Bug 1771439

Summary: Different password expiration message for LDAP users with and without ObjectClass ShadowAccount
Product: Red Hat Enterprise Linux 7
Reporter: Filip Dvorak <fdvorak>
Component: nss-pam-ldapd
Assignee: Tomas Halman <thalman>
Status: CLOSED ERRATA
QA Contact: Filip Dvorak <fdvorak>
Severity: low
Docs Contact:
Priority: unspecified
Version: 7.8
CC: jhrozek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-29 20:12:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Filip Dvorak 2019-11-12 11:34:19 UTC
Description of problem:
There is a small issue (different letter P-p) in a password expiration message for LDAP users with and without ObjectClass ShadowAccount.   

The message for a user w/o ObjectClass ShadowAccount: Password will expire in 9 days
The message for a user with objectClass ShadowAccount: password will expire in 9 days

Version-Release number of selected component (if applicable):
nss-pam-ldapd-0.8.13-22.el7.x86_64
RHEL-7.8

How reproducible:
always

Steps to Reproduce:

1. Add the following LDAP users into LDAP db:
user1 without ShadowAccount
dn: uid=user1,ou=People,dc=my-domain,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 20000
homeDirectory: /home/ldap/user1
gecos: user1
userPassword: user1

user2 with ShadowAccount
dn: uid=user2,ou=People,dc=my-domain,dc=com
uid: user2
cn: user2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: dXNlcjI=
shadowLastChange: 18198
shadowMax: 15
shadowWarning: 10
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 20000
homeDirectory: /home/ldap/user2
gecos: user2

2. Edit the nslcd.conf file to configure the connection settings to the LDAP server and add the following option into this file: "pam_authc_ppolicy YES"

3. Set ppolicy to send the expiration message:
pwdMinAge: 0
pwdMaxAge: 864000
pwdExpireWarning: 864000

4. Check that the notifications are sent when using the relevant LDAP control:
ldapsearch -xLLL  -h localhost -b ou=People,dc=my-domain,dc=com -D uid=user1,ou=People,dc=my-domain,dc=com -w user1 uid=user1 -e ppolicy
ldap_bind: Success (0) (Password expires in 863999 seconds) 

ldapsearch -xLLL  -h localhost -b ou=People,dc=my-domain,dc=com -D uid=user2,ou=People,dc=my-domain,dc=com -w user2 uid=user2 -e ppolicy
ldap_bind: Success (0) (Password expires in 800 seconds)

5. SSH to the user@localhost and check whether the notifications are sent or not:
++++++++++++++++++++++++++++++++++++
ssh user1@localhost
user1@localhost's password: 

Password will expire in 9 days
Last login: Mon Nov 11 09:09:04 2019 from localhost

++++++++++++++++++++++++++++++++++++
ssh user2@localhost
user2@localhost's password: 

expect: Password sent

Warning: your password will expire in 2 days
password will expire in 2 days

Actual results:
The message for a user w/o ObjectClass ShadowAccount: Password will expire in 9 days
The message for a user with objectClass ShadowAccount: password will expire in 2 days

Expected results:
The message about password expiration should be the same for both users (with a letter P):
Password will expire in 9 days

Additional info:
You can find configuration files (user.ldif, ppolicyrule.ldif, nslcd.conf) in the following test. Feel free to use it for checking this issue:
TC#603962: /CoreOS/nss-pam-ldapd/Regression/bz1612543-password-expiration-is-not-send-shadowAccount
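
An added example, not part of the original report and not nss-pam-ldapd code: it recomputes the day counts seen in step 5 from the values in steps 1 to 4 and flags bare expiry lines that lack the expected capital P. It assumes the SSH sessions ran on 2019-11-11 (the date in the "Last login" line) and that the 2-day figure derives from the shadow attributes; all function names are hypothetical.

```python
import re
from datetime import date

EPOCH = date(1970, 1, 1)

def ppolicy_days_left(seconds):
    """Whole days left, from the ppolicy 'expires in N seconds' value (step 4)."""
    return seconds // 86400

def shadow_days_left(last_change, max_days, today):
    """Days left per shadowLastChange + shadowMax (days since 1970-01-01)."""
    return last_change + max_days - (today - EPOCH).days

# The bare expiry line in either capitalisation; the "Warning: your password ..."
# line in the user2 session has a different shape and is not matched.
EXPIRY_LINE = re.compile(r"password will expire in (\d+) days", re.IGNORECASE)

def inconsistent_messages(transcript):
    """Return bare expiry lines that do not start with the expected capital P."""
    bad = []
    for line in transcript.splitlines():
        line = line.strip()
        if EXPIRY_LINE.fullmatch(line) and not line.startswith("Password"):
            bad.append(line)
    return bad

# Session output copied from step 5 of the report.
USER1_SESSION = """Password will expire in 9 days
Last login: Mon Nov 11 09:09:04 2019 from localhost"""
USER2_SESSION = """Warning: your password will expire in 2 days
password will expire in 2 days"""

if __name__ == "__main__":
    login_day = date(2019, 11, 11)  # assumed session date (see lead-in)
    print("user1 ppolicy days:", ppolicy_days_left(863999))
    print("user2 ppolicy days:", ppolicy_days_left(800))
    print("user2 shadow days:", shadow_days_left(18198, 15, login_day))
    print("user1 flagged:", inconsistent_messages(USER1_SESSION))
    print("user2 flagged:", inconsistent_messages(USER2_SESSION))
```

The 800 seconds reported by ppolicy for user2 round down to 0 days, while the shadow attributes give 2 days on the assumed date, which matches the number in the lowercase message.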

Comment 9 errata-xmlrpc 2020-09-29 20:12:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nss-pam-ldapd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3969