|
|
96373c |
From 86efa0314c59550f0660c8d143a52a57b1dffb96 Mon Sep 17 00:00:00 2001
|
|
|
96373c |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
96373c |
Date: Thu, 18 Jan 2018 09:56:17 -0500
|
|
|
96373c |
Subject: [PATCH] Ticket 49370 - Add all the password policy defaults to a new
|
|
|
96373c |
local policy
|
|
|
96373c |
|
|
|
96373c |
Bug Description: When processing a local password policy we were not pulling
|
|
|
96373c |
in the defaults for the "on/off" settings. This patch
|
|
|
96373c |
addresses that.
|
|
|
96373c |
|
|
|
96373c |
Fix Description: Create common default init functions for all password policies
|
|
|
96373c |
|
|
|
96373c |
https://pagure.io/389-ds-base/issue/49370
|
|
|
96373c |
|
|
|
96373c |
Reviewed by: tbordaz, wibrown, and spichugi (Thanks!!!)
|
|
|
96373c |
|
|
|
96373c |
(cherry picked from commit c8b388bf9f5269e1e1dc8c7c70ec8e58e825204a)
|
|
|
96373c |
---
|
|
|
96373c |
.../tests/suites/password/regression_test.py | 58 +++++++++++++--
|
|
|
96373c |
ldap/servers/slapd/libglobs.c | 84 ++++++++++++++--------
|
|
|
96373c |
ldap/servers/slapd/pw.c | 29 ++------
|
|
|
96373c |
ldap/servers/slapd/slap.h | 2 +
|
|
|
96373c |
4 files changed, 113 insertions(+), 60 deletions(-)
|
|
|
96373c |
|
|
|
96373c |
diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
|
|
|
96373c |
index f6ee16773..800294057 100644
|
|
|
96373c |
--- a/dirsrvtests/tests/suites/password/regression_test.py
|
|
|
96373c |
+++ b/dirsrvtests/tests/suites/password/regression_test.py
|
|
|
96373c |
@@ -6,9 +6,10 @@
|
|
|
96373c |
# --- END COPYRIGHT BLOCK ---
|
|
|
96373c |
#
|
|
|
96373c |
import pytest
|
|
|
96373c |
-from lib389._constants import SUFFIX, PASSWORD
|
|
|
96373c |
+import time
|
|
|
96373c |
+from lib389._constants import SUFFIX, PASSWORD, DN_DM
|
|
|
96373c |
from lib389.idm.user import UserAccounts
|
|
|
96373c |
-from lib389.utils import ldap, os, logging
|
|
|
96373c |
+from lib389.utils import ldap, os, logging, ensure_bytes
|
|
|
96373c |
from lib389.topologies import topology_st as topo
|
|
|
96373c |
|
|
|
96373c |
DEBUGGING = os.getenv("DEBUGGING", default=False)
|
|
|
96373c |
@@ -20,6 +21,7 @@ log = logging.getLogger(__name__)
|
|
|
96373c |
|
|
|
96373c |
user_data = {'cn': 'CNpwtest1', 'sn': 'SNpwtest1', 'uid': 'UIDpwtest1', 'mail': 'MAILpwtest1@redhat.com',
|
|
|
96373c |
'givenname': 'GNpwtest1'}
|
|
|
96373c |
+
|
|
|
96373c |
TEST_PASSWORDS = list(user_data.values())
|
|
|
96373c |
# Add substring/token values of "CNpwtest1"
|
|
|
96373c |
TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
|
|
|
96373c |
@@ -37,13 +39,20 @@ def passw_policy(topo, request):
|
|
|
96373c |
"""Configure password policy with PasswordCheckSyntax attribute set to on"""
|
|
|
96373c |
|
|
|
96373c |
