rpms / 389-ds-base

Clone
Source Code
GIT

Blame SOURCES/0020-Issue-49039-password-min-age-should-be-ignored-if-pa.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-armhfp c7-beta c8-beta-stream-1.4 c8-stream-1.4 c8s-stream-1.4 c8s-stream-ds c9 c9-beta
  1.   6f51e1d17eb4993176815fb50c6b3c147b0ef922
  2.   SOURCES
  3.   0020-Issue-49039-password-min-age-should-be-ignored-if-pa.patch
Blob History Raw
6f51e1 
From 578d207cd66e97e9ff8211559c62114a961e35a8 Mon Sep 17 00:00:00 2001
6f51e1 
From: Mark Reynolds <mreynolds@redhat.com>
6f51e1 
Date: Tue, 28 Mar 2017 14:21:47 -0400
6f51e1 
Subject: [PATCH] Issue 49039 - password min age should be ignored if password
6f51e1 
 needs to be reset
6f51e1
6f51e1 
Description:  Do not check the password minimum age when changing a password
6f51e1 
              if the password "must" be reset.
6f51e1
6f51e1 
https://pagure.io/389-ds-base/issue/49039
6f51e1
6f51e1 
Reviewed by: firstyear(Thanks!)
6f51e1 
---
6f51e1 
 dirsrvtests/tests/tickets/ticket49039_test.py | 79 +++++++++++++++++++++++++++
6f51e1 
 ldap/servers/slapd/modify.c                   |  4 +-
6f51e1 
 2 files changed, 81 insertions(+), 2 deletions(-)
6f51e1 
 create mode 100644 dirsrvtests/tests/tickets/ticket49039_test.py
6f51e1
6f51e1 
diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py
6f51e1 
new file mode 100644
6f51e1 
index 0000000..e6d4c03
6f51e1 
--- /dev/null
6f51e1 
+++ b/dirsrvtests/tests/tickets/ticket49039_test.py
6f51e1 
@@ -0,0 +1,79 @@
6f51e1 
+import time
6f51e1 
+import ldap
6f51e1 
+import logging
6f51e1 
+import pytest
6f51e1 
+from lib389 import Entry
6f51e1 
+from lib389._constants import *
6f51e1 
+from lib389.properties import *
6f51e1 
+from lib389.tasks import *
6f51e1 
+from lib389.utils import *
6f51e1 
+from lib389.topologies import topology_st as topo
6f51e1 
+
6f51e1 
+DEBUGGING = os.getenv("DEBUGGING", default=False)
6f51e1 
+if DEBUGGING:
6f51e1 
+    logging.getLogger(__name__).setLevel(logging.DEBUG)
6f51e1 
+else:
6f51e1 
+    logging.getLogger(__name__).setLevel(logging.INFO)
6f51e1 
+log = logging.getLogger(__name__)
6f51e1 
+
6f51e1 
+USER_DN = 'uid=user,dc=example,dc=com'
6f51e1 
+
6f51e1 
+
6f51e1 
+def test_ticket49039(topo):
6f51e1 
+    """Test "password must change" verses "password min age".  Min age should not
6f51e1 
+    block password update if the password was reset.
6f51e1 
+    """
6f51e1 
+
6f51e1 
+    # Configure password policy
6f51e1 
+    try:
6f51e1 
+        topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),
6f51e1 
+                                               (ldap.MOD_REPLACE, 'passwordMustChange', 'on'),
6f51e1 
+                                               (ldap.MOD_REPLACE, 'passwordExp', 'on'),
6f51e1 
+                                               (ldap.MOD_REPLACE, 'passwordMaxAge', '86400000'),
6f51e1 
+                                               (ldap.MOD_REPLACE, 'passwordMinAge', '8640000'),
6f51e1 
+                                               (ldap.MOD_REPLACE, 'passwordChange', 'on')])
6f51e1 
+    except ldap.LDAPError as e:
6f51e1 
+        log.fatal('Failed to set password policy: ' + str(e))
6f51e1 
+
6f51e1 
+    # Add user, bind, and set password
6f51e1 
+    try:
6f51e1 
+        topo.standalone.add_s(Entry((USER_DN, {
6f51e1 
+            'objectclass': 'top extensibleObject'.split(),
6f51e1 
+            'uid': 'user1',
6f51e1 
+            'userpassword': PASSWORD
6f51e1 
+        })))
6f51e1 
+    except ldap.LDAPError as e:
6f51e1 
+        log.fatal('Failed to add user: error ' + e.message['desc'])
6f51e1 
+        assert False
6f51e1 
+
6f51e1 
+    # Reset password as RootDN
6f51e1 
+    try:
6f51e1 
+        topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
6f51e1 
+    except ldap.LDAPError as e:
6f51e1 
+        log.fatal('Failed to bind: error ' + e.message['desc'])
6f51e1 
+        assert False
6f51e1 
+
6f51e1 
+    time.sleep(1)
6f51e1 
+
6f51e1 
+    # Reset password as user
6f51e1 
+    try:
6f51e1 
+        topo.standalone.simple_bind_s(USER_DN, PASSWORD)
6f51e1 
+    except ldap.LDAPError as e:
6f51e1 
+        log.fatal('Failed to bind: error ' + e.message['desc'])
6f51e1 
+        assert False
6f51e1 
+
6f51e1 
+    try:
6f51e1 
+        topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
6f51e1 
+    except ldap.LDAPError as e:
6f51e1 
+        log.fatal('Failed to change password: error ' + e.message['desc'])
6f51e1 
+        assert False
6f51e1 
+
6f51e1 
+    log.info('Test Passed')
6f51e1 
+
6f51e1 
+
6f51e1 
+if __name__ == '__main__':
6f51e1 
+    # Run isolated
6f51e1 
+    # -s for DEBUG mode
6f51e1 
+    CURRENT_FILE = os.path.realpath(__file__)
6f51e1 
+    pytest.main("-s %s" % CURRENT_FILE)
6f51e1 
+
6f51e1 
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
6f51e1 
index 4bef90a..32defae 100644
6f51e1 
--- a/ldap/servers/slapd/modify.c
6f51e1 
+++ b/ldap/servers/slapd/modify.c
6f51e1 
@@ -1326,8 +1326,8 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
6f51e1
6f51e1 
 	/* check if password is within password minimum age;
6f51e1 
 	   error result is sent directly from check_pw_minage */
6f51e1 
-	if ((internal_op || !pb->pb_conn->c_needpw) &&
6f51e1 
-         check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
6f51e1 
+	if (!pb->pb_conn->c_needpw &&
6f51e1 
+	    check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
6f51e1 
 	{
6f51e1 
 		if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
6f51e1 
 		{
6f51e1 
--
6f51e1 
2.9.3
6f51e1

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation