Bug 2115495

Summary: group password policy by default does not allow grace logins
Product: Red Hat Enterprise Linux 9
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 9.0
CC: frenaud, ipa-qe, pasik, rcritten, ssidhaye, sumenon, tscherf
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.10.0-6.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2115475
Environment:
Last Closed: 2022-11-15 10:00:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2115475
Bug Blocks: 2091421

Description Rob Crittenden 2022-08-04 18:58:52 UTC
+++ This bug was initially created as a clone of Bug #2115475 +++

Description of problem:

Cloned from https://pagure.io/freeipa/issue/9212

The nightly test test_user.py::test_user::test_password_expiration_notification is failing, see PR #1917 with the following logs and report.

Test scenario (all the steps are done using the Gui):

* Modify ipa config through the Gui (IPA Server > Configuration) with Password Expiration Notification = 15 days
* Create a user
* Create a group
* Add the user to the group
* Create a password policy for the group
* Set Password Max life = 7 days, Password Min Life = 0
* As admin, reset the user password. Logout.
* Login to the Gui as the new user. As the password was administratively reset, the user is prompted to reset his password

The defaults are tricky.

For grace -1 means disabled and this is the default in the global policy.
0 means no grace logins are allowed.

A group policy defaults to being empty. Empty values are treated as 0.

So a new group policy will not allow grace logins.

Group policies have never inherited values from the global policy.

Comment 3 Rob Crittenden 2022-08-19 11:58:35 UTC
Range values for passwordgracelimit are:

-1 : password grace checking is disabled
 0 : no grace BIND are allowed at all post-expiration
 1..MAXINT: the number of BIND allowed post-expiration

The default value for the global policy on install/upgrade will be -1 to
retain existing behavior.

New group password policies will default to -1 to retain previous
behavior.

Existing group policies with no grace limit set are updated to use
the default unlimited value, -1. This is done because a missing value in
LDAP is treated as 0, so any existing group policies would not allow
post-expiration BIND; setting -1 avoids that confusion.
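The following is an added illustration, not code from this bug, from FreeIPA or from the errata: a small Python model of the passwordgracelimit semantics described in the comment above and in the description (-1 disabled, 0 no grace BIND, N allowed post-expiration), together with the effect of treating a missing LDAP value as 0 versus the upgrade step that writes an explicit -1 into group policies lacking the attribute. The policy entries, their names and the helper functions are constructed for the example; only the attribute name passwordgracelimit and its value ranges come from the report.

```python
"""Model of passwordgracelimit semantics (added example, not FreeIPA code)."""

DISABLED = -1  # grace checking disabled: unlimited post-expiration binds

# Constructed sample policies standing in for LDAP entries. A missing key
# models an attribute that was never set, i.e. the "empty" group policy
# from the bug description. These entries are invented for this example.
SAMPLE_POLICIES = {
    "global_policy": {"passwordgracelimit": -1},
    "new_group_policy": {},                      # no grace limit set at all
    "strict_group_policy": {"passwordgracelimit": 0},
    "lenient_group_policy": {"passwordgracelimit": 3},
}


def effective_grace_limit(policy, missing_means=0):
    """Return the grace limit for a policy, applying ``missing_means`` when
    the attribute is absent. The pre-fix behaviour described in the bug is
    ``missing_means=0``; the fix avoids the question by writing -1 explicitly."""
    value = policy.get("passwordgracelimit")
    if value is None:
        return missing_means
    if not isinstance(value, int) or value < -1:
        raise ValueError("passwordgracelimit must be -1, 0 or a positive integer")
    return value


def bind_allowed(policy, password_expired, grace_binds_used, missing_means=0):
    """Decide whether a BIND succeeds for a user under ``policy``.

    ``grace_binds_used`` is the number of post-expiration BINDs the user has
    already consumed (hypothetical counter kept by the caller)."""
    if not password_expired:
        return True
    limit = effective_grace_limit(policy, missing_means)
    if limit == DISABLED:
        return True       # -1: grace checking disabled, no post-expiration limit
    if limit == 0:
        return False      # 0: no grace BIND allowed at all
    return grace_binds_used < limit   # 1..MAXINT: that many BINDs allowed


def migrate_empty_group_policies(policies):
    """Mimic the upgrade step from the comment: every group policy without a
    grace limit gets the explicit default -1 so it keeps the old behaviour.
    The global policy is left untouched (it already carries -1)."""
    migrated = {}
    for name, policy in policies.items():
        updated = dict(policy)
        if name != "global_policy" and "passwordgracelimit" not in updated:
            updated["passwordgracelimit"] = DISABLED
        migrated[name] = updated
    return migrated


if __name__ == "__main__":
    before = SAMPLE_POLICIES["new_group_policy"]
    after = migrate_empty_group_policies(SAMPLE_POLICIES)["new_group_policy"]
    print("empty group policy, expired password, pre-fix :",
          bind_allowed(before, True, 0))
    print("empty group policy, expired password, post-fix:",
          bind_allowed(after, True, 0))
```

Running the block shows the failure mode from the nightly test: with the attribute missing, the expired user is refused the BIND needed to change the password (pre-fix prints False), while the migrated policy carrying an explicit -1 admits it (post-fix prints True). The same function also shows the bounded case, where a limit of 3 admits the first three post-expiration BINDs and refuses the fourth.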

Comment 10 errata-xmlrpc 2022-11-15 10:00:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7988