log.info('Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to on')
|
|
|
96373c |
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
|
|
|
96373c |
topo.standalone.config.set('PasswordExp', 'on')
|
|
|
96373c |
topo.standalone.config.set('PasswordCheckSyntax', 'off')
|
|
|
96373c |
topo.standalone.config.set('nsslapd-pwpolicy-local', 'on')
|
|
|
96373c |
|
|
|
96373c |
subtree = 'ou=people,{}'.format(SUFFIX)
|
|
|
96373c |
log.info('Configure subtree password policy for {}'.format(subtree))
|
|
|
96373c |
- topo.standalone.subtreePwdPolicy(subtree, {'passwordchange': 'on', 'passwordCheckSyntax': 'on'})
|
|
|
96373c |
+ topo.standalone.subtreePwdPolicy(subtree, {'passwordchange': ensure_bytes('on'),
|
|
|
96373c |
+ 'passwordCheckSyntax': ensure_bytes('on'),
|
|
|
96373c |
+ 'passwordLockout': ensure_bytes('on'),
|
|
|
96373c |
+ 'passwordResetFailureCount': ensure_bytes('3'),
|
|
|
96373c |
+ 'passwordLockoutDuration': ensure_bytes('3'),
|
|
|
96373c |
+ 'passwordMaxFailure': ensure_bytes('2')})
|
|
|
96373c |
+ time.sleep(1)
|
|
|
96373c |
|
|
|
96373c |
def fin():
|
|
|
96373c |
log.info('Reset pwpolicy configuration settings')
|
|
|
96373c |
@@ -76,6 +85,47 @@ def test_user(topo, request):
|
|
|
96373c |
return tuser
|
|
|
96373c |
|
|
|
96373c |
|
|
|
96373c |
+def test_pwp_local_unlock(topo, passw_policy, test_user):
|
|
|
96373c |
+ """Test subtree policies use the same global default for passwordUnlock
|
|
|
96373c |
+
|
|
|
96373c |
+ :id: 741a8417-5f65-4012-b9ed-87987ce3ca1b
|
|
|
96373c |
+ :setup: Standalone instance
|
|
|
96373c |
+ :steps:
|
|
|
96373c |
+ 1. Test user can bind
|
|
|
96373c |
+ 2. Bind with bad passwords to lockout account, and verify account is locked
|
|
|
96373c |
+ 3. Wait for lockout interval, and bind with valid password
|
|
|
96373c |
+ :expectedresults:
|
|
|
96373c |
+ 1. Bind successful
|
|
|
96373c |
+ 2. Entry is locked
|
|
|
96373c |
+ 3. Entry can bind with correct password
|
|
|
96373c |
+ """
|
|
|
96373c |
+
|
|
|
96373c |
+ log.info("Verify user can bind...")
|
|
|
96373c |
+ test_user.bind(PASSWORD)
|
|
|
96373c |
+
|
|
|
96373c |
+ log.info('Test passwordUnlock default - user should be able to reset password after lockout')
|
|
|
96373c |
+ for i in range(0,2):
|
|
|
96373c |
+ try:
|
|
|
96373c |
+ test_user.bind("bad-password")
|
|
|
96373c |
+ except ldap.INVALID_CREDENTIALS:
|
|
|
96373c |
+ # expected
|
|
|
96373c |
+ pass
|
|
|
96373c |
+ except ldap.LDAPError as e:
|
|
|
96373c |
+ log.fatal("Got unexpected failure: " + atr(e))
|
|
|
96373c |
+ raise e
|
|
|
96373c |
+
|
|
|
96373c |
+
|
|
|
96373c |
+ log.info('Verify account is locked')
|
|
|
96373c |
+ with pytest.raises(ldap.CONSTRAINT_VIOLATION):
|
|
|
96373c |
+ test_user.bind(PASSWORD)
|
|
|
96373c |
+
|
|
|
96373c |
+ log.info('Wait for lockout duration...')
