Bug 1589144

Summary: shadowWarning is not generated if passwordWarning is lower than 86400 seconds (1 day).
Product: Red Hat Enterprise Linux 7 Reporter: Têko Mihinto <tmihinto>
Component: 389-ds-baseAssignee: thierry bordaz <tbordaz>
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: medium Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.5CC: bsmejkal, gparente, mreynolds, nkinder, pasik, rmeggins, tbordaz
Target Milestone: rc   
Target Release: 7.7   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.9.1-2.el7 Doc Type: Bug Fix
Doc Text:
.Directory Server did not return the `shadowWarning` attribute if `passwordWarning` was set lower than `86400` Previously, Directory Server did not return the `shadowWarning` attribute in searches if the `passwordWarning` attribute in the `cn=config` entry was set to a value lower than `86400` seconds (1 day). This update fixes the problem. As a result, the server returns the value of the `shadowWarning` attribute in the mentioned scenario.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 12:58:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Têko Mihinto 2018-06-08 13:34:03 UTC 
Description of problem:

The attribute shadowWarning is not returned if the passwordWarning value is lower than 86400 seconds (1 day).


Version-Release number of selected component (if applicable):

# rpm -qa | grep 389-ds-base-
389-ds-base-debuginfo-1.3.7.5-18.el7.x86_64
389-ds-base-1.3.7.5-13.el7.x86_64
389-ds-base-libs-1.3.7.5-13.el7.x86_64
#

How reproducible:

Always.


Steps to Reproduce:

1. Set the passwordWarning value to 86400 or higher:

# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "cn=config" -D"cn=Directory Manager" -W -sbase passwordWarning
Enter LDAP Password:
dn: cn=config
passwordWarning: 86400

#

A search will return the shadowWarning attribute:
# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "ou=People,o=Test" -D"cn=Directory Manager" -W  "uid=tmorris" shadowWarning
Enter LDAP Password:
dn: uid=tmorris,ou=People,o=Test
shadowWarning: 1

#

2. Set the passwordWarning value lower than 86400:
#  ldapmodify -x -D"cn=Directory Manager" -W -p <PORT> -h <HOST>
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: passwordWarning
passwordWarning: 86399

modifying entry "cn=config"

#

No value for is returned for shadowWarning:
# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "ou=People,o=Test" -D"cn=Directory Manager" -W  "uid=tmorris" shadowWarning
Enter LDAP Password:
dn: uid=tmorris,ou=People,o=Test

#


Actual results:

shadowWarning is only generated if the passwordWarning value is higher or equal to 1 day.

Expected results:
shadowWarning should be returned as long as passwordWarning is defined.


Additional info:
Comment 3 thierry bordaz 2018-06-08 14:06:58 UTC 
IMHO it makes sense to send a warning as long as the administrator defined a no null passwordWarning (even if it is less than a day).

It should be the same for all kind of accounts (including ShadowAccount)
Comment 4 Viktor Ashirov 2018-12-14 14:07:19 UTC 
Upstream ticket:
https://pagure.io/389-ds-base/issue/50091
Comment 5 thierry bordaz 2018-12-14 16:58:54 UTC 
Ticket pushed upstream -> POST
Comment 7 bsmejkal 2019-03-06 11:53:20 UTC 
Bug is still reproducible.

=============================================================================================== test session starts ===============================================================================================
platform linux -- Python 3.6.3, pytest-4.3.0, py-1.8.0, pluggy-0.9.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-1010.el7.x86_64-x86_64-with-redhat-7.7-Maipo', 'Packages': {'pytest': '4.3.0', 'py': '1.8.0', 'pluggy': '0.9.0'}, 'Plugins': {'metadata': '1.8.0', 'html': '1.20.0'}}
389-ds-base: 1.3.9.1-1.el7
nss: 3.36.0-7.1.el7_6
nspr: 4.19.0-1.el7_5
openldap: 2.4.44-21.el7_6
cyrus-sasl: 2.1.26-23.el7
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.8.0, html-1.20.0
collected 12 items / 11 deselected / 1 selected                                                                                                                                                                   

pwdPolicy_warning_test.py::test_search_shadowWarning_when_passwordWarning_is_lower FAILED                                                                              [100%]
========================================================================== 1 failed, 11 deselected in 10.64 seconds ==========================================================================
Comment 8 bsmejkal 2019-03-18 15:55:51 UTC 
=============================================================================================== test session starts ===============================================================================================
platform linux -- Python 3.6.3, pytest-4.3.1, py-1.8.0, pluggy-0.9.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-1020.el7.x86_64-x86_64-with-redhat-7.7-Maipo', 'Packages': {'pytest': '4.3.1', 'py': '1.8.0', 'pluggy': '0.9.0'}, 'Plugins': {'metadata': '1.8.0', 'html': '1.20.0'}}
389-ds-base: 1.3.9.1-2.el7
nss: 3.36.0-7.1.el7_6
nspr: 4.19.0-1.el7_5
openldap: 2.4.44-21.el7_6
cyrus-sasl: 2.1.26-23.el7
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.8.0, html-1.20.0
collected 12 items / 11 deselected / 1 selected                                                                                                                                                                   

pwdPolicy_warning_test.py::test_search_shadowWarning_when_passwordWarning_is_lower PASSED                                                                                                                   [100%]
============================================================================== 1 passed, 11 deselected in 10.65 seconds ===============================================================================
Comment 12 errata-xmlrpc 2019-08-06 12:58:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2152