Bug 1612543 - Password expiration notification is not sent if the LDAP user doesn't have the objectClass shadowAccount.
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss-pam-ldapd
Version: 7.7
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tomas Halman
QA Contact: Filip Dvorak
URL:
Whiteboard: sync-to-jira
Duplicates: 1707937
Depends On:
Blocks:
 
Reported: 2018-08-05 14:18 UTC by Têko Mihinto
Modified: 2019-12-05 15:11 UTC
CC List: 6 users

Fixed In Version: nss-pam-ldapd-0.8.13-22.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:



Description Têko Mihinto 2018-08-05 14:18:55 UTC
Description of problem:

On RHEL 7.x, nslcd doesn't seem to send the password expiration notification if the LDAP user doesn't have the objectClass "shadowAccount".

At the customer site with RHEL 6.x, the notification is sent regardless of the presence of the objectClass "shadowAccount".


Version-Release number of selected component (if applicable):

# rpm -qa | grep nss-pam-ldapd-
nss-pam-ldapd-0.8.13-16.el7.x86_64
#


How reproducible:

Always.


Steps to Reproduce:

1. Add the following LDAP users to an RHDS instance:

User with the objectClass: shadowAccount:
+++++++++++++++++++++++++++++++
dn: uid=tmorris,ou=People,o=Test
cn: Ted Morris
sn: Morris
givenName: Ted
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
ou: Accounting
ou: People
l: Santa Clara
uid: tmorris
mail: tmorris@example.com
telephoneNumber: +1 408 555 9187
facsimileTelephoneNumber: +1 408 555 8473
roomNumber: 4117
userPassword: password
manager: uid=dmiller,ou=People,o=Test
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 23456
homeDirectory: /home/tmorris
shadowLastChange: 17748
shadowMax: 10
shadowWarning: 10
+++++++++++++++++++++++++++++++

User without the objectClass: shadowAccount:
+++++++++++++++++++++++++++++++
dn: uid=abarnes,ou=People,o=Test
cn: Anne-Louise Barnes
sn: Barnes
givenName: Anne-Louise
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
ou: Payroll
ou: People
l: Santa Clara
uid: abarnes
mail: abarnes@example.com
telephoneNumber: +1 408 555 9445
facsimileTelephoneNumber: +1 408 555 4661
roomNumber: 2290
userPassword: password
manager: uid=abergin,ou=People,o=Test
loginShell: /bin/bash
uidNumber: 10002
gidNumber: 23456
homeDirectory: /home/abarnes
+++++++++++++++++++++++++++++++


2. Edit the nslcd.conf file to configure the connection settings to the LDAP server

3. Configure the RHDS instance to send the password expiration notification:
+++++++++++++++++++++++++++++++
passwordExp: on
passwordMaxAge: 864000
passwordWarning: 864000
passwordSendExpiringTime: on
+++++++++++++++++++++++++++++++

4. Check that the notifications are sent when using the relevant LDAP control:

# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "ou=People,o=Test" -D"uid=abarnes,ou=People,o=Test" -W "uid=abarnes"  -e ppolicy 1.1
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 863979 seconds)
dn: uid=abarnes,ou=People,o=Test

#
# ldapsearch -xLLL  -p <PORT> -h <HOST> -b "ou=People,o=Test" -D"uid=tmorris,ou=People,o=Test" -W "uid=tmorris" -e ppolicy 1.1
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 861552 seconds)
dn: uid=tmorris,ou=People,o=Test

#

5. SSH to the localhost and check whether the notifications are sent or not:

# ssh abarnes@localhost
abarnes@localhost's password:
Last login: Sun Aug  5 16:07:45 2018 from localhost
-bash-4.2$
-bash-4.2$ exit
logout
Connection to localhost closed.
#
# ssh tmorris@localhost
tmorris@localhost's password:
password will expire in 10 days
Last login: Sun Aug  5 16:07:55 2018 from localhost
-bash-4.2$


Actual results:

The notification is sent only for the user that has the objectClass "shadowAccount".


Expected results:

The customer expects the same behavior as with RHEL 6.x, i.e. the notifications are sent
even if the objectClass "shadowAccount" is not present.

Additional info:

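As an added example (not part of the bug report and not nss-pam-ldapd code), the following Python script audits LDAP entries offline the way the nslcd 0.8.x shadow-attribute path does: for each entry it computes the shadow-based expiry warning from shadowLastChange, shadowMax and shadowWarning, and returns no warning at all for entries lacking shadowAccount, which is exactly the case where only the server-side ppolicy control (used by nslcd 0.9.0 and later) can report the expiry. The LDIF sample is the reporter's two test entries trimmed to the relevant attributes; the function names and the day arithmetic are this example's own assumptions, not code from the project.

```python
"""Offline audit: which LDAP users would get a shadow-based expiry warning.

Added example, not part of the bug report or of nss-pam-ldapd. It mimics
the pre-0.9 behaviour in which only shadowAccount attributes drive the
warning; entries without them produce None (the reported bug).
"""
from datetime import date

# Constructed sample: the reporter's two entries, trimmed to relevant attributes.
SAMPLE_LDIF = """\
dn: uid=tmorris,ou=People,o=Test
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: tmorris
shadowLastChange: 17748
shadowMax: 10
shadowWarning: 10

dn: uid=abarnes,ou=People,o=Test
objectClass: top
objectClass: posixAccount
uid: abarnes
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, every attribute
    collected as a list of values. No base64 ("::") or line-folding support."""
    entries, entry = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def shadow_days_until_expiry(entry, today_days):
    """Days left before the password expires according to shadow attributes
    (shadowLastChange + shadowMax - today), or None if the entry has no
    usable shadowAccount data."""
    if "shadowAccount" not in entry.get("objectClass", []):
        return None
    try:
        last_change = int(entry["shadowLastChange"][0])
        max_age = int(entry["shadowMax"][0])
    except (KeyError, ValueError):
        return None
    return last_change + max_age - today_days


def shadow_warning(entry, today_days):
    """Warning text the shadow-attribute path would emit, or None when no
    warning is produced (the case the bug report describes)."""
    left = shadow_days_until_expiry(entry, today_days)
    if left is None:
        return None
    warn = int(entry.get("shadowWarning", ["0"])[0])
    if left < 0:
        return "password has expired"
    if left <= warn:
        return f"password will expire in {left} days"
    return None


def ppolicy_seconds_to_days(seconds):
    """Whole days from the 'Password expires in N seconds' value that the
    server-side ppolicy control returns (what newer nslcd reports in days)."""
    return seconds // 86400


def days_since_epoch(d):
    """Calendar date to the day count used by shadowLastChange."""
    return (d - date(1970, 1, 1)).days


def audit(ldif_text, today_days):
    """Map uid -> shadow-based warning (or None) for every entry in the LDIF."""
    return {e["uid"][0]: shadow_warning(e, today_days) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    today = days_since_epoch(date(2018, 8, 5))  # the day the bug was reported
    for uid, msg in audit(SAMPLE_LDIF, today).items():
        print(f"{uid}: {msg or 'no shadow-based warning; needs ppolicy support (nslcd >= 0.9.0)'}")
```

Run against the two sample entries on 2018-08-05 (day 17748), tmorris gets "password will expire in 10 days" while abarnes gets nothing, matching the ssh output in the report; the ppolicy value of 863979 seconds converts to 9 whole days, which is the figure a ppolicy-aware nslcd would show.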
Comment 5 Arthur de Jong 2018-08-05 14:56:36 UTC
Password policy handling (the information that ldapsearch uses) was implemented in nss-pam-ldapd 0.9.0. Before that, only the information in shadow attributes was used.

Note that a number of fixes and improvements were made in the password policy handling since, the last one in 0.9.7. While it is probably possible to backport the changes to 0.8 this will be some work and the 0.9 series has been quite stable for a number of years now.

Comment 6 Têko Mihinto 2018-08-06 14:53:30 UTC
Hi Arthur,

Thank you for the quick update!

I have tested with version 0.9.8-1 and the notification is sent in both cases (with or without the objectClass shadowAccount).

# rpm -qa | grep nss-pam-ldapd
nss-pam-ldapd-0.9.8-1.gf.el7.x86_64
#

* User with the objectClass ShadowAccount:

# ssh tmorris@localhost
tmorris@localhost's password:
Warning: your password will expire in 9 days
password will expire in 9 days
Last login: Mon Aug  6 13:09:47 2018 from localhost
-bash-4.2$


* User without the objectClass ShadowAccount:

# ssh abarnes@localhost
abarnes@localhost's password:
Password will expires in 8 days
Last login: Mon Aug  6 13:01:48 2018 from localhost
-bash-4.2$


NOTE:
======

It would be nice to get the same message in both cases by fixing a couple of typos:
a) Use a capital case for the P in "password" ( password will ... )
b) Remove the s in "expires" ( Password will expires in ...)

Best regards,
Têko.

Comment 7 Arthur de Jong 2018-08-06 17:43:17 UTC
Thanks for the improvements, fixed in https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d8b16407408ae2caef46ffef3abbc59266f476ba (will be in the next release).

The reason the expiry is noted twice in the case with shadowAccount is probably because pam_unix also picks up the shadow attributes. Also the expiry message from the password policy probably gets lost in that case because it is overwritten by the shadow attribute message.

Comment 10 Jakub Hrozek 2019-08-13 20:18:39 UTC
*** Bug 1707937 has been marked as a duplicate of this bug. ***

