Direct links to fixes
Tivoli Directory Server, Version 18.104.22.168-ISS-ITDS-IF0026
Closed as program error.
The effective password policy calculated for multiple group entries gives a result of false for pwdMustChange even though the most restrictive value is true in this case.

Steps for recreation:

1. Enable the password policy.

    dn: cn=pwdpolicy,cn=ibmPolicies
    ibm-pwdpolicy:true
    ibm-pwdGroupAndIndividualEnabled:true

2. Add a group password policy with pwdMustChange as false. Also add another group password policy with pwdMustChange as true.

3. Add a user and two groups. Make the added user a member of both groups:

    dn: cn=user1,o=sample
    dn:cn=grp_for_pwd_policy1,o=sample
    dn:cn=grp_for_pwd_policy2,o=sample

5. Modify the password for user "cn=user1".

6. Add the "ibm-pwdgrouppolicydn" attribute to both groups, each pointing to a different password policy:

    dn:cn=grp_for_pwd_policy2,o=sample
    ibm-pwdgrouppolicydn:cn=group_pwd_policy2,cn=ibmPolicies

   And

    dn:cn=grp_for_pwd_policy1,o=sample
    ibm-pwdgrouppolicydn:cn=group_pwd_policy1,cn=ibmPolicies

7. Check the effective password policy:

    # idsldapexop -D cn=root -w <pwd> -op effectpwdpolicy -d "cn= user1,o=sample"
    The effective password policy is calculated based on the following entries:
    cn=group_pwd_policy1,cn=ibmPolicies
    cn=group_pwd_policy2,cn=ibmPolicies
    cn=pwdpolicy,cn=ibmpolicies
    The effective password policy is:
    ibm-pwdPolicyStartTime=20121217111705Z
    ...
    pwdAllowUserChange=true
    pwdMustChange=false <== It should be true

No known workaround.
The calculation of the effective password policy was incorrect by design. Boolean attribute values were manipulated incorrectly in the code before building the composite group password policy, and also before calculating the effective password policy across all available policies. The code worked for Boolean attributes whose default value is "false" and failed for those whose default value is "true".
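
The check from step 7 can be automated. The following is an added example, not IBM code: it parses effectpwdpolicy output and compares pwdMustChange with the most restrictive value set by the user's group policies. The sample output and policy values are constructed from this APAR, the function names are hypothetical, and it assumes the user has no individual password policy.

```python
# Added example; sample data is constructed from the values shown in this APAR.
# Assumption: the value listed here is the "most restrictive" one for the attribute.
MOST_RESTRICTIVE = {"pwdmustchange": True}  # per the APAR, true should win

SAMPLE_OUTPUT = """\
The effective password policy is calculated based on the following entries:
cn=group_pwd_policy1,cn=ibmPolicies
cn=group_pwd_policy2,cn=ibmPolicies
cn=pwdpolicy,cn=ibmpolicies
The effective password policy is:
ibm-pwdPolicyStartTime=20121217111705Z
pwdAllowUserChange=true
pwdMustChange=false
"""
GROUP_POLICIES = {  # constructed: which group policy holds which value is assumed
    "cn=group_pwd_policy1,cn=ibmPolicies": {"pwdmustchange": False},
    "cn=group_pwd_policy2,cn=ibmPolicies": {"pwdmustchange": True},
}

def parse_effective_policy(output):
    """Collect attr=value lines printed after 'The effective password policy is:'."""
    attrs, in_policy = {}, False
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith("the effective password policy is:"):
            in_policy = True  # lines before this marker are policy DNs, not values
        elif in_policy and "=" in line:
            name, _, value = line.partition("=")
            attrs[name.strip().lower()] = value.strip()
    return attrs

def expected_bool(group_policies, attr):
    """Most restrictive value of a Boolean across the group policies that set it."""
    values = [p[attr] for p in group_policies.values() if attr in p]
    if not values:
        return None  # no group policy sets it; nothing to compare against
    restrictive = MOST_RESTRICTIVE[attr]
    return restrictive if restrictive in values else (not restrictive)

def check(output, group_policies):
    """Return (attr, expected, actual) for each Boolean the server got wrong."""
    effective = parse_effective_policy(output)
    mismatches = []
    for attr in MOST_RESTRICTIVE:
        want, raw = expected_bool(group_policies, attr), effective.get(attr)
        if want is not None and raw is not None and (raw.lower() == "true") != want:
            mismatches.append((attr, want, raw.lower() == "true"))
    return mismatches
```

An empty list from check() means the reported value matches the most restrictive group setting; on the output shown in this APAR it reports pwdMustChange as a mismatch.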
The fix for this APAR will be contained in the following maintenance packages:

| interim fix | 22.214.171.124-ISS-ITDS-IF0025 |
Reported component name
IBM TIV DIR SER
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
IBM TIV DIR SER
Fixed component ID
Applicable component levels