Bug 1612543 - Password expiration notification is not sent if the LDAP user doesn't have the objectClass shadowAccount.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss-pam-ldapd
Version: 7.7
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Tomas Halman
QA Contact: Filip Dvorak
URL:
Whiteboard: sync-to-jira
Duplicates: 1707937
Depends On:
Blocks:
 
Reported: 2018-08-05 14:18 UTC by Têko Mihinto
Modified: 2023-09-07 19:18 UTC (History)

Fixed In Version: nss-pam-ldapd-0.8.13-22.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 20:03:17 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SSSD-1177 0 None None None 2023-09-07 19:18:37 UTC
Red Hat Product Errata RHBA-2020:1119 0 None None None 2020-03-31 20:03:22 UTC

Description Têko Mihinto 2018-08-05 14:18:55 UTC
Description of problem:

On RHEL 7.x, nslcd doesn't seem to send the password expiration notification if the LDAP user doesn't have the objectClass "shadowAccount".

At the customer site with RHEL 6.x, the notification is sent regardless of the presence of the objectClass "shadowAccount".


Version-Release number of selected component (if applicable):

# rpm -qa | grep nss-pam-ldapd-
nss-pam-ldapd-0.8.13-16.el7.x86_64
#


How reproducible:

Always.


Steps to Reproduce:

1. Add the following LDAP users to an RHDS instance:

User with the objectClass: shadowAccount:
+++++++++++++++++++++++++++++++
dn: uid=tmorris,ou=People,o=Test
cn: Ted Morris
sn: Morris
givenName: Ted
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
ou: Accounting
ou: People
l: Santa Clara
uid: tmorris
mail: tmorris
telephoneNumber: +1 408 555 9187
facsimileTelephoneNumber: +1 408 555 8473
roomNumber: 4117
userPassword: password
manager: uid=dmiller,ou=People,o=Test
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 23456
homeDirectory: /home/tmorris
shadowLastChange: 17748
shadowMax: 10
shadowWarning: 10
+++++++++++++++++++++++++++++++

User without the objectClass: shadowAccount:
+++++++++++++++++++++++++++++++
dn: uid=abarnes,ou=People,o=Test
cn: Anne-Louise Barnes
sn: Barnes
givenName: Anne-Louise
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
ou: Payroll
ou: People
l: Santa Clara
uid: abarnes
mail: abarnes
telephoneNumber: +1 408 555 9445
facsimileTelephoneNumber: +1 408 555 4661
roomNumber: 2290
userPassword: password
manager: uid=abergin,ou=People,o=Test
loginShell: /bin/bash
uidNumber: 10002
gidNumber: 23456
homeDirectory: /home/abarnes
+++++++++++++++++++++++++++++++


2. Edit the nslcd.conf file to configure the connection settings to the LDAP server

3. Configure the RHDS instance to send the password expiration notification:
+++++++++++++++++++++++++++++++
passwordExp: on
passwordMaxAge: 864000
passwordWarning: 864000
passwordSendExpiringTime: on
+++++++++++++++++++++++++++++++

4. Check that the notifications are sent when using the relevant LDAP control:

# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "ou=People,o=Test" -D"uid=abarnes,ou=People,o=Test" -W "uid=abarnes"  -e ppolicy 1.1
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 863979 seconds)
dn: uid=abarnes,ou=People,o=Test

#
# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "ou=People,o=Test" -D"uid=tmorris,ou=People,o=Test" -W "uid=tmorris" -e ppolicy 1.1
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 861552 seconds)
dn: uid=tmorris,ou=People,o=Test

#

5. SSH to the localhost and check whether the notifications are sent or not:

# ssh abarnes@localhost
abarnes@localhost's password:
Last login: Sun Aug  5 16:07:45 2018 from localhost
-bash-4.2$
-bash-4.2$ exit
logout
Connection to localhost closed.
#
# ssh tmorris@localhost
tmorris@localhost's password:
password will expire in 10 days
Last login: Sun Aug  5 16:07:55 2018 from localhost
-bash-4.2$


Actual results:

The notification is sent only for the user that has the objectClass "shadowAccount".


Expected results:

Customer expects the same behavior as with RHEL 6.x, i.e. the notifications are sent
even if the objectClass "shadowAccount" is not present.

Additional info:

Comment 5 Arthur de Jong 2018-08-05 14:56:36 UTC
Password policy handling (the information that ldapsearch uses) was implemented in nss-pam-ldapd 0.9.0. Before that, only the information in shadow attributes was used.

Note that a number of fixes and improvements were made in the password policy handling since, the last one in 0.9.7. While it is probably possible to backport the changes to 0.8 this will be some work and the 0.9 series has been quite stable for a number of years now.

Comment 6 Têko Mihinto 2018-08-06 14:53:30 UTC
Hi Arthur,

Thank you for the quick update!

I have tested with version 0.9.8-1 and the notification is sent in both cases (with or without the objectClass ShadowAccount).

# rpm -qa | grep nss-pam-ldapd
nss-pam-ldapd-0.9.8-1.gf.el7.x86_64
#

* User with the objectClass ShadowAccount:

# ssh tmorris@localhost
tmorris@localhost's password:
Warning: your password will expire in 9 days
password will expire in 9 days
Last login: Mon Aug  6 13:09:47 2018 from localhost
-bash-4.2$


* User without the objectClass ShadowAccount:

# ssh abarnes@localhost
abarnes@localhost's password:
Password will expires in 8 days
Last login: Mon Aug  6 13:01:48 2018 from localhost
-bash-4.2$


NOTE:
======

It would be nice to get the same message in both cases by fixing a couple of typos:
a) Use a capital case for the P in "password" ( password will ... )
b) Remove the s in "expires" ( Password will expires in ...)

Best regards,
Têko.

Comment 7 Arthur de Jong 2018-08-06 17:43:17 UTC
Thanks for the improvements, fixed in https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d8b16407408ae2caef46ffef3abbc59266f476ba (will be in the next release).

The reason the expiry is noted twice in the case with shadowAccount is probably because pam_unix also picks up the shadow attributes. Also the expiry message from the password policy probably gets lost in that case because it is overwritten by the shadow attribute message.

Comment 10 Jakub Hrozek 2019-08-13 20:18:39 UTC
*** Bug 1707937 has been marked as a duplicate of this bug. ***

Comment 32 errata-xmlrpc 2020-03-31 20:03:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1119

