Bugzilla will be upgraded to version 5.0 on December 2, 2018. The outage period for the upgrade will start at 0:00 UTC and have a duration of 12 hours
Bug 1464505 - password expired control not sent during grace logins.
password expired control not sent during grace logins.
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
All Linux
high Severity urgent
: rc
: ---
Assigned To: mreynolds
Viktor Ashirov
Marc Muehlfeld
: ZStream
Depends On:
Blocks: 1492830
  Show dependency treegraph
Reported: 2017-06-23 11:20 EDT by German Parente
Modified: 2018-04-10 10:19 EDT (History)
7 users (show)

See Also:
Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
Directory Server now sends the password expired control during grace logins Previously, Directory Server did not send the expired password control when an expired password had grace logins left. Consequently, clients could not tell the user that the password was expired or how many grace logins were left. The problem has been fixed. As a result, clients can now tell the user if a password is expired and how many grace logins remain.
Story Points: ---
Clone Of:
: 1492830 (view as bug list)
Last Closed: 2018-04-10 10:18:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0811 None None None 2018-04-10 10:19 EDT

  None (edit)
Description German Parente 2017-06-23 11:20:16 EDT
Description of problem:

when the password is already expired and user is doing grace logins, the password expired control is not returned.

Customer has this password policy configuration:

Here the applying policy:
dn: cn=magwien,cn=Password Policies,dc=magwien,dc=gv,dc=at
passwordMaxFailure: 10
passwordAdminDN: cn=magwien passwordAdmins,dc=magwien,dc=gv,dc=at
passwordMustChange: on
description: Standard Password Policy as in Active Directory
objectClass: passwordpolicy
objectClass: extensibleobject
objectClass: LDAPsubentry
objectClass: top
passwordStorageScheme: SSHA512
passwordTrackUpdateTime: off
passwordChange: on
passwordExp: on
passwordMinAge: 0
passwordWarning: 1209600
passwordMaxAge: 7776000
passwordCheckSyntax: on
passwordInHistory: 24
passwordMinLength: 8
passwordMinAlphas: 0
passwordMinDigits: 0
passwordMinSpecials: 0
passwordMinLowers: 0
passwordMinUppers: 0
passwordMin8bit: 0
passwordMinCategories: 1
passwordMaxRepeats: 0
passwordMinTokenLength: 64
passwordLockout: on
passwordUnlock: on
passwordLockoutDuration: 1800
passwordResetDuration: 1800
passwordResetFailureCount: 1800
passwordGraceLimit: 10
cn: magwien
passwordHistory: on

Version-Release number of selected component (if applicable): 


How reproducible:

password is expired during grace logins but the password expired control is not returned.

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
Comment 13 mreynolds 2017-09-18 12:25:37 EDT
Fixed upstream 

Comment 17 Amita Sharma 2017-10-24 05:18:28 EDT
nss: 3.33.0-2.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-5.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.5.0, html-1.16.0
collected 4 items                                                                                                                                     

pwdPolicy_controls_test.py::test_pwd_must_change OK group dirsrv exists
OK user dirsrv exists
INFO:lib389.topologies:Instance with parameters {'ldap-port': 38901, 'suffix': 'dc=example,dc=com', 'krb5_realm': None, 'deployed-dir': '/usr', 'inst-backupdir': '/tmp', 'hostname': 'localhost', 'server-id': 'standalone1', 'root-pw': 'password', 'root-dn': 'cn=Directory Manager', 'group-id': None, 'InstScriptsEnabled': None, 'user-id': None, 'ldap-secureport': None} was created.
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy with paswordMustChange set to "on"
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Reset userpassword as Directory Manager
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Bind should return ctrl with error code 2 (changeAfterReset)
pwdPolicy_controls_test.py::test_pwd_expired_grace_limit INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy with grace limit set tot 2
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Change password and wait for it to expire
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Bind and use up one grace login (only one left)
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Use up last grace login, should get control
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:No grace login available, bind should fail, and no control should be returned
pwdPolicy_controls_test.py::test_pwd_expiring_with_warning INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Change password and get controls
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Warning has been sent, try the bind again, and recheck the expiring time
pwdPolicy_controls_test.py::test_pwd_expiring_with_no_warning INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:When the warning is less than the max age, we never send expiring control response
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Turn on sending expiring control regardless of warning
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Check expiring time again
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Turn off sending expiring control (restore the default setting)
PASSEDInstance slapd-standalone1 removed.

============================================================= 4 passed in 27.07 seconds ==============================================================
Comment 20 errata-xmlrpc 2018-04-10 10:18:12 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.