Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
+++ This bug was initially created as a clone of Bug #2115475 +++
Description of problem:
Cloned from https://pagure.io/freeipa/issue/9212
The nightly test test_user.py::test_user::test_password_expiration_notification is failing, see PR #1917 with the following logs and report.
Test scenario (all the steps are done using the Gui):
* Modify ipa config through the Gui (IPA Server > Configuration) with Password Expiration Notification = 15 days
* Create a user
* Create a group
* Add the user to the group
* Create a password policy for the group
* Set Password Max life = 7 days, Password Min Life = 0
* As admin, reset the user password. Logout.
* Login to the Gui as the new user. As the password was administratively reset, the user is prompted to reset his password
The defaults are tricky
For grace -1 means disabled and this is the default in the global policy.
0 means no grace logins are allowed.
A group policy defaults to being empty. Empty values are treated as 0.
So a new group policy will not allow grace logins.
group policies have never inherited values from the global policy.
Range values for passwordgracelimit are:
-1 : password grace checking is disabled
0 : no grace BIND are allowed at all post-expiration
1..MAXINT: the number of BIND allowed post-expiration
The default value for the global policy on install/upgrade will be -1 to
retain existing behavior.
New group password policies will default to -1 to retain previous
behavior.
Existing group policies with no grace limit set are updated to use
the default unlimited value, -1. This is done because lack of value in
LDAP is treated as 0 so any existing group policies would not allow
post-expiration BIND so this will avoid confusion.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:7988