Bug ID 591732: Local password policy not enforced when auth source is set to a remote type.

Last Modified: Mar 01, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3

Fixed In:
15.1.0, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.1

Opened: May 06, 2016

Severity: 3-Major

Symptoms

Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.

Impact

The system does not enforce any of the non-default local password policy options. For example: -- Even if the minimum-length is set to 15, a local user's password can be set to something less than 15. Another example: -- Even if max-duration is set to 90 days, the password does not expire for 99999 days (the default). Note: Impact may vary among versions: -- minimum-length policy works in v11.x and v12.x, but fails in v13.x later. -- max-duration policy fails in all affected versions.

Conditions

1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 15 where the default is 6. 2) The auth source is set to a remote source, such as LDAP, AD, TACACS.

Workaround

None

Fix Information

The BIG-IP system now honors the password policy settings for local accounts. However, this does not address complexity issues. That is tracked under ID 928161. For more information see https://cdn.f5.com/product/bugtracker/ID928161.html

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips