Bug 1492830

Summary: password expired control not sent during grace logins. [rhel-7.4.z]
Product: Red Hat Enterprise Linux 7 Reporter: Tom Lavigne <tlavigne>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: urgent Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high    
Version: 7.4CC: amsharma, brubisch, gparente, mreynolds, msauton, nkinder, rmeggins, tbordaz, tlavigne
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.6.1-20.el7_4 Doc Type: Bug Fix
Doc Text:
Previously, Directory Server did not send the expired password control when an expired password had grace logins left. Consequently, clients could not tell the user that the password was expired or how many grace logins were left. The problem has been fixed. As a result, clients can now tell the user if a password is expired and how many grace logins remain.
 Story Points: ---
Clone Of: 1464505 Environment:
Last Closed: 2017-10-19 15:11:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1464505    
Bug Blocks:    

Description Tom Lavigne 2017-09-18 17:18:59 UTC 
This bug has been copied from bug #1464505 and has been proposed
to be backported to 7.4 z-stream (EUS).
Comment 5 Amita Sharma 2017-09-25 08:45:12 UTC 
================================================================ test session starts =================================================================
platform linux2 -- Python 2.7.5, pytest-3.2.2, py-1.4.34, pluggy-0.4.0
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-693.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.34', 'pytest': '3.2.2', 'pluggy': '0.4.0'}, 'Plugins': {'html': '1.16.0', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-20.el7_4
nss: 3.28.4-14.el7_4
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-5.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.5.0, html-1.16.0
collected 4 items                                                                                                                                     

pwdPolicy_controls_test.py OK group dirsrv exists
OK user dirsrv exists
INFO:lib389.topologies:Instance with parameters {'ldap-port': 38901, 'suffix': 'dc=example,dc=com', 'krb5_realm': None, 'deployed-dir': '/usr', 'inst-backupdir': '/tmp', 'hostname': 'localhost', 'server-id': 'standalone1', 'root-pw': 'password', 'root-dn': 'cn=Directory Manager', 'group-id': None, 'InstScriptsEnabled': None, 'user-id': None, 'ldap-secureport': None} was created.
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy with paswordMustChange set to "on"
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Reset userpassword as Directory Manager
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Bind should return ctrl with error code 2 (changeAfterReset)
.INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy with grace limit set tot 2
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Change password and wait for it to expire
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Bind and use up one grace login (only one left)
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Use up last grace login, should get control
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:No grace login available, bind should fail, and no control should be returned
.INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Change password and get controls
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Warning has been sent, try the bind again, and recheck the expiring time
.INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:When the warning is less than the max age, we never send expiring control response
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Turn on sending expiring control regardless of warning
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Check expiring time again
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Turn off sending expiring control (restore the default setting)
.Instance slapd-standalone1 removed.


============================================================= 4 passed in 23.31 seconds ==============================================================
Comment 7 errata-xmlrpc 2017-10-19 15:11:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2932