
Re: (ITS#8349) fix ppolicy issue



Hi,

On Tue, 12 Jan 2016 17:46:23 +0900,
Michael Ströder wrote:
> 
> > 1) reduce pwdInHistory
> > If pwdInHistory is set to 5 and then reduced to 3,
> 
> I try to rephrase:
> If attribute 'pwdHistory' in the user entry has 5 values and attribute
> 'pwdInHistory' in the policy entry is 3 then ignore (and remove?) the 2 oldest
> 'pwdHistory' values.
> 
Exactly! Thanks for your rephrase.

> Are values in 'pwdInHistory' sorted by timestamp in this part of the code?
> 
Ya, the parsed pwdInHistory values (pw_hist *tl) are sorted in ascending time order.
So, in this case, we need to ignore the first 2 attributes and then check 3 attributes.

> > We expect the password to be checked against three history values, but
> > ppolicy checks the password against all pwdHistory attributes.
> > 
> > 2) reduce pwdInHistory to zero
> > If pwdInHistory is set to 5 and then reduced to 0,
> 
> I try to rephrase:
> If attribute 'pwdHistory' in the user entry is set and attribute 'pwdInHistory'
> in the policy entry is 0 then ignore (and remove?) 'pwdHistory' completely.
> 
> > We expect that ppolicy password checking will be disabled, but the
> > pwdHistory attributes remain, so password checking is still
> > enabled.
> > We need to remove the pwdHistory attributes.
> 
> I'm not sure whether removing 'pwdHistory' attribute (values) is the right thing
> to do. If you want to increase 'pwdInHistory' later then the old values are lost.
> 

Currently, pwdHistory attributes are truncated when 'pwdInHistory' is
reduced.
But this process is simply skipped when pwdInHistory: 0. This
behavior is unnatural.
I know how you feel.
I'm sure the root of the issue is that the 'pwdInHistory' attribute has both
roles: "number of pwdHistory values to record" and "number of pwdHistory
values to check".
It would be desirable to split them, the same as 'pwdMaxFailure' and
'pwdMaxRecordedFailure'.

Thank you.

> Ciao, Michael.
> 

-- 
Open Source Solution Technology Corporation
HAMANO Tsukasa <hamano@osstech.co.jp>
fingerprint = 3747 AB70 7B98 7882 46F5  87E1 BF91 A2C1 7DC1 5E3D
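
Added example, not part of the original message and not the ppolicy overlay's code: a sketch of the check discussed in this thread, where only the newest pwdInHistory values of a history list sorted oldest-first are compared and a limit of 0 disables the check. The names `hist_entry`, `in_checked_history` and `sample` are hypothetical, and the plain string comparison is an assumption of the sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one parsed pwdHistory value; this is not the
 * overlay's real pw_hist definition. Entries are linked oldest-first. */
struct hist_entry {
    long when;                /* constructed timestamp */
    const char *value;        /* stored value; plain string in this sketch */
    struct hist_entry *next;  /* next newer entry, NULL at the newest */
};

/* Return 1 if candidate matches one of the newest in_history entries.
 * in_history plays the role of pwdInHistory from the policy entry. */
int in_checked_history(const struct hist_entry *head, int in_history,
                       const char *candidate)
{
    const struct hist_entry *p;
    size_t n = 0, skip;

    if (in_history <= 0)
        return 0;                       /* pwdInHistory: 0, no history check */
    for (p = head; p; p = p->next)
        n++;
    /* Entries beyond the limit are the oldest ones, at the front. */
    skip = n > (size_t)in_history ? n - (size_t)in_history : 0;
    for (p = head; skip > 0; skip--)
        p = p->next;
    for (; p; p = p->next)
        if (strcmp(p->value, candidate) == 0)
            return 1;
    return 0;
}

/* Constructed sample: five stored values, oldest first. */
static struct hist_entry sample[5] = {
    {1, "pw1", &sample[1]}, {2, "pw2", &sample[2]}, {3, "pw3", &sample[3]},
    {4, "pw4", &sample[4]}, {5, "pw5", NULL},
};

int main(void)
{
    printf("limit 5, pw1: %d\n", in_checked_history(sample, 5, "pw1"));
    printf("limit 3, pw1: %d\n", in_checked_history(sample, 3, "pw1"));
    printf("limit 3, pw3: %d\n", in_checked_history(sample, 3, "pw3"));
    printf("limit 0, pw5: %d\n", in_checked_history(sample, 0, "pw5"));
    return 0;
}
```

The stored values are left untouched, so raising the limit again brings the older entries back into the check.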