1464505 – password expired control not sent during grace logins.

Bug 1464505 - password expired control not sent during grace logins.

Summary: password expired control not sent during grace logins.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	mreynolds
QA Contact:	Viktor Ashirov
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:	1492830
TreeView+	depends on / blocked

Reported:	2017-06-23 15:20 UTC by German Parente
Modified:	2020-12-14 08:56 UTC (History)
CC List:	7 users (show)
Fixed In Version:	389-ds-base-1.3.7.5-4.el7
Doc Type:	Bug Fix
Doc Text:	Directory Server now sends the password expired control during grace logins Previously, Directory Server did not send the expired password control when an expired password had grace logins left. Consequently, clients could not tell the user that the password was expired or how many grace logins were left. The problem has been fixed. As a result, clients can now tell the user if a password is expired and how many grace logins remain.
Clone Of:
Clones:	1492830 (view as bug list)
Environment:
Last Closed:	2018-04-10 14:18:12 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 2386	0	None	None	None	2020-09-13 22:01:36 UTC
Red Hat Product Errata	RHBA-2018:0811	0	None	None	None	2018-04-10 14:19:11 UTC

Description German Parente 2017-06-23 15:20:16 UTC

Description of problem:

when the password is already expired and user is doing grace logins, the password expired control is not returned.

Customer has this password policy configuration:


Here the applying policy:
dn: cn=magwien,cn=Password Policies,dc=magwien,dc=gv,dc=at
passwordMaxFailure: 10
passwordAdminDN: cn=magwien passwordAdmins,dc=magwien,dc=gv,dc=at
passwordMustChange: on
description: Standard Password Policy as in Active Directory
objectClass: passwordpolicy
objectClass: extensibleobject
objectClass: LDAPsubentry
objectClass: top
passwordStorageScheme: SSHA512
passwordTrackUpdateTime: off
passwordChange: on
passwordExp: on
passwordMinAge: 0
passwordWarning: 1209600
passwordMaxAge: 7776000
passwordCheckSyntax: on
passwordInHistory: 24
passwordMinLength: 8
passwordMinAlphas: 0
passwordMinDigits: 0
passwordMinSpecials: 0
passwordMinLowers: 0
passwordMinUppers: 0
passwordMin8bit: 0
passwordMinCategories: 1
passwordMaxRepeats: 0
passwordMinTokenLength: 64
passwordLockout: on
passwordUnlock: on
passwordLockoutDuration: 1800
passwordResetDuration: 1800
passwordResetFailureCount: 1800
passwordGraceLimit: 10
cn: magwien
passwordHistory: on


Version-Release number of selected component (if applicable): 

389-ds-base-1.3.5.10-21.el7


How reproducible:

password is expired during grace logins but the password expired control is not returned.




Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 13 mreynolds 2017-09-18 16:25:37 UTC

Fixed upstream 

https://pagure.io/389-ds-base/issue/49327

Comment 17 Amita Sharma 2017-10-24 09:18:28 UTC

389-ds-base: 1.3.7.5-6.el7
nss: 3.33.0-2.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-5.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/suites/password, inifile:
plugins: metadata-1.5.0, html-1.16.0
collected 4 items                                                                                                                                     

pwdPolicy_controls_test.py::test_pwd_must_change OK group dirsrv exists
OK user dirsrv exists
INFO:lib389.topologies:Instance with parameters {'ldap-port': 38901, 'suffix': 'dc=example,dc=com', 'krb5_realm': None, 'deployed-dir': '/usr', 'inst-backupdir': '/tmp', 'hostname': 'localhost', 'server-id': 'standalone1', 'root-pw': 'password', 'root-dn': 'cn=Directory Manager', 'group-id': None, 'InstScriptsEnabled': None, 'user-id': None, 'ldap-secureport': None} was created.
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy with paswordMustChange set to "on"
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Reset userpassword as Directory Manager
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Bind should return ctrl with error code 2 (changeAfterReset)
PASSED
pwdPolicy_controls_test.py::test_pwd_expired_grace_limit INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy with grace limit set tot 2
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Change password and wait for it to expire
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Bind and use up one grace login (only one left)
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Use up last grace login, should get control
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:No grace login available, bind should fail, and no control should be returned
PASSED
pwdPolicy_controls_test.py::test_pwd_expiring_with_warning INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Change password and get controls
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Warning has been sent, try the bind again, and recheck the expiring time
PASSED
pwdPolicy_controls_test.py::test_pwd_expiring_with_no_warning INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Configure password policy
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:When the warning is less than the max age, we never send expiring control response
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Turn on sending expiring control regardless of warning
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Check expiring time again
INFO:dirsrvtests.tests.suites.password.pwdPolicy_controls_test:Turn off sending expiring control (restore the default setting)
PASSEDInstance slapd-standalone1 removed.


============================================================= 4 passed in 27.07 seconds ==============================================================

Comment 20 errata-xmlrpc 2018-04-10 14:18:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811

Note You need to log in before you can comment on or make changes to this bug.