Bug 726456

Summary: [RFE] sssd should support Netscape LDAP password expiration controls
Product: Red Hat Enterprise Linux 6
Reporter: Joshua Roys <roysjosh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: 6.1
CC: benl, dpal, grajaiya, jgalipea, jhrozek, jwest, prc, rmeggins
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: Enhancement
Last Closed: 2012-08-03 15:40:48 UTC
Bug Blocks: 756082, 782183, 840699

Attachments:
- simple implementation of Netscape password warning expiration control (flags: none)
- simple implementation of Netscape password warning expiration control (flags: none)
- simple implementation of Netscape password warning expiration control (flags: roysjosh: review+)

Description Joshua Roys 2011-07-28 16:57:34 UTC
Description of problem:
sssd doesn't support OIDs 2.16.840.1.113730.3.4.4 and 2.16.840.1.113730.3.4.5 for password expiration notification/warning.  389-ds uses these (along with the server-side password ones).


Version-Release number of selected component (if applicable):
sssd-1.5.1

Comment 2 Jakub Hrozek 2011-08-25 12:06:34 UTC
Rich, do you know if these controls need any special treatment or behave the same as the OpenLDAP password controls?

Comment 3 Rich Megginson 2011-08-25 13:26:33 UTC
(In reply to comment #2)
> Rich, do you know if these controls need any special treatment or behave the
> same as the OpenLDAP password controls?

I don't know.  They are pretty simple, so they might work exactly the same way as the OpenLDAP controls.

Comment 5 Stephen Gallagher 2011-08-29 12:38:48 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/984

Comment 7 Joshua Roys 2012-05-10 13:52:59 UTC
Created attachment 583569 [details]
simple implementation of Netscape password warning expiration control

What do you think about this simple implementation?  It doesn't compare the value to any other password control warning value to see, for instance, which is smaller.  Also, if the bv_val happened to not be a null-terminated string, it would return who knows what.  But a quick test against our 389-ds setup has it correctly parsing the Netscape control (as well as the server-side password controls that are returned).  I'll add the .4 control for expired passwords if this is the right direction.

Comment 8 Stephen Gallagher 2012-05-10 16:47:34 UTC
(In reply to comment #7)
> Created attachment 583569 [details]
> simple implementation of Netscape password warning expiration control
> 
> What do you think about this simple implementation?  It doesn't compare the
> value to any other password control warning value to see, for instance, which
> is smaller.  Also, if the bv_val happened to not be a null-terminated string,
> it would return who knows what.  But a quick test against our 389-ds setup has
> it correctly parsing the Netscape control (as well as the server-side password
> controls that are returned).  I'll add the .4 control for expired passwords if
> this is the right direction.

Thanks for the patch! Yes, I think this is probably headed in the right direction. I think you identified the same issues I would have: we need to do a better job of validating the return values, but otherwise this looks pretty good. Please feel free to add the expired passwords.

Comment 10 Joshua Roys 2012-05-14 12:55:26 UTC
Created attachment 584357 [details]
simple implementation of Netscape password warning expiration control

This round adds a strndup/memcpy/atoi/free (along with an initial check of bv_len for suspiciously long values) to carefully get the number of seconds until password expiration out of the control.  Other alternatives might be a custom atoi-like function that took a maximum length parameter like snprintf or a libldap function that I don't know of (I didn't look too hard, to be honest).  The .3.4.4 oid for password expiration is now also handled.
Tests against our 389 server show proper return of the two controls and their handling (although I can't disable the ldap server-side password policy controls on our production servers, so those were also returned with the Netscape ones).
What do you think?  How can the patch be improved?

Comment 11 Stephen Gallagher 2012-05-14 15:08:59 UTC
Created attachment 584385 [details]
simple implementation of Netscape password warning expiration control

(In reply to comment #10)
> Created attachment 584357 [details]
> simple implementation of Netscape password warning expiration control
> 
> This round adds a strndup/memcpy/atoi/free (along with an initial check of
> bv_len for suspiciously long values) to carefully get the number of seconds
> until password expiration out of the control.  Other alternatives might be a
> custom atoi-like function that took a maximum length parameter like snprintf or
> a libldap function that I don't know of (I didn't look too hard, to be honest).
>  The .3.4.4 oid for password expiration is now also handled.
> Tests against our 389 server show proper return of the two controls and their
> handling (although I can't disable the ldap server-side password policy
> controls on our production servers, so those were also returned with the
> Netscape ones).
> What do you think?  How can the patch be improved?

I've made a few changes. Notably: I updated all of the DEBUG messages in that function to use the new macros to be more consistent. I switched your nval conversion to use our custom strtouint32() function instead of atoi(), which is deprecated. (Please let me know if uint32_t is unacceptable here). I switched the creation of nval to use talloc_strndup() which always guarantees NULL-termination (also to stick with our convention of always using TALLOC for memory management in SSSD). I made #defines for the OIDs in a common header.

I've also submitted this revised patch for further upstream review at https://fedorahosted.org/pipermail/sssd-devel/2012-May/009794.html as per our upstream review process (https://fedorahosted.org/sssd/wiki/BugLifecycle).
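
The bounded parse that comments 10 and 11 describe (check bv_len first, copy into a NUL-terminated buffer, convert with a range-checked routine instead of atoi), as an added C example that is not the attached patch or SSSD's code; ns_berval stands in for libldap's struct berval and the ns_* names are assumed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* OIDs quoted in the bug report */
#define NS_PW_EXPIRED_OID  "2.16.840.1.113730.3.4.4"
#define NS_PW_EXPIRING_OID "2.16.840.1.113730.3.4.5"

/* Stand-in for libldap's struct berval so this builds without ldap.h
 * (assumption: a length plus bytes that need not be NUL-terminated). */
struct ns_berval { size_t bv_len; const char *bv_val; };

/* A uint32 has at most 10 decimal digits; longer values are the thread's
 * "suspiciously long" case and are rejected before any copy happens. */
#define NS_PW_MAX_DIGITS 10

/* Reads the decimal seconds-until-expiry from a control value. Returns 0 and
 * sets *seconds, or EINVAL if malformed. Only bv_len bytes are ever read. */
int ns_parse_pw_seconds(const struct ns_berval *bv, uint32_t *seconds)
{
    char buf[NS_PW_MAX_DIGITS + 1];
    char *end;
    unsigned long long v;
    if (bv == NULL || bv->bv_val == NULL || seconds == NULL) return EINVAL;
    if (bv->bv_len == 0 || bv->bv_len > NS_PW_MAX_DIGITS) return EINVAL;
    /* Bounded copy that guarantees NUL termination (the strndup/memcpy step). */
    memcpy(buf, bv->bv_val, bv->bv_len);
    buf[bv->bv_len] = '\0';
    /* Digits only: strtoull alone accepts whitespace and signs and stops at junk. */
    for (size_t i = 0; i < bv->bv_len; i++)
        if (buf[i] < '0' || buf[i] > '9') return EINVAL;
    errno = 0;
    v = strtoull(buf, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX) return EINVAL;
    *seconds = (uint32_t)v;
    return 0;
}

/* .4.4 means already expired; .4.5 carries the remaining seconds.
 * Any other OID yields ENOENT so the caller can skip it. */
int ns_handle_pw_control(const char *oid, const struct ns_berval *bv,
                         bool *expired, uint32_t *seconds)
{
    *expired = false; *seconds = 0;
    if (strcmp(oid, NS_PW_EXPIRED_OID) == 0) { *expired = true; return 0; }
    if (strcmp(oid, NS_PW_EXPIRING_OID) == 0) return ns_parse_pw_seconds(bv, seconds);
    return ENOENT;
}
```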

Comment 12 RHEL Program Management 2012-07-10 06:13:45 UTC
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Comment 13 RHEL Program Management 2012-07-11 02:02:52 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 14 Jenny Severance 2012-08-03 15:40:48 UTC

*** This bug has been marked as a duplicate of bug 771412 ***

Comment 15 Joshua Roys 2015-01-21 17:16:03 UTC
Comment on attachment 584385 [details]
simple implementation of Netscape password warning expiration control

Giving this old bug attachment a "+" since a recent bugzilla upgrade has started spamming me weekly about it.