Bug 199188 - OpenLDAP with Linux Authentication - shadowMax variable not handled properly
OpenLDAP with Linux Authentication - shadowMax variable not handled properly
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap (Show other bugs)
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Nalin Dahyabhai
Jay Turner
Depends On:
  Show dependency treegraph
Reported: 2006-07-17 16:47 EDT by Michael Romero
Modified: 2015-01-07 19:13 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-07-17 18:52:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Michael Romero 2006-07-17 16:47:48 EDT
Description of problem:
I have built an OpenLDAP environment for Linux System Authentication.  I just 
discovered that the shadowMax variable used within LDAP is not handled the same 
with the corresponding /etc/shadow field is handled.  I am expecting to be able 
to put in a number i.e. "30" in the shadowMax field within LDAP and have it 
mean that the password will expire 30 days from the day it was last modified.  
All of the documentation I am referencing on the net is saying that this should 
be the behavior I should be expecting as well.  What I have found is that if 
you set it to "30", it ALWAYS believes its expired because what its actually 
taking the difference from shadowLastChange and shadowMax and looking for the 
difference between those two values to determing when the password expires.  
i.e. if the last time I changed my password showed up as 13377 and that was my 
shadowLastChange value, a 30 day expiration for the shadowMax variable would 
need to be 13407.  If I create a local user, the /etc/shadow field that should 
correspond with shadowMax behaves exactly as expected.  "30" would mean 
expiring in 30 days.

Version-Release number of selected component (if applicable):
openldap-2.2.13-4 (linux system client)

How reproducible:
Every Time

Steps to Reproduce:
1.  Build an OpenLDAP environment for Linux Authentication.
2.  Create a user using the shadowAccount and account objectClasses.  
3.  Set the password using the "passwd" utility to get a valid date in 
4.  Set the shadowMax field in LDAP to "30" and attempt to login.

Actual results:
You should be prompted to change your password because your password will 
appear to have expired.

Expected results:
You should be able to login successfully and not need to change your password 
for 30 days.

Additional info:  I am also using the back-sql module with my LDAP schema and 
PostgreSQL is my backend.
Comment 1 Nalin Dahyabhai 2006-07-17 17:14:07 EDT
Can you post the output of "getent shadow username" for an affected user?  This
sounds as though pam_ldap isn't able to read all of the details from the
directory via nss_ldap, and is behaving strangely as a result...
Comment 2 Michael Romero 2006-07-17 18:38:03 EDT
hehe you were onto something when you asked that.. I hadn't used that "getent 
shadow <username>" command before and when I ran it initially, I got back..

I saw that it was only seeing the shadowMax value and not shadowLastChange.  I 
then realized that I set the userPassword and shadowLastChange values up with a 
special ACL.  I had...

access to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none

access to *
  by * read

This allowed the passwd command to write to the shadowLastChange attribute 
whenever a password was changed but it turns out was blocking the system from 
reading that value if it wasn't that user.. 

I changed it to this..

access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

access to attrs=shadowLastChange
  by self write
  by * read

access to *
  by * read

The output of "getent shadow <username>" now showed up with...

Tested expiration and it works as expected.  Thanks :)
Comment 3 Nalin Dahyabhai 2006-07-17 18:52:10 EDT
Excellent!  I'll mark this as not-a-bug then.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.