RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1024744 - Improve grace login warning against OpenLDAP server
Summary: Improve grace login warning against OpenLDAP server
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 7.1
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-30 10:55 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:30 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
The OpenLDAP server and the 389 Directory Server (389 DS) treat grace logins differently. 389 DS treats them as the number of grace logins left, while OpenLDAP treats them as the number of grace logins used. Currently, SSSD only handles the semantics used by 389 DS. As a result, when using OpenLDAP, the grace password warning can be incorrect.
Clone Of:
Environment:
Last Closed: 2015-04-24 11:24:30 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3178 0 None None None 2020-05-02 17:30:34 UTC

Description Kaushik Banerjee 2013-10-30 10:55:32 UTC
Description of problem:
Improve grace login warning against OpenLDAP server

Version-Release number of selected component (if applicable):
1.9.2-129

How reproducible:
Always

Steps to Reproduce:
1. On openldap server, set pwdGraceAuthNLimit to 2

2. Try to auth from another sssd client

1st Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 2 grace login(s) remaining.
Last login: Thu Oct 10 14:53:33 2013 from localhost
-bash-4.1$ logout

2nd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 1 grace login(s) remaining.
Last login: Thu Oct 10 15:01:01 2013 from localhost
-bash-4.1$ logout

3rd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Password expired. Change your password now. <== Should have shown 0 grace login 
Last login: Thu Oct 10 15:01:16 2013 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuuser.
Current Password:


Actual results:
3rd attempt shows password expired.

Expected results:
3rd attempt against 389-ds server shows 0 grace login remains. There should be consistency against openldap server too.

Additional info:

Comment 2 Jakub Hrozek 2013-10-31 11:37:25 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2136

Comment 3 Jakub Hrozek 2013-11-06 16:39:29 UTC
Reproposing to 7.1 as agreed on last Thursday's meeting.

Comment 6 Martin Kosek 2015-04-24 11:24:30 UTC
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.


Note You need to log in before you can comment on or make changes to this bug.