Fixes are available
Tivoli Directory Server, Version 18.104.22.168-ISS-ITDS-IF0027
Tivoli Directory Server, Version 22.214.171.124-ISS-ITDS-IF0029
Tivoli Directory Server, Version 126.96.36.199-ISS-ITDS-IF0030
Tivoli Directory Server, Version 188.8.131.52-ISS-ITDS-IF0031
Tivoli Directory Server, Version 184.108.40.206-ISS-ITDS-IF0032
Tivoli Directory Server, Version 220.127.116.11-ISS-ITDS-IF0033
Closed as program error.
When multiple individual and group password policies are in effect, a composite EFFECTIVE policy is constructed by using the MOST RESTRICTIVE value for each attribute from among all the applicable policies. For example, if one policy requires that passwords expire after 30 days, and another says 60 days, then the MOST RESTRICTIVE value is 30 days, and this is what will be used for the EFFECTIVE policy.

For the password expiration attribute, smaller values are more restrictive. But 0 is a special case which means "never expires". Instead of being the most restrictive, it is actually the least. For comparison purposes, it should be considered infinitely large instead of zero. As a result, if multiple password policies are compared and one has pwdMaxAge = 0, then that will be the effective value, instead of the smallest non-zero value which should be used.

There are 5 attributes where zero is considered infinite and require special consideration when constructing a composite policy:

                                      Most
  Attribute name                      Restrictive  Zero
  ----------------------------------- -----------  --------
  passwordMaxConsecutiveRepeatedChars Lesser       Infinite *
  passwordMaxRepeatedChars            Lesser       Infinite *
  pwdLockoutDuration                  Greater      Infinite
  pwdMaxAge                           Lesser       Infinite
  pwdMaxFailure                       Lesser       Infinite

* The infinite zero comparison error for the attributes passwordMaxRepeatedChars and passwordMaxConsecutiveRepeatedChars was discovered during 6.2 development testing and fixed by defect D100232 for 6.2 and later. But it was only fixed for the 2 attributes reported as failing, and the other 3 were left unchanged.
If the values being compared are all zero or all non-zero, there is no problem. The result is incorrect only when some are zero and some are non-zero. In that case, you could replace the zero values with a very large value which is effectively infinite, like 2,000,000,000.
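The comparison described above, as an added example that is not IBM's code: a plain numeric comparison beside one that treats zero as infinite, together with the effect of replacing zeros with 2,000,000,000. Attribute names and directions come from the table; the function names, the sample policies and the use of seconds as the unit are assumptions made for illustration.

```python
# Added example: composite password policy with "infinite zero" handling.
# Function names and sample policies are hypothetical, not from the product.
import math

# attribute -> True when the lesser value is the most restrictive (per the table)
LESSER_IS_STRICTER = {
    "passwordMaxConsecutiveRepeatedChars": True,
    "passwordMaxRepeatedChars": True,
    "pwdLockoutDuration": False,
    "pwdMaxAge": True,
    "pwdMaxFailure": True,
}


def naive_effective(policies):
    """Plain numeric comparison: shows the defect, where 0 sorts as the smallest value."""
    out = {}
    for attr, lesser in LESSER_IS_STRICTER.items():
        values = [p[attr] for p in policies if attr in p]
        if values:
            out[attr] = min(values) if lesser else max(values)
    return out


def effective(policies):
    """Compare with 0 treated as infinity, then map infinity back to 0."""
    out = {}
    for attr, lesser in LESSER_IS_STRICTER.items():
        values = [math.inf if p[attr] == 0 else p[attr] for p in policies if attr in p]
        if values:
            best = min(values) if lesser else max(values)
            out[attr] = 0 if best == math.inf else best
    return out


# Constructed sample: a group policy with limits (30 days, assumed to be in
# seconds) and an individual policy that leaves the same attributes at 0.
GROUP = {"pwdMaxAge": 2592000, "pwdMaxFailure": 5, "pwdLockoutDuration": 600}
INDIVIDUAL = {"pwdMaxAge": 0, "pwdMaxFailure": 0, "pwdLockoutDuration": 0}
WORKAROUND = {k: 2_000_000_000 for k in INDIVIDUAL}  # zeros replaced with a large value

if __name__ == "__main__":
    print("naive     :", naive_effective([GROUP, INDIVIDUAL]))
    print("corrected :", effective([GROUP, INDIVIDUAL]))
    print("workaround:", naive_effective([GROUP, WORKAROUND]))
```

With the mixed input, the plain comparison yields no expiry and no failure limit, while the workaround values make the same plain comparison select the 30-day age and the limit of 5 failures.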
When the feature to support multiple password policies was added in TDS 6.1, this "infinite zero" problem was not accounted for in the design.
The fix for this APAR will be contained in the following maintenance packages:
| interim fix | 18.104.22.168-ISS-ITDS-IF0027 |
Reported component name
IBM TIV DIR SER
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
IBM TIV DIR SER
Fixed component ID
Applicable component levels