Bug 1024744 - Improve grace login warning against OpenLDAP server
Improve grace login warning against OpenLDAP server
Status: CLOSED DEFERRED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 7.1
Assigned To: SSSD Maintainers
Kaushik Banerjee
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-30 06:55 EDT by Kaushik Banerjee
Modified: 2015-04-24 07:24 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
The OpenLDAP server and the 389 Directory Server (389 DS) treat grace logins differently. 389 DS treats them as the number of grace logins left, while OpenLDAP treats them as the number of grace logins used. Currently, SSSD only handles the semantics used by 389 DS. As a result, when using OpenLDAP, the grace password warning can be incorrect.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-24 07:24:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kaushik Banerjee 2013-10-30 06:55:32 EDT
Description of problem:
Improve grace login warning against OpenLDAP server

Version-Release number of selected component (if applicable):
1.9.2-129

How reproducible:
Always

Steps to Reproduce:
1. On openldap server, set pwdGraceAuthNLimit to 2

2. Try to auth from another sssd client

1st Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 2 grace login(s) remaining.
Last login: Thu Oct 10 14:53:33 2013 from localhost
-bash-4.1$ logout

2nd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 1 grace login(s) remaining.
Last login: Thu Oct 10 15:01:01 2013 from localhost
-bash-4.1$ logout

3rd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Password expired. Change your password now. <== Should have shown 0 grace login 
Last login: Thu Oct 10 15:01:16 2013 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuuser.
Current Password:


Actual results:
3rd attempt shows password expired.

Expected results:
3rd attempt against 389-ds server shows 0 grace login remains. There should be consistency against openldap server too.

Additional info:
Comment 2 Jakub Hrozek 2013-10-31 07:37:25 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2136
Comment 3 Jakub Hrozek 2013-11-06 11:39:29 EST
Reproposing to 7.1 as agreed on last Thursday's meeting.
Comment 6 Martin Kosek 2015-04-24 07:24:30 EDT
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.

Note You need to log in before you can comment on or make changes to this bug.