Bug 1612543
Summary: | Password expiration notification is not sent if the LDAP user doesn't have the objectClass shadowAccount. | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Têko Mihinto <tmihinto> |
Component: | nss-pam-ldapd | Assignee: | Tomas Halman <thalman> |
Status: | CLOSED ERRATA | QA Contact: | Filip Dvorak <fdvorak> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.7 | CC: | arthur, ekeck, fdvorak, jhrozek, msugaya, pkis |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | sync-to-jira | | |
Fixed In Version: | nss-pam-ldapd-0.8.13-22.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-03-31 20:03:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Têko Mihinto
2018-08-05 14:18:55 UTC

Password policy handling (the information that ldapsearch uses) was implemented in nss-pam-ldapd 0.9.0. Before that, only the information in shadow attributes was used. Note that a number of fixes and improvements were made in the password policy handling since, the last one in 0.9.7.

While it is probably possible to backport the changes to 0.8, this will be some work and the 0.9 series has been quite stable for a number of years now.

Hi Arthur,

Thank you for the quick update!

I have tested with version 0.9.8-1 and the notification is sent in both cases (with or without the objectClass ShadowAccount).

    # rpm -qa | grep nss-pam-ldapd
    nss-pam-ldapd-0.9.8-1.gf.el7.x86_64
    #

* User with the objectClass ShadowAccount:

    # ssh tmorris@localhost
    tmorris@localhost's password:
    Warning: your password will expire in 9 days
    password will expire in 9 days
    Last login: Mon Aug 6 13:09:47 2018 from localhost
    -bash-4.2$

* User without the objectClass ShadowAccount:

    # ssh abarnes@localhost
    abarnes@localhost's password:
    Password will expires in 8 days
    Last login: Mon Aug 6 13:01:48 2018 from localhost
    -bash-4.2$

NOTE:
======
It would be nice to get the same message in both cases by fixing a couple of typos:

a) Use a capital case for the P in "password" ( password will ... )
b) Remove the s in "expires" ( Password will expires in ...)

Best regards,
Têko.

Thanks for the improvements, fixed in https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d8b16407408ae2caef46ffef3abbc59266f476ba (will be in the next release).

The reason the expiry is noted twice in the case with shadowAccount is probably because pam_unix also picks up the shadow attributes. Also the expiry message from the password policy probably gets lost in that case because it is overwritten by the shadow attribute message.

*** Bug 1707937 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1119