IO17305: Effective password policy shows incorrect pwdMaxAge attribute


APAR status

  • Closed as program error.

Error description

  • When multiple individual and group password policies are in
    effect, a composite EFFECTIVE policy is constructed by using the
    MOST RESTRICTIVE value for each attribute from among all the
    applicable policies.
    
    For example, if one policy requires that passwords expire after
    30 days, and another says 60 days, then the MOST RESTRICTIVE
    value is 30 days, and this is what will be used for the
    EFFECTIVE policy. For the password expiration attribute, smaller
    values are more restrictive. But 0 is a special case which means
    "never expires". Instead of being the most restrictive, it is
    actually the least. For comparison purposes, it should be
    considered infinitely large instead of zero.
    
    As a result, if multiple password policies are compared and
    one has pwdMaxAge = 0, then that will be the effective value,
    instead of the smallest non-zero value which should be used.
    
    There are 5 attributes for which zero is considered infinite and
    which require special consideration when constructing a composite
    policy:
                                              Most
      Attribute name                       Restrictive    Zero
      -----------------------------------  -----------  --------
      passwordMaxConsecutiveRepeatedChars    Lesser     Infinite *
      passwordMaxRepeatedChars               Lesser     Infinite *
      pwdLockoutDuration                     Greater    Infinite
      pwdMaxAge                              Lesser     Infinite
      pwdMaxFailure                          Lesser     Infinite
    
      * The infinite zero comparison error for the attributes
        passwordMaxRepeatedChars and
        passwordMaxConsecutiveRepeatedChars was discovered during
        6.2 development testing and fixed by defect D100232 for
        6.2 and later. But it was only fixed for the 2 attributes
        reported as failing, and the other 3 were left unchanged.
    

Local fix

  • If all the values being compared are either zero or non-zero
    there is no problem. It's only if some are zero and some are
    non-zero that the result will be incorrect. In this case, you
    could replace the zero values with a very large value which is
    effectively infinite, like 2,000,000,000.
    
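The composition rule from the error description, and the sentinel workaround from the local fix, as an added example (this is not IBM's code and not taken from the APAR). It assumes policies are plain dicts keyed by attribute name, that an attribute missing from a policy does not take part in the comparison, and uses the 2,000,000,000 sentinel the local fix suggests. The direction of "most restrictive" per attribute comes from the table above.

```python
from typing import Dict, Iterable, List

# Direction of "most restrictive" for each attribute, per the APAR table.
# True  -> the lesser value is more restrictive
# False -> the greater value is more restrictive
# For all five, a value of 0 means "infinite", not "zero".
LESSER_IS_MORE_RESTRICTIVE: Dict[str, bool] = {
    "passwordMaxConsecutiveRepeatedChars": True,
    "passwordMaxRepeatedChars": True,
    "pwdLockoutDuration": False,
    "pwdMaxAge": True,
    "pwdMaxFailure": True,
}

# Sentinel from the local fix: "effectively infinite" for comparisons.
SENTINEL = 2_000_000_000


def effective_value_naive(attr: str, values: Iterable[int]) -> int:
    """Plain min/max comparison, i.e. the defective behaviour the APAR
    describes: zero is compared as a number, so it wins a "lesser"
    comparison and loses a "greater" one, both of which are wrong."""
    vals = list(values)
    return min(vals) if LESSER_IS_MORE_RESTRICTIVE[attr] else max(vals)


def effective_value(attr: str, values: Iterable[int]) -> int:
    """Comparison with zero treated as infinitely large."""
    vals = list(values)
    finite = [v for v in vals if v != 0]
    has_infinite = any(v == 0 for v in vals)
    if LESSER_IS_MORE_RESTRICTIVE[attr]:
        # Smallest finite value wins; only if every value is "infinite"
        # does the effective value remain 0.
        return min(finite) if finite else 0
    # Greater is more restrictive, so an "infinite" zero dominates.
    return 0 if has_infinite else max(finite)


def effective_policy(policies: List[Dict[str, int]],
                     naive: bool = False) -> Dict[str, int]:
    """Build the composite EFFECTIVE policy over all applicable policies.
    An attribute absent from a policy is simply not compared (assumption)."""
    pick = effective_value_naive if naive else effective_value
    result: Dict[str, int] = {}
    for attr in LESSER_IS_MORE_RESTRICTIVE:
        values = [p[attr] for p in policies if attr in p]
        if values:
            result[attr] = pick(attr, values)
    return result


def apply_local_fix(policy: Dict[str, int]) -> Dict[str, int]:
    """Workaround from the APAR's local fix: replace each zero with a
    very large value so the naive comparison gives the right answer."""
    return {k: (SENTINEL if v == 0 else v) for k, v in policy.items()}


# Constructed sample input: one individual policy and two group policies.
SAMPLE_POLICIES = [
    {"pwdMaxAge": 0, "pwdMaxFailure": 0, "pwdLockoutDuration": 0},
    {"pwdMaxAge": 30, "pwdMaxFailure": 5, "pwdLockoutDuration": 300},
    {"pwdMaxAge": 60, "pwdMaxFailure": 3, "pwdLockoutDuration": 600},
]


if __name__ == "__main__":
    print("defective :", effective_policy(SAMPLE_POLICIES, naive=True))
    print("corrected :", effective_policy(SAMPLE_POLICIES))
    print("local fix :", effective_policy(
        [apply_local_fix(p) for p in SAMPLE_POLICIES], naive=True))
```

On the constructed input the defective comparison yields pwdMaxAge = 0 and pwdMaxFailure = 0 (never expires, unlimited failures) and pwdLockoutDuration = 600, while the corrected comparison yields 30, 3 and 0 (the "infinite" lockout is the more restrictive one). The sentinel workaround reproduces the corrected result through plain min/max; the one visible difference is that when every compared value is zero, the workaround reports 2,000,000,000 rather than 0, which is "effectively infinite" as the local fix states.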

Problem summary

  • When the feature to support multiple password policies was added
    in TDS 6.1, this "infinite zero" problem was not accounted for
    in the design.
    

Problem conclusion

  • The fix for this APAR will be contained in the following
    maintenance packages:
    | interim fix | 6.2.0.27-ISS-ITDS-IF0027 |
    

Temporary fix

Comments

APAR Information

  • APAR number

    IO17305

  • Reported component name

    IBM TIV DIR SER

  • Reported component ID

    5724J3960

  • Reported release

    620

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-10-10

  • Closed date

    2012-11-27

  • Last modified date

    2012-11-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IO17585 IO17589

Fix information

  • Fixed component name

    IBM TIV DIR SER

  • Fixed component ID

    5724J3960

Applicable component levels

  • R620 PSY

       UP




Document information


More support for:

IBM Security Directory Server
General

Software version:

620

Reference #:

IO17305

Modified date:

2012-11-27
