  1. RHEL
  2. RHEL-129204

Local password policies can be created with unallowed values


    • Bug
    • Resolution: Unresolved
    • Minor
    • rhel-10.2
    • rhel-10.1
    • 389-ds-base
    • rhel-idm-ds

      Creating local password policy succeeds with incorrect passwordInHistory value

      # rpm -q 389-ds-base
      389-ds-base-3.1.3-5.el10_1.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Create a DS instance
      2. Attempt creating a new local password policy with invalid values (applicable for both user and subtree) (created pw policies were deleted after every attempt):
        1. # dsconf localhost localpwp addsubtree ou=people,dc=example,dc=com --pwdhistory on --pwdhistorycount -1
          Successfully created subtree password policy
          # dsconf localhost localpwp get ou=people,dc=example,dc=com
          Local Subtree Policy Policy for "ou=people,dc=example,dc=com": cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
          ------------------------------------
          passwordhistory: on
          passwordinhistory: -1
        2. # dsconf localhost localpwp addsubtree ou=people,dc=example,dc=com --pwdhistory on --pwdhistorycount 30
          Successfully created subtree password policy
          # dsconf localhost localpwp get ou=people,dc=example,dc=com
          Local Subtree Policy Policy for "ou=people,dc=example,dc=com": cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
          ------------------------------------
          passwordhistory: on
          passwordinhistory: 30
        3. # dsconf localhost localpwp addsubtree ou=people,dc=example,dc=com --pwdhistory on --pwdhistorycount a
          Successfully created subtree password policy
          # dsconf localhost localpwp get ou=people,dc=example,dc=com
          Local Subtree Policy Policy for "ou=people,dc=example,dc=com": cn=cn\3DnsPwPolicyEntry_subtree\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
          ------------------------------------
          passwordhistory: on
          passwordinhistory: a

      Expected results

      All above values should be rejected as invalid (allowed value range 0-24)

      Actual results

      All above values are accepted

      Additional info

      The issue does NOT occur when modifying an existing password policy using 'dsconf localpwp set' or when creating a duplicate password policy, which actually modifies the existing one
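
An added example, not part of the original report and not 389-ds-base code: a Python check that parses `dsconf ... localpwp get` output in the shape shown above and flags `passwordinhistory` values that are non-numeric or outside the 0-24 range the report gives. The function names and the sample output are constructed for illustration.

```python
import re

# Allowed range for passwordInHistory as stated in the report (0-24).
HISTORY_MIN, HISTORY_MAX = 0, 24


def sample_output(value):
    """Constructed sample shaped like the `dsconf localhost localpwp get` output."""
    return (
        'Local Subtree Policy Policy for "ou=people,dc=example,dc=com": <policy DN>\n'
        "------------------------------------\n"
        "passwordhistory: on\n"
        f"passwordinhistory: {value}\n"
    )


def parse_policy(text):
    """Return {attribute: value} from the 'attr: value' lines after the dashed separator."""
    attrs, in_body = {}, False
    for line in text.splitlines():
        line = line.strip()
        if set(line) == {"-"}:  # separator line made only of dashes
            in_body = True
        elif in_body and ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
    return attrs


def audit(text):
    """Return None if passwordinhistory is acceptable, else a finding string."""
    raw = parse_policy(text).get("passwordinhistory")
    if raw is None:
        return None  # attribute not set in this policy
    if not re.fullmatch(r"[0-9]+", raw):
        return f"passwordinhistory={raw!r} is not a non-negative integer"
    if not HISTORY_MIN <= int(raw) <= HISTORY_MAX:
        return f"passwordinhistory={raw} is outside {HISTORY_MIN}-{HISTORY_MAX}"
    return None


if __name__ == "__main__":
    # The three values from the report, plus one valid value for comparison.
    for value in ("-1", "30", "a", "12"):
        print(value, "->", audit(sample_output(value)) or "ok")
```
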

              jachapma James Chapman
              lryznaro@redhat.com Lenka Doudova
              IdM DS Dev
              IdM DS QE
              Evgenia Martyniuk