Full_Name: HAMANO Tsukasa
Version: 2.4.43
OS: Linux
URL: https://www.osstech.co.jp/download/hamano/openldap/ppolicy_fix_pwdInHistory.patch
Submission from: (NULL) (240b:10:2640:bf0:290:4cff:fe0d:f43e)

We fixed several issues around ppolicy.

1) reduce pwdInHistory
If set pwdInHistory to 5 then reduce pwdInHistory to 3,
We expect to check password with three history, but ppolicy check
password with all pwdHistory attribute.

2) reduce pwdInHistory to zero
If set pwdInHistory to 5 then reduce pwdInHistory to 0,
We expect that ppolicy password checking will be disabled, but the
pwdHistory attributes remain, so password checking is still
enabled.
We need to remove pwdHistory attribute.

Please apply the patch.
Thank you.

Frankly I don't understand your text.

hamano@osstech.co.jp wrote:
> We fixed several issues around ppolicy.
>
> 1) reduce pwdInHistory
> If set pwdInHistory to 5 then reduce pwdInHistory to 3,

I try to rephrase:
If attribute 'pwdHistory' in the user entry has 5 values and attribute
'pwdInHistory' in the policy entry is 3 then ignore (and remove?) the 2 oldest
'pwdHistory' values.

Are values in 'pwdInHistory' sorted by timestamp in this part of the code?

> We expect to check password with three history, but ppolicy check
> password with all pwdHistory attribute.
>
> 2) reduce pwdInHistory to zero
> If set pwdInHistory to 5 then reduce pwdInHistory to 0,

I try to rephrase:
If attribute 'pwdHistory' in the user entry is set and attribute 'pwdInHistory'
in the policy entry is 0 then ignore (and remove?) 'pwdHistory' completely.

> We expect that ppolicy password checking will be disabled, but the
> pwdHistory attributes remain, so password checking is still
> enabled.
> We need to remove pwdHistory attribute.

I'm not sure whether removing 'pwdHistory' attribute (values) is the right thing
to do. If you want to increase 'pwdInHistory' later then the old values are lost.

Ciao, Michael.

Hi,

On Tue, 12 Jan 2016 17:46:23 +0900,
Michael Ströder wrote:
>
> > 1) reduce pwdInHistory
> > If set pwdInHistory to 5 then reduce pwdInHistory to 3,
>
> I try to rephrase:
> If attribute 'pwdHistory' in the user entry has 5 values and attribute
> 'pwdInHistory' in the policy entry is 3 then ignore (and remove?) the 2 oldest
> 'pwdHistory' values.
>

Exactly! Thanks for your rephrase.

> Are values in 'pwdInHistory' sorted by timestamp in this part of the code?
>

Ya, parsed pwdInHistory(pw_hist *tl) are sorted by ascending time order.
So, in this case, we need to ignore first 2 attributes then check 3 attributes.

> > We expect to check password with three history, but ppolicy check
> > password with all pwdHistory attribute.
> >
> > 2) reduce pwdInHistory to zero
> > If set pwdInHistory to 5 then reduce pwdInHistory to 0,
>
> I try to rephrase:
> If attribute 'pwdHistory' in the user entry is set and attribute 'pwdInHistory'
> in the policy entry is 0 then ignore (and remove?) 'pwdHistory' completely.
>
> > We expect that ppolicy password checking will be disabled, but the
> > pwdHistory attributes remain, so password checking is still
> > enabled.
> > We need to remove pwdHistory attribute.
>
> I'm not sure whether removing 'pwdHistory' attribute (values) is the right thing
> to do. If you want to increase 'pwdInHistory' later then the old values are lost.
>

Currently, pwdHistory attributes will truncate when to reduce 'pwdInHistory'.
But this process is simply skipping when pwdInHistory: 0.
This behavior is unnatural.

I know how you feel. I'm sure root of issue is that 'pwdInHistory'
attribute have both role "number of record pwdHistory" and "number of
check pwdHistory".
They are desirable to split same as 'pwdMaxFailure' and
'pwdMaxRecordedFailure'.

Thank you.

> Ciao, Michael.
>

--
Open Source Solution Technology Corporation
HAMANO Tsukasa <hamano@osstech.co.jp>
fingerprint = 3747 AB70 7B98 7882 46F5 87E1 BF91 A2C1 7DC1 5E3D

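The check window discussed in the messages above, as an added example (not code from the OpenLDAP source or from the submitted patch): with the history sorted oldest first, only the newest pwdInHistory values are compared, and 0 compares none. The struct, function names and sample values are hypothetical, and plain strcmp stands in for the server's hashed-password comparison.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one parsed pwdHistory value (not slapd's type). */
struct hist_entry {
    const char *timestamp; /* time the password was retired */
    const char *stored;    /* stored credential; a plain token here, a hash in practice */
};

/* Constructed sample history, sorted oldest first as described in the thread. */
static const struct hist_entry SAMPLE[] = {
    { "20150101000000Z", "pw-a" }, { "20150201000000Z", "pw-b" },
    { "20150301000000Z", "pw-c" }, { "20150401000000Z", "pw-d" },
    { "20150501000000Z", "pw-e" },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Index of the first entry inside the policy window. Entries before it are
 * the oldest values, which a reduced pwdInHistory excludes from the check. */
size_t hist_first_checked(size_t n_hist, int pwd_in_history)
{
    if (pwd_in_history <= 0)
        return n_hist;                  /* 0: history checking is off */
    if ((size_t)pwd_in_history >= n_hist)
        return 0;                       /* window covers every stored value */
    return n_hist - (size_t)pwd_in_history;
}

/* 1 if candidate matches one of the newest pwd_in_history entries, else 0. */
int hist_rejects(const struct hist_entry *h, size_t n_hist,
                 int pwd_in_history, const char *candidate)
{
    for (size_t i = hist_first_checked(n_hist, pwd_in_history); i < n_hist; i++)
        if (strcmp(h[i].stored, candidate) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* pwdInHistory reduced from 5 to 3: "pw-a" falls outside the window. */
    printf("limit 5 rejects pw-a: %d\n", hist_rejects(SAMPLE, SAMPLE_LEN, 5, "pw-a"));
    printf("limit 3 rejects pw-a: %d\n", hist_rejects(SAMPLE, SAMPLE_LEN, 3, "pw-a"));
    printf("limit 0 rejects pw-e: %d\n", hist_rejects(SAMPLE, SAMPLE_LEN, 0, "pw-e"));
    return 0;
}
```

The index returned by hist_first_checked is also the number of oldest values that fall outside the window, which is the set the thread debates whether to delete or merely ignore.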
changed notes moved from Incoming to Software Bugs
changed notes
--On Tuesday, January 12, 2016 7:28 AM +0000 hamano@osstech.co.jp wrote:

> Full_Name: HAMANO Tsukasa
> Version: 2.4.43
> OS: Linux
> URL: https://www.osstech.co.jp/download/hamano/openldap/ppolicy_fix_pwdInHistory.patch
> Submission from: (NULL) (240b:10:2640:bf0:290:4cff:fe0d:f43e)
>
>
> We fixed several issues around ppolicy.
>
> 1) reduce pwdInHistory
> If set pwdInHistory to 5 then reduce pwdInHistory to 3,
> We expect to check password with three history, but ppolicy check
> password with all pwdHistory attribute.
>
> 2) reduce pwdInHistory to zero
> If set pwdInHistory to 5 then reduce pwdInHistory to 0,
> We expect that ppolicy password checking will be disabled, but the
> pwdHistory attributes remain, so password checking is still
> enabled.
> We need to remove pwdHistory attribute.

Hi,

I'm working on catching up on old ITS submissions. This submission is
missing an IPR and cannot be included until it is provided. Please see
<http://www.openldap.org/devel/contributing.html> for information on the IPR
requirements.

Thanks,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Sorry for my late reply.

https://www.osstech.co.jp/download/hamano/openldap/ppolicy_fix_pwdInHistory.patch

The attached file is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following
patch(es) were developed by Open Source Solution Technology
Corporation. Open Source Solution Technology Corporation has not
assigned rights and/or interest in this work to any party. I, HAMANO
Tsukasa am authorized by Open Source Solution Technology Corporation,
my employer, to release this work under the following terms.

Open Source Solution Technology Corporation hereby place the following
modifications to OpenLDAP Software (and only these modifications) into
the public domain. Hence, these modifications may be freely used
and/or redistributed for any purpose with or without attribution
and/or other notice.

On Fri, 08 Sep 2017 01:21:42 +0900,
Quanah Gibson-Mount wrote:
>
> --On Tuesday, January 12, 2016 7:28 AM +0000 hamano@osstech.co.jp wrote:
>
> > Full_Name: HAMANO Tsukasa
> > Version: 2.4.43
> > OS: Linux
> > URL: https://www.osstech.co.jp/download/hamano/openldap/ppolicy_fix_pwdInHistory.patch
> > Submission from: (NULL) (240b:10:2640:bf0:290:4cff:fe0d:f43e)
> >
> >
> > We fixed several issues around ppolicy.
> >
> > 1) reduce pwdInHistory
> > If set pwdInHistory to 5 then reduce pwdInHistory to 3,
> > We expect to check password with three history, but ppolicy check
> > password with all pwdHistory attribute.
> >
> > 2) reduce pwdInHistory to zero
> > If set pwdInHistory to 5 then reduce pwdInHistory to 0,
> > We expect that ppolicy password checking will be disabled, but the
> > pwdHistory attributes remain, so password checking is still
> > enabled.
> > We need to remove pwdHistory attribute.
>
> Hi,
>
> I'm working on catching up on old ITS submissions. This submission is
> missing an IPR and cannot be included until it is provided. Please
> see <http://www.openldap.org/devel/contributing.html> for information
> on the IPR requirements.
>
> Thanks,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>

--
Open Source Solution Technology Corporation
HAMANO Tsukasa <hamano@osstech.co.jp>

changed notes changed state Open to Test
changed notes changed state Test to Release
Fixed in master
Fixed in RE24 (2.4.48)
changed notes changed state Release to Closed