Bug 2193060
| Summary: | IdM password policy undefined maxlife does not unset password expiration | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Sunny Wu <suwu> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | NEW --- | QA Contact: | ipa-qe |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.1 | CC: | rcritten, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Sunny Wu
2023-05-04 07:17:02 UTC
There is a default 90-day expiration policy if maxlife is not explicitly defined in the password policy.

We can update the pwpolicy module built-in help to reflect this.

---

90 days = 2160 (90 x 24) hours. If maxlife is undefined, then default 90 will apply. It is still not quite right...

```
# ipa pwpolicy-mod ipausers --maxlife=1 --minlife=25
ipa: ERROR: invalid 'maxlife': Maximum password life must be equal to or greater than the minimum.

# ipa pwpolicy-mod ipausers --maxlife=90 --minlife=2161
ipa: ERROR: invalid 'maxlife': Maximum password life must be equal to or greater than the minimum.

# ipa pwpolicy-mod ipausers --minlife=2161
  Group: ipausers
  Min lifetime (hours): 2161
  Priority: 10
  Grace login limit: -1
```

---

(In reply to Rob Crittenden from comment #1)
> There is a default 90-day expiration policy if maxlife is not explicitly
> defined in the password policy.
>
> We can update the pwpolicy module built-in help to reflect this.

Please include usage for both zero and NULL value.

Further testing found that there is a discrepancy when applying the default value:
1. User changes its password using `passwd`
2. User changes its password using `ipa user-mod --password <user>`
When maxlife is NULL, 90 days will apply in (#1), but unset in (#2). Behaviour of command line `ipa` and WebUI is identical.
```
# ipa pwpolicy-show --user=bob
  Group: ipausers
  Grace login limit: -1

=====

$ id
uid=1404800003(bob) gid=1404800003(bob) groups=1404800003(bob) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ klist
Ticket cache: KCM:1404800003:16132
Default principal: bob@<...>

Valid starting       Expires              Service principal
05/09/23 15:09:08    05/10/23 14:38:09    HTTP/node-0.<...>@<...>
05/09/23 15:09:04    05/10/23 14:38:09    krbtgt/<...>@<...>

$ passwd
Changing password for user bob.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

$ ipa user-show bob --all
  dn: uid=bob,cn=users,cn=accounts,dc=<...>
  User login: bob
  First name: Bob
  Last name: User
  Full name: Bob User
  Display name: Bob User
  Initials: BU
  Home directory: /home/bob
  GECOS: Bob User
  Login shell: /bin/sh
  Principal name: bob@<...>
  Principal alias: bob@<...>
  User password expiration: 20230807051439Z    <<<<<=====
  Email address: bob@<...>
  UID: 1404800003
  GID: 1404800003
  Account disabled: False
  Preserved user: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  ipantsecurityidentifier: S-1-5-21-<...>
  ipauniqueid: 61c13ac8-<...>
  krblastpwdchange: 20230509051439Z
  objectclass: top, person, organizationalperson, inetorgperson, inetuser,
               posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject,
               ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs

$ ipa user-mod --password bob
Password:
Enter Password again to verify:
-------------------
Modified user "bob"
-------------------
  User login: bob
  First name: Bob
  Last name: User
  Home directory: /home/bob
  Login shell: /bin/sh
  Principal name: bob@<...>
  Principal alias: bob@<...>
  Email address: bob@<...>
  UID: 1404800003
  GID: 1404800003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

$ ipa user-show bob --all
  dn: uid=bob,cn=users,cn=accounts,dc=<...>
  User login: bob
  First name: Bob
  Last name: User
  Full name: Bob User
  Display name: Bob User
  Initials: BU
  Home directory: /home/bob
  GECOS: Bob User
  Login shell: /bin/sh
  Principal name: bob@<...>
  Principal alias: bob@<...>
  Email address: bob@<...>
  UID: 1404800003
  GID: 1404800003
  Account disabled: False
  Preserved user: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  ipantsecurityidentifier: S-1-5-21-<...>
  ipauniqueid: 61c13ac8-<...>
  krblastpwdchange: 20230509052130Z
  objectclass: top, person, organizationalperson, inetorgperson, inetuser,
               posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject,
               ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs

$ passwd
Changing password for user bob.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

$ ipa user-show bob --all
  dn: uid=bob,cn=users,cn=accounts,dc=<...>
  User login: bob
  First name: Bob
  Last name: User
  Full name: Bob User
  Display name: Bob User
  Initials: BU
  Home directory: /home/bob
  GECOS: Bob User
  Login shell: /bin/sh
  Principal name: bob@<...>
  Principal alias: bob@<...>
  User password expiration: 20230807052332Z    <<<<<=====
  Email address: bob@<...>
  UID: 1404800003
  GID: 1404800003
  Account disabled: False
  Preserved user: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
  ipantsecurityidentifier: S-1-5-21-<...>
  ipauniqueid: 61c13ac8-<...>
  krblastpwdchange: 20230509052332Z
  objectclass: top, person, organizationalperson, inetorgperson, inetuser,
               posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject,
               ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuseratt
```
---

The difference is the paths that passwd vs ipa passwd take. passwd goes through as a Kerberos password change and ipa passwd is done via LDAP. The backends are necessarily different.

The LDAP policy code treats a non-existent value as 0 and Kerberos defaults to 90.

I propose the LDAP code also default to 90 if no value is set but still honor if 0 is. And document the 90-day default.

---

Thank you. Please also review the issue described in "comment 2" that "ipa pwpolicy-mod" allows the implicit (default) value of 90 to be added.

@rcritten I just wanted to point out the issue more explicitly. One of the constraints is: maxlife must be greater than or equal to minlife. The first command is declined - OK. The second command was executed successfully - Not OK. As "maxlife" has a default value of "90", the two commands should have identical effect. However, the latter command does not evaluate the default value if omitted, and the constraint is circumvented.

---

(In reply to Sunny Wu from comment #2)
> 90 days = 2160 (90 x 24) hours.
>
> # ipa pwpolicy-mod ipausers --maxlife=90 --minlife=2161
> ipa: ERROR: invalid 'maxlife': Maximum password life must be equal to or
> greater than the minimum.
>
> # ipa pwpolicy-mod ipausers --minlife=2161
> Group: ipausers
> Min lifetime (hours): 2161
> Priority: 10
> Grace login limit: -1

Right. Since maxlife is treated as having a default value in the plugin it needs to be an explicit default value in all group policies. This may be disruptive to existing installs that have relied on the old behavior though.
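The reasoning in this thread, reduced to a runnable model (an added example written for this page, not FreeIPA's or IdM's own code): `pwpolicy_mod` replays the three `ipa pwpolicy-mod` commands with the maxlife >= minlife constraint evaluated either only on explicit values (the reported behaviour) or after substituting the 90-day default (the proposed fix), and `password_expiration` derives the expiration timestamp from the last password change under the LDAP path (absent value treated as 0) and the Kerberos path (absent value treated as 90 days). Function and key names are the example's own; it assumes that an explicit maxlife of 0 means the password never expires, which is the value the thread asks to keep honouring.

```python
"""Model of IdM password-policy handling around an undefined maxlife.
Added illustration for the bug thread above; not FreeIPA code."""
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_MAXLIFE_DAYS = 90  # implicit policy default discussed in the thread
HOURS_PER_DAY = 24         # maxlife is expressed in days, minlife in hours
CONSTRAINT_MSG = ("invalid 'maxlife': Maximum password life must be equal to "
                  "or greater than the minimum.")


def effective_maxlife_days(maxlife: Optional[int]) -> Optional[int]:
    """Resolve a stored maxlife to the lifetime that should be enforced.
    None (attribute absent) -> the 90-day default; 0 -> None, meaning no
    expiration (assumed meaning of an explicit 0); otherwise as given."""
    if maxlife is None:
        return DEFAULT_MAXLIFE_DAYS
    if maxlife == 0:
        return None
    return maxlife


def pwpolicy_mod(policy: dict, maxlife: Optional[int] = None,
                 minlife: Optional[int] = None,
                 apply_default: bool = True) -> dict:
    """Model `ipa pwpolicy-mod` on one group policy (a dict with optional
    'maxlife' and 'minlife' keys; hypothetical names).
    apply_default=False: an absent maxlife stays undefined, so the
    maxlife >= minlife check is silently skipped (the reported behaviour).
    apply_default=True: the default is substituted first, so the check also
    covers the implicit 90 days (the proposed fix)."""
    new = dict(policy)
    if maxlife is not None:
        new["maxlife"] = maxlife
    if minlife is not None:
        new["minlife"] = minlife
    stored = new.get("maxlife")
    enforced = effective_maxlife_days(stored) if apply_default else (stored or None)
    if enforced is not None and new.get("minlife") is not None:
        if enforced * HOURS_PER_DAY < new["minlife"]:
            raise ValueError(CONSTRAINT_MSG)
    return new


def password_expiration(changed_at: datetime, maxlife: Optional[int],
                        apply_default: bool = True) -> Optional[str]:
    """Expiration timestamp (LDAP GeneralizedTime) for a password changed at
    changed_at. apply_default=False models the LDAP change path from the
    thread (absent value treated like 0: nothing set); True models the
    Kerberos path and the proposed fix (absent value -> 90 days)."""
    days = effective_maxlife_days(maxlife) if apply_default else (maxlife or None)
    if days is None:
        return None
    return (changed_at + timedelta(days=days)).strftime("%Y%m%d%H%M%SZ")


def demo() -> dict:
    """Replay the scenarios from the thread; returns the outcome of each."""
    results = {}
    scenarios = {
        "maxlife=1 minlife=25": dict(maxlife=1, minlife=25),
        "maxlife=90 minlife=2161": dict(maxlife=90, minlife=2161),
        "minlife=2161 (reported)": dict(minlife=2161, apply_default=False),
        "minlife=2161 (fixed)": dict(minlife=2161),
        "minlife=2160 (fixed)": dict(minlife=2160),
    }
    for label, kwargs in scenarios.items():
        try:
            pwpolicy_mod({}, **kwargs)  # empty policy: maxlife undefined
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    # krblastpwdchange value taken from the report's first user-show output
    changed = datetime(2023, 5, 9, 5, 14, 39, tzinfo=timezone.utc)
    results["ldap path"] = password_expiration(changed, None, apply_default=False)
    results["kerberos path"] = password_expiration(changed, None)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:28} -> {outcome}")
```

Running it shows the two paths diverging exactly as the report does: the LDAP path leaves the expiration unset for an undefined maxlife, while the Kerberos path applied to a change at 20230509051439Z yields 20230807051439Z, the value visible in the first `ipa user-show` output above. The `minlife=2161 (reported)` scenario is the one that slips past the constraint; with the default substituted before the check it is rejected, and 2160 hours (exactly 90 days) is the largest minlife that still passes.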