Bug 2110014

Summary: ldap bind occurs when admin user changes password with gracelimit=0
Product: Red Hat Enterprise Linux 9 Reporter: Rob Crittenden <rcritten>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: high Docs Contact:
Priority: high    
Version: 9.1CC: ipa-qe, rcritten, sumenon, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.10.0-6.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2109236 Environment:
Last Closed: 2022-11-15 10:00:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2109236    
Bug Blocks: 2091421    

Description Rob Crittenden 2022-07-22 18:09:40 UTC 
+++ This bug was initially created as a clone of Bug #2109236 +++

Description of problem: ldap bind occurs when admin user changes password with  gracelimit=0

Version-Release number of selected component (if applicable):
ipa-server-4.9.10-4.module+el8.7.0+15926+daa9f08b.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. ipa user-add user1 --first=user1 --last=s
2. ipa passwd user1
3. ipa pwpolicy-mod --gracelimit=0
4. Now run ldap bind.

Actual results:
When password for the ipa user is changed by an administrator the grace period is set to 0.
It allows bind.
[root@server ~]# ldapsearch -LLL -x -D 'uid=user1,cn=users,cn=accounts,dc=rhel87,dc=test' -W -e ppolicy -b uid=user1,cn=users,cn=accounts,dc=rhel87,dc=test dn  -v
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
filter: (objectclass=*)
requesting: dn 
dn: uid=user1,cn=users,cn=accounts,dc=rhel87,dc=test

Expected results:
With Grace Period Value=0 All LDAP BIND on expired passwords are denied
Basically -1 and 0 values are behaving the same.

Additional info:

--- Additional comment from Rob Crittenden on 2022-07-20 18:11:17 UTC ---

Cloned upstream to https://pagure.io/freeipa/issue/9206
Comment 2 Rob Crittenden 2022-08-01 13:26:35 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/4105fee2cf9db4deddbdfd6b2058e077364aa679
Comment 3 Rob Crittenden 2022-08-01 17:04:51 UTC 
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/1bb4ff9ed2313fb3c2bd1418258c5bcec557b6a5

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/1316cd8b2252c2543cf2ef2186956a8833037b1e
Comment 10 errata-xmlrpc 2022-11-15 10:00:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7988