#9297 Minimum length parameter in pwpolicy cannot be removed with empty string.
Closed: fixed a year ago by frenaud. Opened 2 years ago by rjeffman.

For all parameters in the pwpolicy plugin, the attribute can be removed by setting it to an empty string (""), but this does not work for "--minlength".

Steps to Reproduce

[root@fed35 ~]# ipa pwpolicy-mod --minlength 8 --maxfail 3
  Group: global_policy
  Min length: 8
  Max failures: 3
[root@fed35 ~]# ipa pwpolicy-mod --maxfail ""
  Group: global_policy
  Min length: 8
[root@fed35 ~]# ipa pwpolicy-mod --minlength ""
ipa: ERROR: an internal error has occurred
[root@fed35 ~]# ipa pwpolicy-show
  Group: global_policy
  Min length: 3

Actual behavior

When clearing "--minlength" with an empty string an internal error occurs.

Expected behavior

The minimum length parameter should have the same behavior as the other integer parameters, or, at least, a proper message should be displayed.

Version/Release/Distribution

 $ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.11-1.fc35.x86_64
freeipa-client-4.9.11-1.fc35.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.0.17-1.fc35.x86_64
package pki-ca is not installed
krb5-server-1.19.2-9.fc35.x86_64

The minlength parameter is mapped to the LDAP attribute krbpwdminlength:

$ ipa show-mappings pwpolicy-mod
Parameter    : LDAP attribute
=========    : ==============
maxlife      : krbmaxpwdlife?
minlife      : krbminpwdlife?
history      : krbpwdhistorylength?
minclasses   : krbpwdmindiffchars?
minlength    : krbpwdminlength?
priority     : cospriority?
maxfail      : krbpwdmaxfailure?
failinterval : krbpwdfailurecountinterval?
lockouttime  : krbpwdlockoutduration?
maxrepeat    : ipapwdmaxrepeat?
maxsequence  : ipapwdmaxsequence?
dictcheck    : ipapwddictcheck?
usercheck    : ipapwdusercheck?
rights       : rights

and is not required (the ? after krbpwdminlength means the attr is single-valued and not required).

This means the CLI should allow clearing the attribute by setting an empty value. This is a valid issue.

The issue is us unconditionally converting the value to an int:

ipa: ERROR: non-public: TypeError: int() argument must be a string, a bytes-like object or a real number, not 'NoneType'
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 407, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 816, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.10/site-packages/ipaserver/plugins/pwpolicy.py", line 587, in execute
    return super(pwpolicy_mod, self).execute(cn, **options)
  File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1523, in execute
    entry_attrs.dn = callback(
  File "/usr/lib/python3.10/site-packages/ipaserver/plugins/pwpolicy.py", line 598, in pre_callback
    self.obj.validate_minlength(ldap, entry_attrs, False, *keys)
  File "/usr/lib/python3.10/site-packages/ipaserver/plugins/pwpolicy.py", line 473, in validate_minlength
    min_length = int(get_val(existing_entry, 'krbpwdminlength'))
TypeError: int() argument must be a string, a bytes-like object or a real number, not 'NoneType'
ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: pwpolicy_mod/1('test', krbpwdminlength=None, version='2.251'): InternalError
ipa: DEBUG: [jsonserver_session] admin@EXAMPLE.TEST: pwpolicy_mod/1('test', krbpwdminlength=None, version='2.251'): InternalError etime=6037530

In validate_minlength():

       min_length = int(get_val(existing_entry, 'krbpwdminlength'))

We probably need an existence check prior to converting to an int. This happens in at least two places.
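
The failure and the existence check suggested above, as an added example that is not part of the ticket or FreeIPA's code. The helper bodies, the function names other than `get_val`, and the sample entries are assumptions made for illustration; only the `krbpwdminlength=None` value and the `int(get_val(...))` call come from the log and traceback.

```python
# Added illustration; not FreeIPA source. Helper bodies are assumptions.

def get_val(entry, attr):
    """Return a single value from an LDAP-style entry (list or scalar)."""
    val = entry.get(attr)
    if isinstance(val, (list, tuple)):
        val = val[0] if val else None
    return val


def minlength_unguarded(existing_entry, changes):
    """Mirrors the failing line: int() is applied whatever the value is."""
    merged = dict(existing_entry)
    merged.update(changes)
    return int(get_val(merged, 'krbpwdminlength'))


def minlength_guarded(existing_entry, changes):
    """Existence check first: None means the attribute is absent or cleared."""
    merged = dict(existing_entry)
    merged.update(changes)
    val = get_val(merged, 'krbpwdminlength')
    if val is None:
        return None  # nothing to convert, so no length rule to validate
    return int(val)


# Constructed sample data: a stored policy, plus the change that
# `ipa pwpolicy-mod --minlength ""` sends (krbpwdminlength=None in the log).
EXISTING = {'cn': ['global_policy'], 'krbpwdminlength': ['8']}
CLEAR = {'krbpwdminlength': None}
SET_10 = {'krbpwdminlength': 10}

if __name__ == '__main__':
    print(minlength_guarded(EXISTING, SET_10))
    print(minlength_guarded(EXISTING, CLEAR))
    try:
        minlength_unguarded(EXISTING, CLEAR)
    except TypeError as exc:
        print('unguarded:', exc)
```
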

master:

  • 6245457 Allow password policy minlength to be removed like other values

ipa-4-11:

  • 9b0b723 Allow password policy minlength to be removed like other values

ipa-4-9:

  • d034861 Allow password policy minlength to be removed like other values

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

ipa-4-10:

  • f4d57f9 Allow password policy minlength to be removed like other values

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-15444

a year ago
