs, False, *keys)
  File "/usr/lib/python3.10/site-packages/ipaserver/plugins/pwpolicy.py", line 473, in validate_minlength
    min_length = int(get_val(existing_entry, 'krbpwdminlength'))
TypeError: int() argument must be a string, a bytes-like object or a real number, not 'NoneType'
ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: pwpolicy_mod/1('test', krbpwdminlength=None, version='2.251'): InternalError
ipa: DEBUG: [jsonserver_session] admin@EXAMPLE.TEST: pwpolicy_mod/1('test', krbpwdminlength=None, version='2.251'): InternalError etime=6037530
In validate_minlength():
min_length = int(get_val(existing_entry, 'krbpwdminlength'))
We probably need an existence check prior to converting to an int. This happens in at least two places.
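The failure mode and one possible existence check, as an added example that is not FreeIPA code and not the fix that was committed. Only the attribute name krbpwdminlength and the `int(get_val(...))` shape come from the traceback; the body of `get_val`, the other function names and the sample entries are assumptions constructed for illustration.

```python
# Added illustration; not FreeIPA source. Everything except the attribute
# name krbpwdminlength is hypothetical.

def get_val(entry, attr):
    """Return a single value from an entry whose values may be lists."""
    val = entry.get(attr)
    if isinstance(val, (list, tuple)):
        val = val[0] if val else None
    return val


def min_length_unguarded(entry):
    # Same shape as the line in the traceback: int() applied directly.
    return int(get_val(entry, 'krbpwdminlength'))


def min_length_guarded(entry):
    """Return the minimum length as an int, or None when cleared or absent."""
    val = get_val(entry, 'krbpwdminlength')
    if val is None or val == '':
        return None          # nothing to validate: attribute is unset
    return int(val)


def classify(entry):
    """Return (unguarded result or 'TypeError', guarded result) for one entry."""
    try:
        unguarded = min_length_unguarded(entry)
    except TypeError:
        unguarded = 'TypeError'   # what surfaces as "an internal error"
    return unguarded, min_length_guarded(entry)


# Constructed sample entries: a plain value, a list value, the cleared
# value (None) seen in the log line above, and a missing attribute.
SAMPLES = {
    'set': {'krbpwdminlength': '8'},
    'list': {'krbpwdminlength': ['8']},
    'cleared': {'krbpwdminlength': None},
    'absent': {},
}

if __name__ == '__main__':
    for name, entry in SAMPLES.items():
        print(name, classify(entry))
```

A caller of the guarded variant has to treat `None` as "no minimum configured" and skip any comparison that depends on the value.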
master:
ipa-4-11:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-10:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-15444