From 578d207cd66e97e9ff8211559c62114a961e35a8 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Tue, 28 Mar 2017 14:21:47 -0400 Subject: [PATCH] Issue 49039 - password min age should be ignored if password needs to be reset Description: Do not check the password minimum age when changing a password if the password "must" be reset. https://pagure.io/389-ds-base/issue/49039 Reviewed by: firstyear(Thanks!) --- dirsrvtests/tests/tickets/ticket49039_test.py | 79 +++++++++++++++++++++++++++ ldap/servers/slapd/modify.c | 4 +- 2 files changed, 81 insertions(+), 2 deletions(-) create mode 100644 dirsrvtests/tests/tickets/ticket49039_test.py diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py new file mode 100644 index 0000000..e6d4c03 --- /dev/null +++ b/dirsrvtests/tests/tickets/ticket49039_test.py @@ -0,0 +1,79 @@ +import time +import ldap +import logging +import pytest +from lib389 import Entry +from lib389._constants import * +from lib389.properties import * +from lib389.tasks import * +from lib389.utils import * +from lib389.topologies import topology_st as topo + +DEBUGGING = os.getenv("DEBUGGING", default=False) +if DEBUGGING: + logging.getLogger(__name__).setLevel(logging.DEBUG) +else: + logging.getLogger(__name__).setLevel(logging.INFO) +log = logging.getLogger(__name__) + +USER_DN = 'uid=user,dc=example,dc=com' + + +def test_ticket49039(topo): + """Test "password must change" verses "password min age". Min age should not + block password update if the password was reset. + """ + + # Configure password policy + try: + topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'), + (ldap.MOD_REPLACE, 'passwordMustChange', 'on'), + (ldap.MOD_REPLACE, 'passwordExp', 'on'), + (ldap.MOD_REPLACE, 'passwordMaxAge', '86400000'), + (ldap.MOD_REPLACE, 'passwordMinAge', '8640000'), + (ldap.MOD_REPLACE, 'passwordChange', 'on')]) + except ldap.LDAPError as e: + log.fatal('Failed to set password policy: ' + str(e)) + + # Add user, bind, and set password + try: + topo.standalone.add_s(Entry((USER_DN, { + 'objectclass': 'top extensibleObject'.split(), + 'uid': 'user1', + 'userpassword': PASSWORD + }))) + except ldap.LDAPError as e: + log.fatal('Failed to add user: error ' + e.message['desc']) + assert False + + # Reset password as RootDN + try: + topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)]) + except ldap.LDAPError as e: + log.fatal('Failed to bind: error ' + e.message['desc']) + assert False + + time.sleep(1) + + # Reset password as user + try: + topo.standalone.simple_bind_s(USER_DN, PASSWORD) + except ldap.LDAPError as e: + log.fatal('Failed to bind: error ' + e.message['desc']) + assert False + + try: + topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)]) + except ldap.LDAPError as e: + log.fatal('Failed to change password: error ' + e.message['desc']) + assert False + + log.info('Test Passed') + + +if __name__ == '__main__': + # Run isolated + # -s for DEBUG mode + CURRENT_FILE = os.path.realpath(__file__) + pytest.main("-s %s" % CURRENT_FILE) + diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c index 4bef90a..32defae 100644 --- a/ldap/servers/slapd/modify.c +++ b/ldap/servers/slapd/modify.c @@ -1326,8 +1326,8 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old /* check if password is within password minimum age; error result is sent directly from check_pw_minage */ - if ((internal_op || !pb->pb_conn->c_needpw) && - check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) + if (!pb->pb_conn->c_needpw && + check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) { if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { -- 2.9.3