
Bug 1464505

Summary: password expired control not sent during grace logins.
Product: Red Hat Enterprise Linux 7
Component: 389-ds-base
Version: 7.4
Status: CLOSED ERRATA
Severity: urgent
Priority: high
Reporter: German Parente <gparente>
Assignee: mreynolds
QA Contact: Viktor Ashirov <vashirov>
Docs Contact: Marc Muehlfeld <mmuehlfe>
CC: amsharma, brubisch, gparente, msauton, nkinder, rmeggins, tbordaz
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Fixed In Version: 389-ds-base-1.3.7.5-4.el7
Doc Type: Bug Fix
Last Closed: 2018-04-10 14:18:12 UTC
Type: Bug
Bug Blocks: 1492830

Doc Text:
Directory Server now sends the password expired control during grace logins

Previously, Directory Server did not send the expired password control when an expired password had grace logins left. Consequently, clients could not tell the user that the password was expired or how many grace logins were left. The problem has been fixed. As a result, clients can now tell the user if a password is expired and how many grace logins remain.

Description German Parente 2017-06-23 15:20:16 UTC
Description of problem:

When the password is already expired and the user is doing grace logins, the password expired control is not returned.

Customer has this password policy configuration:


Here is the applying policy:
dn: cn=magwien,cn=Password Policies,dc=magwien,dc=gv,dc=at
passwordMaxFailure: 10
passwordAdminDN: cn=magwien passwordAdmins,dc=magwien,dc=gv,dc=at
passwordMustChange: on
description: Standard Password Policy as in Active Directory
objectClass: passwordpolicy
objectClass: extensibleobject
objectClass: LDAPsubentry
objectClass: top
passwordStorageScheme: SSHA512
passwordTrackUpdateTime: off
passwordChange: on
passwordExp: on
passwordMinAge: 0
passwordWarning: 1209600
passwordMaxAge: 7776000
passwordCheckSyntax: on
passwordInHistory: 24
passwordMinLength: 8
passwordMinAlphas: 0
passwordMinDigits: 0
passwordMinSpecials: 0
passwordMinLowers: 0
passwordMinUppers: 0
passwordMin8bit: 0
passwordMinCategories: 1
passwordMaxRepeats: 0
passwordMinTokenLength: 64
passwordLockout: on
passwordUnlock: on
passwordLockoutDuration: 1800
passwordResetDuration: 1800
passwordResetFailureCount: 1800
passwordGraceLimit: 10
cn: magwien
passwordHistory: on


Version-Release number of selected component (if applicable): 

389-ds-base-1.3.5.10-21.el7


How reproducible:

Password is expired during grace logins but the password expired control is not returned.





Comment 13 mreynolds 2017-09-18 16:25:37 UTC
Fixed upstream 

https://pagure.io/389-ds-base/issue/49327

Comment 17 Amita Sharma 2017-10-24 09:18:28 UTC
389-ds-base: 1.3.7.5-6.el7
nss: 3.33.0-2.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-5.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.5.0, html-1.16.0
collected 4 items                                                                                                                                     

pwdPolicy_controls_test.py::test_pwd_must_change OK group dirsrv exists
OK user dirsrv exists
INFO:lib389.topologies:Instance with parameters {'ldap-port': 38901, 'suffix': 'dc=example,dc=com', 'krb5_realm': None, 'deployed-dir': '/usr', 'inst-backupdir': '/tmp', 'hostname': 'localhost', 'server-id': 'standalone1', 'root-pw': 'password', 'root-dn': 'cn=Directory Manager', 'group-id': None, 'InstScriptsEnabled': None, 'user-id': None, 'ldap-secureport': None} was created.
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy with paswordMustChange set to "on"
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Reset userpassword as Directory Manager
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Bind should return ctrl with error code 2 (changeAfterReset)
PASSED
pwdPolicy_controls_test.py::test_pwd_expired_grace_limit INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy with grace limit set tot 2
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Change password and wait for it to expire
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Bind and use up one grace login (only one left)
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Use up last grace login, should get control
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:No grace login available, bind should fail, and no control should be returned
PASSED
pwdPolicy_controls_test.py::test_pwd_expiring_with_warning INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Change password and get controls
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Warning has been sent, try the bind again, and recheck the expiring time
PASSED
pwdPolicy_controls_test.py::test_pwd_expiring_with_no_warning INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:When the warning is less than the max age, we never send expiring control response
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Turn on sending expiring control regardless of warning
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Check expiring time again
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Turn off sending expiring control (restore the default setting)
PASSEDInstance slapd-standalone1 removed.


============================================================= 4 passed in 27.07 seconds ==============================================================

Comment 20 errata-xmlrpc 2018-04-10 14:18:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811