Cloned from https://issues.redhat.com/browse/RHEL-4958
IdM does not check Minimum life of password when performing password changing, if a very high minlife value is set.
$ ipa pwpolicy-show --user=bob
  Group: non_expired_passwd_group
  Min lifetime (hours): 99999
  Grace login limit: -1
[bob@node-0 ~]$ passwd
Changing password for user bob.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired
Password not changed.
passwd: Authentication token manipulation error

Change the lifetime to 10x larger than in the previous run:

[bob@node-0 ~]$ ipa pwpolicy-show --user=bob
  Group: non_expired_passwd_group
  Min lifetime (hours): 999999
  Grace login limit: -1
[bob@node-0 ~]$ passwd
Changing password for user bob.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
How reproducible: 100%
Actual results: Password changing is allowed even if age of password is within minlife.
Expected results:
1. IdM checks acceptable range of integer when adding/modifying a password policy, and rejects ridiculously high values, or
2. IdM enforces password policy for whatever minlife value saved in policy.
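Both expected results from the report above, sketched as an added example that is not FreeIPA's code and not taken from the ticket: a range check at policy-write time and a minlife comparison done in 64-bit arithmetic. It assumes the hours value is converted to seconds before comparison, which the ticket does not state; all function names are hypothetical, and `minlife_seconds_narrow` is included only to show that 99999 h fits a signed 32-bit second count while 999999 h does not.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECONDS_PER_HOUR 3600

/* Expected result 1 (hypothetical check): accept only hour values whose
 * second count still fits a signed 32-bit integer (at most 596523 hours). */
bool minlife_hours_valid(int64_t hours)
{
    return hours >= 0 && hours <= INT32_MAX / SECONDS_PER_HOUR;
}

/* For contrast only: the value a 32-bit field would hold after the
 * hours-to-seconds conversion (an assumption, see lead-in). The final
 * cast wraps modulo 2^32 on common compilers such as gcc and clang. */
int32_t minlife_seconds_narrow(int64_t hours)
{
    return (int32_t)(uint32_t)((uint64_t)hours * SECONDS_PER_HOUR);
}

/* Expected result 2: enforce whatever value is stored. Returns true when
 * the password is still too young to be changed. Timestamps are seconds
 * since the epoch, so now - last_change cannot overflow int64_t. */
bool minlife_blocks_change(int64_t last_change, int64_t now, int64_t hours)
{
    if (hours <= 0)
        return false;                 /* no minimum lifetime configured */
    if (hours > INT64_MAX / SECONDS_PER_HOUR)
        return true;                  /* product would overflow: treat as "never" */
    return (now - last_change) < hours * SECONDS_PER_HOUR;
}

int main(void)
{
    /* Constructed sample: password set 10 minutes before the change attempt. */
    const int64_t set_at = 1700000000, now = set_at + 600;
    const int64_t policies[] = { 99999, 999999 };   /* values from the report */

    for (size_t i = 0; i < 2; i++) {
        int64_t h = policies[i];
        printf("minlife=%lld h: valid=%d narrow_seconds=%d blocked=%d\n",
               (long long)h, minlife_hours_valid(h),
               minlife_seconds_narrow(h), minlife_blocks_change(set_at, now, h));
    }
    return 0;
}
```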
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-4958
master:
ipa-4-13:
ipa-4-12:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)