IO17872: pwdMustChange does not report most restrictive when multiple group password policies are enabled.

APAR status

  • Closed as program error.

Error description

  • Effective password policy calculated for multiple group entries
    gives a result of false for pwdMustChange even though the most
    restrictive value is true in this case.
    
    Steps for recreation:
    
    1. Enable the password policy.
    dn: cn=pwdpolicy,cn=ibmPolicies
    ibm-pwdpolicy:true
    ibm-pwdGroupAndIndividualEnabled:true
    
    2. Add a group password policy with pwdMustChange as false. Also
       add another group password policy with pwdMustChange as true.
    
    3. Add a user and two groups. Make the added user a member of
       both groups:
    dn: cn=user1,o=sample
    dn:cn=grp_for_pwd_policy1,o=sample
    dn:cn=grp_for_pwd_policy2,o=sample
    
    5. Modify the password for user "cn=user1".
    
    6. Add the "ibm-pwdgrouppolicydn" attribute to both groups, each
       pointing to a different password policy:
    dn:cn=grp_for_pwd_policy2,o=sample
    ibm-pwdgrouppolicydn:cn=group_pwd_policy2,cn=ibmPolicies
       And
    dn:cn=grp_for_pwd_policy1,o=sample
    ibm-pwdgrouppolicydn:cn=group_pwd_policy1,cn=ibmPolicies
    
    7. Check the effective password policy:
    # idsldapexop -D cn=root -w <pwd> -op effectpwdpolicy -d "cn=user1,o=sample"
    The effective password policy is calculated based on the
    following entries:
    cn=group_pwd_policy1,cn=ibmPolicies
    cn=group_pwd_policy2,cn=ibmPolicies
    cn=pwdpolicy,cn=ibmpolicies
    
    The effective password policy is:
    ibm-pwdPolicyStartTime=20121217111705Z
    ...
    pwdAllowUserChange=true
    pwdMustChange=false     <== It should be true
    

Local fix

  • No known workaround.
    

Problem summary

  • The calculation of the effective password policy was incorrect
    from design time. Boolean attribute values were handled
    incorrectly in the code, both before building the composite
    group password policy and before calculating the effective
    password policy across all available policies. The code worked
    for Boolean attributes whose default value is "false" and failed
    for those attributes whose default value is "true".
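
    A way to check a server for the symptom described in this APAR, as an added example that is not IBM's code: it parses effectpwdpolicy output in the format shown in step 7 and flags the case where a contributing group policy sets pwdMustChange to true but the reported effective value is false. The function names, the dictionary of group policy values (which the caller would read from the policy entries) and the sample text are assumptions constructed for illustration.

```python
# Added example: constructed sample in the output format shown in this APAR.
SAMPLE_OUTPUT = """\
The effective password policy is calculated based on the
following entries:
cn=group_pwd_policy1,cn=ibmPolicies
cn=group_pwd_policy2,cn=ibmPolicies
cn=pwdpolicy,cn=ibmpolicies

The effective password policy is:
ibm-pwdPolicyStartTime=20121217111705Z
pwdAllowUserChange=true
pwdMustChange=false
"""

def parse_effective_policy(text):
    """Return (contributing policy DNs, {attribute: value}), all lowercased."""
    dns, attrs, section = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        lowered = line.lower()
        if not line:
            continue
        if "following entries" in lowered:
            section = "dns"
        elif lowered.startswith("the effective password policy is:"):
            section = "attrs"
        elif section == "dns":
            dns.append(lowered.replace(" ", ""))
        elif section == "attrs" and "=" in line:
            name, _, value = lowered.partition("=")
            # Keep only the first token so trailing annotations are ignored.
            attrs[name.strip()] = (value.split() or [""])[0]
    return dns, attrs

def check_pwd_must_change(exop_text, group_policy_values):
    """group_policy_values (assumed input): {group policy DN: pwdMustChange
    value as stored in that entry, or None if unset}."""
    dns, attrs = parse_effective_policy(exop_text)
    requiring = sorted(
        dn for dn, value in group_policy_values.items()
        if dn.lower().replace(" ", "") in dns and str(value).lower() == "true"
    )
    reported = attrs.get("pwdmustchange") == "true"
    # Symptom from the APAR: a contributing group policy says true, yet the
    # effective policy reports false.
    return {"requiring": requiring, "reported": reported,
            "affected": bool(requiring) and not reported}

if __name__ == "__main__":
    print(check_pwd_must_change(SAMPLE_OUTPUT, {
        "cn=group_pwd_policy1,cn=ibmPolicies": "false",
        "cn=group_pwd_policy2,cn=ibmPolicies": "true"}))
```

    An "affected" result of True for a user in groups with differing pwdMustChange values matches the behaviour reported here.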
    

Problem conclusion

  • The fix for this APAR will be contained in the following
    maintenance packages:
    | interim fix | 6.3.0.25-ISS-ITDS-IF0025 |
    

Temporary fix

Comments

APAR Information

  • APAR number

    IO17872

  • Reported component name

    IBM TIV DIR SER

  • Reported component ID

    5724J3960

  • Reported release

    630

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-01-08

  • Closed date

    2013-09-27

  • Last modified date

    2013-09-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IO19735 IO19737

Fix information

  • Fixed component name

    IBM TIV DIR SER

  • Fixed component ID

    5724J3960

Applicable component levels

  • R630 PSY

       UP



Document information


More support for:

IBM Security Directory Server
General

Software version:

630

Reference #:

IO17872

Modified date:

2013-09-27
