Bug 1024744 - Improve grace login warning against OpenLDAP server
Summary: Improve grace login warning against OpenLDAP server
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 7.1
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-30 10:55 UTC by Kaushik Banerjee
Modified: 2015-04-24 11:24 UTC (History)
7 users (show)

(edit)
The OpenLDAP server and the 389 Directory Server (389 DS) treat grace logins differently. 389 DS treats them as the number of grace logins left, while OpenLDAP treats them as the number of grace logins used. Currently, SSSD only handles the semantics used by 389 DS. As a result, when using OpenLDAP, the grace password warning can be incorrect.
Clone Of:
(edit)
Last Closed: 2015-04-24 11:24:30 UTC


Attachments (Terms of Use)

Description Kaushik Banerjee 2013-10-30 10:55:32 UTC
Description of problem:
Improve grace login warning against OpenLDAP server

Version-Release number of selected component (if applicable):
1.9.2-129

How reproducible:
Always

Steps to Reproduce:
1. On openldap server, set pwdGraceAuthNLimit to 2

2. Try to auth from another sssd client

1st Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 2 grace login(s) remaining.
Last login: Thu Oct 10 14:53:33 2013 from localhost
-bash-4.1$ logout

2nd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 1 grace login(s) remaining.
Last login: Thu Oct 10 15:01:01 2013 from localhost
-bash-4.1$ logout

3rd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Password expired. Change your password now. <== Should have shown 0 grace login 
Last login: Thu Oct 10 15:01:16 2013 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuuser.
Current Password:


Actual results:
3rd attempt shows password expired.

Expected results:
3rd attempt against 389-ds server shows 0 grace login remains. There should be consistency against openldap server too.

Additional info:

Comment 2 Jakub Hrozek 2013-10-31 11:37:25 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2136

Comment 3 Jakub Hrozek 2013-11-06 16:39:29 UTC
Reproposing to 7.1 as agreed on last Thursday's meeting.

Comment 6 Martin Kosek 2015-04-24 11:24:30 UTC
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.


Note You need to log in before you can comment on or make changes to this bug.