From 578d207cd66e97e9ff8211559c62114a961e35a8 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 28 Mar 2017 14:21:47 -0400
Subject: [PATCH] Issue 49039 - password min age should be ignored if password
needs to be reset
Description: Do not check the password minimum age when changing a password
if the password "must" be reset.
https://pagure.io/389-ds-base/issue/49039
Reviewed by: firstyear(Thanks!)
---
dirsrvtests/tests/tickets/ticket49039_test.py | 79 +++++++++++++++++++++++++++
ldap/servers/slapd/modify.c | 4 +-
2 files changed, 81 insertions(+), 2 deletions(-)
create mode 100644 dirsrvtests/tests/tickets/ticket49039_test.py
diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py
new file mode 100644
index 0000000..e6d4c03
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49039_test.py
@@ -0,0 +1,79 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import Entry
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+USER_DN = 'uid=user,dc=example,dc=com'
+
+
+def test_ticket49039(topo):
+ """Test "password must change" verses "password min age". Min age should not
+ block password update if the password was reset.
+ """
+
+ # Configure password policy
+ try:
+ topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),
+ (ldap.MOD_REPLACE, 'passwordMustChange', 'on'),
+ (ldap.MOD_REPLACE, 'passwordExp', 'on'),
+ (ldap.MOD_REPLACE, 'passwordMaxAge', '86400000'),
+ (ldap.MOD_REPLACE, 'passwordMinAge', '8640000'),
+ (ldap.MOD_REPLACE, 'passwordChange', 'on')])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to set password policy: ' + str(e))
+
+ # Add user, bind, and set password
+ try:
+ topo.standalone.add_s(Entry((USER_DN, {
+ 'objectclass': 'top extensibleObject'.split(),
+ 'uid': 'user1',
+ 'userpassword': PASSWORD
+ })))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add user: error ' + e.message['desc'])
+ assert False
+
+ # Reset password as RootDN
+ try:
+ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind: error ' + e.message['desc'])
+ assert False
+
+ time.sleep(1)
+
+ # Reset password as user
+ try:
+ topo.standalone.simple_bind_s(USER_DN, PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to change password: error ' + e.message['desc'])
+ assert False
+
+ log.info('Test Passed')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
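Review bot: A failure to configure the password policy is only logged at `log.fatal('Failed to set password policy: ' + str(e))` and, unlike every other handler in the test, is not followed by `assert False`, so if passwordMinAge is never applied the final user-initiated change succeeds for the wrong reason and the test passes vacuously; add `assert False` after that log call. The handler for the RootDN reset reports `Failed to bind` although that block performs a modify_s, so the message should read `log.fatal('Failed to reset password: error ' + e.message['desc'])`. `os` is used by the DEBUGGING line and the `__main__` block but only reaches scope through `from lib389.utils import *`; an explicit `import os` would keep the file self-contained. The test only exercises the positive path; a control that shows the same user-initiated change being rejected by min age once the reset flag is cleared would confirm the policy is enforced rather than silently off, though whether the fixture allows that is not visible here.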
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 4bef90a..32defae 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -1326,8 +1326,8 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
/* check if password is within password minimum age;
error result is sent directly from check_pw_minage */
- if ((internal_op || !pb->pb_conn->c_needpw) &&
- check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
+ if (!pb->pb_conn->c_needpw &&
+ check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
{
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
{
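Review bot: The new condition dereferences `pb->pb_conn` unconditionally, whereas the removed `internal_op ||` term short-circuited before that dereference on the internal-operation path; if internal operations can reach op_shared_allow_pw_change with `pb_conn` unset, which the old guard suggests, this is a NULL dereference for them. A form that keeps the intended exemption while guarding the pointer is `if ((pb->pb_conn == NULL || !pb->pb_conn->c_needpw) &&` on the first added line, which preserves the old min-age check for connectionless operations. The hunk's comment should also say why the reset flag bypasses the check, e.g. `/* a password that must be reset is exempt from the minimum age check */`. op_shared_allow_pw_change starts and ends outside the hunk.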
--
2.9.3