|
|
|
96373c |
+ time.sleep(4)
|
|
|
96373c |
+
|
|
|
96373c |
+ log.info('Check if user can now bind with correct password')
|
|
|
96373c |
+ test_user.bind(PASSWORD)
|
|
|
96373c |
+
|
|
|
96373c |
+
|
|
|
96373c |
@pytest.mark.bz1465600
|
|
|
96373c |
@pytest.mark.parametrize("user_pasw", TEST_PASSWORDS)
|
|
|
96373c |
def test_trivial_passw_check(topo, passw_policy, test_user, user_pasw):
|
|
|
96373c |
@@ -143,4 +193,4 @@ if __name__ == '__main__':
|
|
|
96373c |
# Run isolated
|
|
|
96373c |
# -s for DEBUG mode
|
|
|
96373c |
CURRENT_FILE = os.path.realpath(__file__)
|
|
|
96373c |
- pytest.main("-s {}".format(CURRENT_FILE))
|
|
|
96373c |
+ pytest.main(["-s", CURRENT_FILE])
|
|
|
96373c |
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
|
|
|
96373c |
index 1ba30002f..c1a765aca 100644
|
|
|
96373c |
--- a/ldap/servers/slapd/libglobs.c
|
|
|
96373c |
+++ b/ldap/servers/slapd/libglobs.c
|
|
|
96373c |
@@ -1401,6 +1401,56 @@ getFrontendConfig(void)
|
|
|
96373c |
*/
|
|
|
96373c |
|
|
|
96373c |
void
|
|
|
96373c |
+pwpolicy_init_defaults (passwdPolicy *pw_policy)
|
|
|
96373c |
+{
|
|
|
96373c |
+ pw_policy->pw_change = LDAP_ON;
|
|
|
96373c |
+ pw_policy->pw_must_change = LDAP_OFF;
|
|
|
96373c |
+ pw_policy->pw_syntax = LDAP_OFF;
|
|
|
96373c |
+ pw_policy->pw_exp = LDAP_OFF;
|
|
|
96373c |
+ pw_policy->pw_send_expiring = LDAP_OFF;
|
|
|
96373c |
+ pw_policy->pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
|
|
|
96373c |
+ pw_policy->pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
|
|
|
96373c |
+ pw_policy->pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
|
|
|
96373c |
+ pw_policy->pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
|
|
|
96373c |
+ pw_policy->pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
|
|
|
96373c |
+ pw_policy->pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
|
|
|
96373c |
+ pw_policy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
|
|
|
96373c |
+ pw_policy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
|
|
|
96373c |
+ pw_policy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
|
|
|
96373c |
+ pw_policy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
|
|
|
96373c |
+ pw_policy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
|
|
|
96373c |
+ pw_policy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
|
|
|
96373c |
+ pw_policy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
|
|
|
96373c |
+ pw_policy->pw_history = LDAP_OFF;
|
|
|
96373c |
+ pw_policy->pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
|
|
|
96373c |
+ pw_policy->pw_lockout = LDAP_OFF;
|
|
|
96373c |
+ pw_policy->pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
|
|
|
96373c |
+ pw_policy->pw_unlock = LDAP_ON;
|
|
|
96373c |
+ pw_policy->pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
|
|
|
96373c |
+ pw_policy->pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
|
|
|
96373c |
+ pw_policy->pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
|
|
|
96373c |
+ pw_policy->pw_admin = NULL;
|
|
|
96373c |
+ pw_policy->pw_admin_user = NULL;
|
|
|
96373c |
+ pw_policy->pw_is_legacy = LDAP_ON;
|
|
|
96373c |
+ pw_policy->pw_track_update_time = LDAP_OFF;
|
|
|
96373c |
+}
|
|
|
96373c |
+
|
|
|
96373c |
+static void
|
|
|
96373c |
+pwpolicy_fe_init_onoff(passwdPolicy *pw_policy)
|
|
|
96373c |
+{
|
|
|
96373c |
+ init_pw_change = pw_policy->pw_change;
|
|
|
96373c |
+ init_pw_must_change = pw_policy->pw_must_change;
|
|
|
96373c |
+ init_pw_syntax = pw_policy->pw_syntax;
|
|
|
96373c |
+ init_pw_exp = pw_policy->pw_exp;
|
|
|
96373c |
