RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2115475 - group password policy by default does not allow grace logins
Summary: group password policy by default does not allow grace logins
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: ---
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: pre-dev-freeze
: ---
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 2115495
TreeView+ depends on / blocked
 
Reported: 2022-08-04 18:38 UTC by Rob Crittenden
Modified: 2022-11-08 10:27 UTC (History)
6 users (show)

Fixed In Version: ipa-4.9.10-6.module+el8.7.0+16405+581a7c1e
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2115495 (view as bug list)
Environment:
Last Closed: 2022-11-08 09:36:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-8618 0 None None None 2022-08-04 18:55:55 UTC
Red Hat Issue Tracker RHELPLAN-130330 0 None None None 2022-08-04 18:56:02 UTC
Red Hat Product Errata RHBA-2022:7540 0 None None None 2022-11-08 09:36:46 UTC

Description Rob Crittenden 2022-08-04 18:38:29 UTC 
Description of problem:

Cloned from https://pagure.io/freeipa/issue/9212

The nightly test test_user.py::test_user::test_password_expiration_notification is failing, see PR #1917 with the following logs and report.

Test scenario (all the steps are done using the Gui):

* Modify ipa config through the Gui (IPA Server > Configuration) with Password Expiration Notification = 15 days
* Create a user
* Create a group
* Add the user to the group
* Create a password policy for the group
* Set Password Max life = 7 days, Password Min Life = 0
* As admin, reset the user password. Logout.
* Login to the Gui as the new user. As the password was administratively reset, the user is prompted to reset his password

The defaults are tricky

For grace -1 means disabled and this is the default in the global policy.
0 means no grace logins are allowed.

A group policy defaults to being empty. Empty values are treated as 0.

So a new group policy will not allow grace logins.

group policies have never inherited values from the global policy.
Comment 1 Rob Crittenden 2022-08-18 21:52:37 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/b6587d3361391b15b0a3ef9b08a2f21bedcdeff7
https://pagure.io/freeipa/c/c8955a4d0a10aa8b86e1af4361245d7f71da68c8
https://pagure.io/freeipa/c/0468cc6085b92d91bebc0fa8ff0a5b1384759af5
Comment 2 Florence Blanc-Renaud 2022-08-19 06:20:09 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/434620ee342ac4767beccec647a318bfa7743dfa
https://pagure.io/freeipa/c/497a57e7a6872fa30d1855a1d91a455bfdbf9300
https://pagure.io/freeipa/c/a4ddaaf3048c4e8d78a1807af7266ee40ab3a30b

ipa-4-10:
https://pagure.io/freeipa/c/1aa39529cda4ab9620539dbad705cedd23c21b42
https://pagure.io/freeipa/c/45e6d49b94da78cd82eb016b3266a17a1359a087
https://pagure.io/freeipa/c/de6f074538f6641fd9d84bed204a3d4d50eccbe5
Comment 3 Rob Crittenden 2022-08-19 11:58:58 UTC 
Range values for passwordgracelimit are:

-1 : password grace checking is disabled
 0 : no grace BIND are allowed at all post-expiration
 1..MAXINT: the number of BIND allowed post-expiration

The default value for the global policy on install/upgrade will be -1 to
retain existing behavior.

New group password policies will default to -1 to retain previous
behavior.

Existing group policies with no grace limit set are updated to use
the default unlimited value, -1. This is done because lack of value in
LDAP is treated as 0 so any existing group policies would not allow
post-expiration BIND so this will avoid confusion.
Comment 11 errata-xmlrpc 2022-11-08 09:36:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7540
Note You need to log in before you can comment on or make changes to this bug.