Bug 1024744

Summary: Improve grace login warning against OpenLDAP server
Product: Red Hat Enterprise Linux 7 Reporter: Kaushik Banerjee <kbanerje>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED DEFERRED QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: apetrova, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, pbrezina
Target Milestone: rc   
Target Release: 7.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
The OpenLDAP server and the 389 Directory Server (389 DS) treat grace logins differently. 389 DS treats them as the number of grace logins left, while OpenLDAP treats them as the number of grace logins used. Currently, SSSD only handles the semantics used by 389 DS. As a result, when using OpenLDAP, the grace password warning can be incorrect.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-24 11:24:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kaushik Banerjee 2013-10-30 10:55:32 UTC 
Description of problem:
Improve grace login warning against OpenLDAP server

Version-Release number of selected component (if applicable):
1.9.2-129

How reproducible:
Always

Steps to Reproduce:
1. On openldap server, set pwdGraceAuthNLimit to 2

2. Try to auth from another sssd client

1st Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 2 grace login(s) remaining.
Last login: Thu Oct 10 14:53:33 2013 from localhost
-bash-4.1$ logout

2nd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 1 grace login(s) remaining.
Last login: Thu Oct 10 15:01:01 2013 from localhost
-bash-4.1$ logout

3rd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Password expired. Change your password now. <== Should have shown 0 grace login 
Last login: Thu Oct 10 15:01:16 2013 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuuser.
Current Password:


Actual results:
3rd attempt shows password expired.

Expected results:
3rd attempt against 389-ds server shows 0 grace login remains. There should be consistency against openldap server too.

Additional info:
Comment 2 Jakub Hrozek 2013-10-31 11:37:25 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2136
Comment 3 Jakub Hrozek 2013-11-06 16:39:29 UTC 
Reproposing to 7.1 as agreed on last Thursday's meeting.
Comment 6 Martin Kosek 2015-04-24 11:24:30 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.