+ init_pw_send_expiring = pw_policy->pw_send_expiring;
|
|
|
96373c |
+ init_pw_history = pw_policy->pw_history;
|
|
|
96373c |
+ init_pw_lockout = pw_policy->pw_lockout;
|
|
|
96373c |
+ init_pw_unlock = pw_policy->pw_unlock;
|
|
|
96373c |
+ init_pw_is_legacy = pw_policy->pw_is_legacy;
|
|
|
96373c |
+ init_pw_track_update_time = pw_policy->pw_track_update_time;
|
|
|
96373c |
+}
|
|
|
96373c |
+
|
|
|
96373c |
+void
|
|
|
96373c |
FrontendConfig_init(void)
|
|
|
96373c |
{
|
|
|
96373c |
slapdFrontendConfig_t *cfg = getFrontendConfig();
|
|
|
96373c |
@@ -1511,41 +1561,13 @@ FrontendConfig_init(void)
|
|
|
96373c |
* let clients abide by the LDAP standards and send us a SASL/EXTERNAL bind
|
|
|
96373c |
* if that's what they want to do */
|
|
|
96373c |
init_force_sasl_external = cfg->force_sasl_external = LDAP_OFF;
|
|
|
96373c |
-
|
|
|
96373c |
init_readonly = cfg->readonly = LDAP_OFF;
|
|
|
96373c |
+
|
|
|
96373c |
+ pwpolicy_init_defaults(&cfg->pw_policy);
|
|
|
96373c |
+ pwpolicy_fe_init_onoff(&cfg->pw_policy);
|
|
|
96373c |
init_pwpolicy_local = cfg->pwpolicy_local = LDAP_OFF;
|
|
|
96373c |
init_pwpolicy_inherit_global = cfg->pwpolicy_inherit_global = LDAP_OFF;
|
|
|
96373c |
- init_pw_change = cfg->pw_policy.pw_change = LDAP_ON;
|
|
|
96373c |
- init_pw_must_change = cfg->pw_policy.pw_must_change = LDAP_OFF;
|
|
|
96373c |
init_allow_hashed_pw = cfg->allow_hashed_pw = LDAP_OFF;
|
|
|
96373c |
- init_pw_syntax = cfg->pw_policy.pw_syntax = LDAP_OFF;
|
|
|
96373c |
- init_pw_exp = cfg->pw_policy.pw_exp = LDAP_OFF;
|
|
|
96373c |
- init_pw_send_expiring = cfg->pw_policy.pw_send_expiring = LDAP_OFF;
|
|
|
96373c |
- cfg->pw_policy.pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
|
|
|
96373c |
- cfg->pw_policy.pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
|
|
|
96373c |
- cfg->pw_policy.pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
|
|
|
96373c |
- cfg->pw_policy.pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
|
|
|
96373c |
- cfg->pw_policy.pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
|
|
|
96373c |
- cfg->pw_policy.pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
|
|
|
96373c |
- cfg->pw_policy.pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
|
|
|
96373c |
- cfg->pw_policy.pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
|
|
|
96373c |
- cfg->pw_policy.pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
|
|
|
96373c |
- cfg->pw_policy.pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
|
|
|
96373c |
- cfg->pw_policy.pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
|
|
|
96373c |
- cfg->pw_policy.pw_minage = SLAPD_DEFAULT_PW_MINAGE;
|
|
|
96373c |
- cfg->pw_policy.pw_warning = SLAPD_DEFAULT_PW_WARNING;
|
|
|
96373c |
- init_pw_history = cfg->pw_policy.pw_history = LDAP_OFF;
|
|
|
96373c |
- cfg->pw_policy.pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
|
|
|
96373c |
- init_pw_lockout = cfg->pw_policy.pw_lockout = LDAP_OFF;
|
|
|
96373c |
- cfg->pw_policy.pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
|
|
|
96373c |
- init_pw_unlock = cfg->pw_policy.pw_unlock = LDAP_ON;
|
|
|
96373c |
- cfg->pw_policy.pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
|
|
|
96373c |
- cfg->pw_policy.pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
|
|
|
96373c |
- cfg->pw_policy.pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
|
|
|
96373c |
- cfg->pw_policy.pw_admin = NULL;
|
|
|
96373c |
- cfg->pw_policy.pw_admin_user = NULL;
|
|
|
96373c |
- init_pw_is_legacy = cfg->pw_policy.pw_is_legacy = LDAP_ON;
|
|
|
96373c |
- init_pw_track_update_time = cfg->pw_policy.pw_track_update_time = LDAP_OFF;
|
|
|
96373c |
init_pw_is_global_policy = cfg->pw_is_global_policy = LDAP_OFF;
|
|
|
96373c |
|
|
|
96373c |
init_accesslog_logging_enabled = cfg->accesslog_logging_enabled = LDAP_ON;
|
|
|
96373c |
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
|
|
|
96373c |
index 53464c64a..3a545e12e 100644
|
|
|
96373c |
--- a/ldap/servers/slapd/pw.c
|
|
|
96373c |
+++ b/ldap/servers/slapd/pw.c
|
|
|
96373c |
@@ -1730,32 +1730,11 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
|
|
|
96373c |
goto done;
|
|
|
96373c |
}
|
|
|
96373c |
|
|
|
96373c |
- /* Set the default values */
|
|
|
96373c |
- pwdpolicy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
|
|
|
96373c |
- pwdpolicy->pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
|
|
|
96373c |
- pwdpolicy->pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
|
|
|
96373c |
- pwdpolicy->pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
|
|
|
96373c |
- pwdpolicy->pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
|
|
|
96373c |
- pwdpolicy->pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
|
|
|
96373c |
- pwdpolicy->pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
|
|
|
96373c |
- pwdpolicy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
|
|
|
96373c |
- pwdpolicy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
|
|
|
96373c |
- pwdpolicy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
|
|
|
96373c |
- pwdpolicy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
|
|
|
96373c |
- pwdpolicy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
|
|
|
96373c |
- pwdpolicy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
|
|
|
96373c |
- pwdpolicy->pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
|
|
|
96373c |
- pwdpolicy->pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
|
|
|
96373c |
- pwdpolicy->pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
|
|
|
96373c |
- pwdpolicy->pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
|
|
|
96373c |
- pwdpolicy->pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
|
|
|
96373c |
-
|
|
|
96373c |
- /* set the default passwordLegacyPolicy setting */
|
|
|
96373c |
- pwdpolicy->pw_is_legacy = 1;
|
|
|
96373c |
-
|
|
|
96373c |
- /* set passwordTrackUpdateTime */
|
|
|
96373c |
- pwdpolicy->pw_track_update_time = slapdFrontendConfig->pw_policy.pw_track_update_time;
|
|
|
96373c |
+ /* Set the default values (from libglobs.c) */
|
|
|
96373c |
+ pwpolicy_init_defaults(pwdpolicy);
|
|
|
96373c |
+ pwdpolicy->pw_storagescheme = slapdFrontendConfig->pw_storagescheme;
|
|
|
96373c |
|
|
|
96373c |
+ /* Set the defined values now */
|
|
|
96373c |
for (slapi_entry_first_attr(pw_entry, &attr); attr;
|
|
|
96373c |
slapi_entry_next_attr(pw_entry, attr, &attr)) {
|
|
|
96373c |
slapi_attr_get_type(attr, &attr_name);
|
|
|
96373c |
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
|
|
|
96373c |
index 08754d8fb..f6fc374a4 100644
|
|
|
96373c |
--- a/ldap/servers/slapd/slap.h
|
|
|
96373c |
+++ b/ldap/servers/slapd/slap.h
|
|
|
96373c |
@@ -1773,6 +1773,8 @@ typedef struct passwordpolicyarray
|
|
|
96373c |
Slapi_DN **pw_admin_user;
|
|
|
96373c |
} passwdPolicy;
|
|
|
96373c |
|
|
|
96373c |
+void pwpolicy_init_defaults (passwdPolicy *pw_policy);
|
|
|
96373c |
+
|
|
|
96373c |
Slapi_PBlock *slapi_pblock_clone(Slapi_PBlock *pb); /* deprecated */
|
|
|
96373c |
|
|
|
96373c |
passwdPolicy *slapi_pblock_get_pwdpolicy(Slapi_PBlock *pb);
|
|
|
96373c |
--
|
|
|
96373c |
2.13.6
|
|
|
96373c |
|