Wrong number passwords in passwordHistory

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/49034

• Created at 2016-11-04 23:38:38 by nhosoi (@nhosoi)
• Closed at 2017-03-06 17:59:41 as invalid
• Assigned to mreynolds (@mreynolds389)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1342585

---

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1342585

Description of problem:
If we decrease passwordInHistory attribute (for instance, from 4 to 3) while
user entry already has some passwordHistory values (four), we will still have
four values even after changing password one more time.

It applied for Directory Manager only. So he can break passwordInHistory rule,
he even can change password to value that is not in passwordHistory.


Build tested:
389-ds-base-1.3.5.4-1.el7.x86_64


How reproducible:
Always


Steps to Reproduce:
1) configure password history feature with, for instance:
passwordInHistory: 4
passwordHistory: on

2) add a new user
ldapmodify -p 389 -h localhost -D "cn=directory manager" -w Secret123
dn: uid=user50,ou=people,o=redhat
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: user50
cn: user50
sn: user50
userpassword: user50

3) change password 4 times.

4) verify passwordHistory has the four values:
ldapsearch -xLLL -p 389 -h localhost -D "cn=directory manager" -w Secret123 -b
"uid=user50,ou=people,o=redhat" passwordHistory
dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1
passwordHistory: 20150724075341Zuser50_2
passwordHistory: 20150724075352Zuser50_3

5) decrease passwordInHistory to 3.
ldapmodify -p 389 -h localhost -D "cn=directory manager" -w Secret123
dn: cn=config
changetype: modify
replace: passwordInHistory
passwordInHistory: 3

6) change password one more time to value that is not in passwordHistory:
ldapmodify -p 389 -h localhost -D "cn=directory manager" -w Secret123
dn: uid=user50,ou=people,o=redhat
changetype: modify
replace: userPassword
userPassword: anotherpass

7) verify passwordHistory has the three values

Actual results:
ldapsearch -xLLL -p 389 -h localhost -D "cn=directory manager" -w Secret123 -b
"uid=user50,ou=people,o=redhat" passwordHistory
dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075352Zuser50_4
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1
passwordHistory: 20150724075341Zuser50_2

Expected results:
ldapsearch -xLLL -p 389 -h localhost -D "cn=directory manager" -w Secret123 -b
"uid=user50,ou=people,o=redhat" passwordHistory
dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075352Zuser50_4
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1

Additional info:
Also, on the step 6, Directory Manager can change password that is in
passwordHistory.

But changing passwords while binding as regular user works as expected.

[389-ds-bot]

Comment from nhosoi (@nhosoi) at 2017-02-11 22:48:32

Metadata Update from @nhosoi:

• Issue set to the milestone: 1.3.6.0

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2017-03-01 18:09:26

Metadata Update from @mreynolds389:

• Issue assigned to mreynolds389

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2017-03-06 17:59:38

This is the expected behaviour. Directory manager, or a password admin, can violate all password policies.

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2017-03-06 17:59:47

Metadata Update from @mreynolds389:

• Issue close_status updated to: invalid
• Issue status updated to: Closed (was: Open)