Bug 1612543

Summary: Password expiration notification is not sent if the LDAP user doesn't have the objectClass shadowAccount.
Product: Red Hat Enterprise Linux 7
Reporter: Têko Mihinto <tmihinto>
Component: nss-pam-ldapd
Assignee: Tomas Halman <thalman>
Status: CLOSED ERRATA
QA Contact: Filip Dvorak <fdvorak>
Severity: medium
Priority: unspecified
Version: 7.7
CC: arthur, ekeck, fdvorak, jhrozek, msugaya, pkis
Target Milestone: rc
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: nss-pam-ldapd-0.8.13-22.el7
Last Closed: 2020-03-31 20:03:17 UTC
Type: Bug

Description Têko Mihinto 2018-08-05 14:18:55 UTC
Description of problem:

On RHEL 7.x, nslcd doesn't seem to send the password expiration notification if the LDAP user doesn't have the objectClass "shadowAccount".

At the customer site with RHEL 6.x,  the notification is sent regardless of the presence of the objectClass "shadowAccount".


Version-Release number of selected component (if applicable):

# rpm -qa | grep nss-pam-ldapd-
nss-pam-ldapd-0.8.13-16.el7.x86_64
#


How reproducible:

Always.


Steps to Reproduce:

1. Add the following LDAP users to an RHDS instance:

User with the objectClass: shadowAccount:
+++++++++++++++++++++++++++++++
dn: uid=tmorris,ou=People,o=Test
cn: Ted Morris
sn: Morris
givenName: Ted
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
ou: Accounting
ou: People
l: Santa Clara
uid: tmorris
mail: tmorris
telephoneNumber: +1 408 555 9187
facsimileTelephoneNumber: +1 408 555 8473
roomNumber: 4117
userPassword: password
manager: uid=dmiller,ou=People,o=Test
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 23456
homeDirectory: /home/tmorris
shadowLastChange: 17748
shadowMax: 10
shadowWarning: 10
+++++++++++++++++++++++++++++++

User without the objectClass: shadowAccount:
+++++++++++++++++++++++++++++++
dn: uid=abarnes,ou=People,o=Test
cn: Anne-Louise Barnes
sn: Barnes
givenName: Anne-Louise
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
ou: Payroll
ou: People
l: Santa Clara
uid: abarnes
mail: abarnes
telephoneNumber: +1 408 555 9445
facsimileTelephoneNumber: +1 408 555 4661
roomNumber: 2290
userPassword: password
manager: uid=abergin,ou=People,o=Test
loginShell: /bin/bash
uidNumber: 10002
gidNumber: 23456
homeDirectory: /home/abarnes
+++++++++++++++++++++++++++++++


2. Edit the nslcd.conf file to configure the connection settings to the LDAP server.

3. Configure the RHDS instance to send the password expiration notification:
+++++++++++++++++++++++++++++++
passwordExp: on
passwordMaxAge: 864000
passwordWarning: 864000
passwordSendExpiringTime: on
+++++++++++++++++++++++++++++++

4. Check that the notifications are sent when using the relevant LDAP control:

# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "ou=People,o=Test" -D"uid=abarnes,ou=People,o=Test" -W "uid=abarnes"  -e ppolicy 1.1
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 863979 seconds)
dn: uid=abarnes,ou=People,o=Test

#
# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "ou=People,o=Test" -D"uid=tmorris,ou=People,o=Test" -W "uid=tmorris" -e ppolicy 1.1
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 861552 seconds)
dn: uid=tmorris,ou=People,o=Test

#

5. SSH to the localhost and check whether the notifications are sent or not:

# ssh abarnes@localhost
abarnes@localhost's password:
Last login: Sun Aug  5 16:07:45 2018 from localhost
-bash-4.2$
-bash-4.2$ exit
logout
Connection to localhost closed.
#
# ssh tmorris@localhost
tmorris@localhost's password:
password will expire in 10 days
Last login: Sun Aug  5 16:07:55 2018 from localhost
-bash-4.2$


Actual results:

The notification is sent only for the user that has the objectClass "shadowAccount".


Expected results:

Customer expects the same behavior as with RHEL 6.x, i.e. the notifications are sent
even if the objectClass "shadowAccount" is not present.

Additional info:

Comment 5 Arthur de Jong 2018-08-05 14:56:36 UTC
Password policy handling (the information that ldapsearch uses) was implemented in nss-pam-ldapd 0.9.0. Before that, only the information in shadow attributes was used.

Note that a number of fixes and improvements were made in the password policy handling since, the last one in 0.9.7. While it is probably possible to backport the changes to 0.8 this will be some work and the 0.9 series has been quite stable for a number of years now.

Comment 6 Têko Mihinto 2018-08-06 14:53:30 UTC
Hi Arthur,

Thank you for the quick update!

I have tested with version 0.9.8-1 and the notification is sent in both cases ( with or without the objectClass ShadowAccount ).

# rpm -qa | grep nss-pam-ldapd
nss-pam-ldapd-0.9.8-1.gf.el7.x86_64
#

* User with the objectClass ShadowAccount:

# ssh tmorris@localhost
tmorris@localhost's password:
Warning: your password will expire in 9 days
password will expire in 9 days
Last login: Mon Aug  6 13:09:47 2018 from localhost
-bash-4.2$


* User without the objectClass ShadowAccount:

# ssh abarnes@localhost
abarnes@localhost's password:
Password will expires in 8 days
Last login: Mon Aug  6 13:01:48 2018 from localhost
-bash-4.2$


NOTE:
======

It would be nice to get the same message in both cases by fixing a couple of typos:
a) Use a capital case for the P in "password" ( password will ... )
b) Remove the s in "expires" ( Password will expires in ...)

Best regards,
Têko.

Comment 7 Arthur de Jong 2018-08-06 17:43:17 UTC
Thanks for the improvements, fixed in https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d8b16407408ae2caef46ffef3abbc59266f476ba (will be in the next release).

The reason the expiry is noted twice in the case with shadowAccount is probably because pam_unix also picks up the shadow attributes. Also the expiry message from the password policy probably gets lost in that case because it is overwritten by the shadow attribute message.
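To make the behaviour discussed in Comments 5 to 7 concrete, here is an added model (example code, not part of nss-pam-ldapd or of this bug report) of the two expiry sources: the shadow attributes from the entry, which is all 0.8.x consulted, and the seconds value from the ppolicy response control that 0.9.x added. The sample entries and dates are constructed from the report's LDIF and ssh sessions.

```python
# Added example, not code from nss-pam-ldapd: models how an nslcd-style PAM
# module decides whether to print a password expiry warning.
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(day_iso):
    """shadowLastChange counts days since 1970-01-01 (17748 == 2018-08-05)."""
    return (date.fromisoformat(day_iso) - EPOCH).days


def shadow_days_left(attrs, today_iso):
    """Days until expiry from shadow attributes, or None when not applicable.
    This is the only path 0.8.x had: an entry without objectClass
    shadowAccount (and so without shadowLastChange/shadowMax/shadowWarning)
    never produces a warning, which is the behaviour reported in this bug."""
    if "shadowAccount" not in attrs.get("objectClass", []):
        return None
    try:
        last_change = int(attrs["shadowLastChange"])
        max_age = int(attrs["shadowMax"])
        warn_days = int(attrs["shadowWarning"])
    except (KeyError, ValueError):
        return None
    days_left = last_change + max_age - days_since_epoch(today_iso)
    return days_left if days_left <= warn_days else None


def ppolicy_days_left(time_before_expiration):
    """Days from the ppolicy control, which reports seconds (e.g. 863979)."""
    if time_before_expiration is None:
        return None
    return time_before_expiration // 86400


def expiry_message(attrs, today_iso, time_before_expiration=None, use_ppolicy=True):
    """Warning text or None. use_ppolicy=False models 0.8.x (shadow only);
    True models 0.9.x, which falls back to the password policy control."""
    days = shadow_days_left(attrs, today_iso)
    if days is None and use_ppolicy:
        days = ppolicy_days_left(time_before_expiration)
    if days is None:
        return None
    return f"Password will expire in {days} days"


# Constructed sample entries, trimmed to the attributes that matter here.
TMORRIS = {"objectClass": ["posixAccount", "shadowAccount"],
           "shadowLastChange": "17748", "shadowMax": "10", "shadowWarning": "10"}
ABARNES = {"objectClass": ["posixAccount"]}
```

With these inputs the shadow path reproduces the "10 days" seen on 2018-08-05 and "9 days" a day later for tmorris, while abarnes only gets a warning once the ppolicy control is consulted.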

Comment 10 Jakub Hrozek 2019-08-13 20:18:39 UTC
*** Bug 1707937 has been marked as a duplicate of this bug. ***

Comment 32 errata-xmlrpc 2020-03-31 20:03:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1119