Insufficient rights to unhashed#user#password when user deletes his password #455

Closed
389-ds-bot opened this issue Sep 12, 2020 · 5 comments

@389-ds-bot
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/455


See also related https://fedorahosted.org/389/ticket/45.

Steps to reproduce:

  1. Set local password policy entry:
    dn: cn="cn=nsPwPolicyEntry,ou=People,dc=example,dc=com",
    cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
    ...
    passwordStorageScheme: CLEAR
    passwordChange: on
    ...

  2. Add new user to ou=People,dc=example,dc=com

ldapmodify -h localhost -p 389 -D "cn=directory manager" -w dirmanager -a <<EOF
dn: uid=test_user1,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
uid: test_user1
cn: test1
sn: user1
userPassword: testpassword
EOF

  3. Try to delete user's password:

ldapmodify -h localhost -p 389 -D "uid=test_user1,ou=People,dc=example,dc=com" -w testpassword <<EOF
dn: uid=test_user0,ou=People,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: testpassword
EOF

Deleting password with password supplied for user uid=test_user0,ou=People,dc=example,dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'unhashed#user#password' attribute of entry 'uid=test_user0,ou=People,dc=example,dc=com'.

DS version: 389-ds-base-1.2.11.13-1.el6.x86_64

This is already covered by pwdmodify/pwdmodify-qa.sh bug834047_1

@389-ds-bot 389-ds-bot added the closed: fixed Migration flag - Issue label Sep 12, 2020
@389-ds-bot 389-ds-bot added this to the 1.3.0.rc1 milestone Sep 12, 2020
@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-10-09 05:58:43

Bug Description: Setting CLEAR to the passwordStorageScheme, then
deleting a userpassword with the value fails due to the lack of
right to delete the corresponding pseudo attribute.

Fix Description: Skip evaluating the aci of the pseudo attribute
in the deletion as being done in the replacement.

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-10-10 02:36:41

Reviewed by Rich (Thank you!!)

Pushed to master.

$ git merge trac455
Updating 53e16ed..d6d9d07
Fast-forward
ldap/servers/plugins/acl/acl.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 920 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
53e16ed..d6d9d07 master -> master

@389-ds-bot

Comment from nkinder (@nkinder) at 2013-03-07 00:14:53

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=918701

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2017-02-11 22:51:56

Metadata Update from @nhosoi:

  • Issue assigned to nhosoi
  • Issue set to the milestone: 1.3.0.rc1
