Fixes are available
APAR status
Closed as program error.
Error description
When multiple individual and group password policies are in effect, a composite EFFECTIVE policy is constructed by using the MOST RESTRICTIVE value for each attribute from among all the applicable policies. For example, if one policy requires that passwords expire after 30 days, and another says 60 days, then the MOST RESTRICTIVE value is 30 days, and this is what will be used for the EFFECTIVE policy.

For the password expiration attribute, smaller values are more restrictive. But 0 is a special case which means "never expires". Instead of being the most restrictive, it is actually the least. For comparison purposes, it should be considered infinitely large instead of zero. As a result, if multiple password policies are compared and one has pwdMaxAge = 0, then that will be the effective value, instead of the smallest non-zero value, which should be used.

There are 5 attributes where zero is considered infinite and which require special consideration when constructing a composite policy:

Attribute name                       Most Restrictive  Zero
-----------------------------------  ----------------  --------
passwordMaxConsecutiveRepeatedChars  Lesser            Infinite *
passwordMaxRepeatedChars             Lesser            Infinite *
pwdLockoutDuration                   Greater           Infinite
pwdMaxAge                            Lesser            Infinite
pwdMaxFailure                        Lesser            Infinite

* The infinite zero comparison error for the attributes passwordMaxRepeatedChars and passwordMaxConsecutiveRepeatedChars was discovered during 6.2 development testing and fixed by defect D100232 for 6.2 and later. But it was only fixed for the 2 attributes reported as failing, and the other 3 were left unchanged.
Local fix
If the values being compared are all zero or all non-zero, there is no problem. The result is incorrect only when some are zero and some are non-zero. In that case, you could replace the zero values with a very large value which is effectively infinite, like 2,000,000,000.
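The comparison error and the local fix above, as an added Python example (not IBM's code). naive_effective models the raw comparison the description implies, effective applies the infinite-zero rule from the table, and the three sample policies and both function names are constructed for illustration.

```python
import math

# Direction of "most restrictive" per attribute, taken from the table in this
# APAR. All five attributes treat 0 as infinite.
MOST_RESTRICTIVE = {
    "passwordMaxConsecutiveRepeatedChars": min,
    "passwordMaxRepeatedChars": min,
    "pwdLockoutDuration": max,
    "pwdMaxAge": min,
    "pwdMaxFailure": min,
}

def naive_effective(policies):
    """Flawed merge: compares raw values, so 0 is treated as the number zero."""
    out = {}
    for attr, pick in MOST_RESTRICTIVE.items():
        values = [p[attr] for p in policies if attr in p]
        if values:
            out[attr] = pick(values)
    return out

def effective(policies):
    """Merge that maps 0 to infinity before comparing, then back to 0."""
    out = {}
    for attr, pick in MOST_RESTRICTIVE.items():
        values = [math.inf if p[attr] == 0 else p[attr]
                  for p in policies if attr in p]
        if values:
            best = pick(values)
            out[attr] = 0 if best == math.inf else best
    return out

# Constructed sample policies (illustrative values, not from the APAR).
# Durations are in seconds: 2592000 = 30 days, 5184000 = 60 days.
GLOBAL = {"pwdMaxAge": 0, "pwdMaxFailure": 0, "pwdLockoutDuration": 0}
GROUP = {"pwdMaxAge": 2592000, "pwdMaxFailure": 5, "pwdLockoutDuration": 600}
USER = {"pwdMaxAge": 5184000, "pwdMaxFailure": 3}

if __name__ == "__main__":
    for name, fn in (("naive", naive_effective), ("infinite-zero", effective)):
        print(name, fn([GLOBAL, GROUP, USER]))
```

With the naive merge, one policy carrying 0 removes expiry and the failure limit for everyone it applies to, and for pwdLockoutDuration the error runs the other way: a finite lockout replaces the permanent one.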
Problem summary
When the feature to support multiple password policies was added in TDS 6.1, this "infinite zero" problem was not accounted for in the design.
Problem conclusion
The fix for this APAR will be contained in the following maintenance packages:

| interim fix | 6.2.0.27-ISS-ITDS-IF0027 |
Temporary fix
Comments
APAR Information
APAR number
IO17305
Reported component name
IBM TIV DIR SER
Reported component ID
5724J3960
Reported release
620
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-10-10
Closed date
2012-11-27
Last modified date
2012-11-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM TIV DIR SER
Fixed component ID
5724J3960
Applicable component levels
R620 PSY
UP