Description of problem: When the value of the control 1.3.6.1.4.1.42.2.27.8.5.1 in the LDAP packet was less than 86400, the password expiry warning was not outputed. In case of this customer, it was 3007A005800301486E. 3007A005800301486E is parsed as below. 30 LBER_SEQUENCE 07 A0 PPOLICY_WARNING 05 80 PPOLICY_EXPIRE 03 01486E (= 84078) So, the time to expire the password was 84078 seconds. 84078 is less than SECSPERDAY (is defined as 86400). The condition of the following (X) is false, and the warning is not outputed. -------------------------------------- pam_sm_acct_mgmt (pam_handle_t * pamh, int flags, int argc, const char **argv) { ... if (session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED) { if (session->info->shadow.warn > 0) /* shadowAccount */ ... else { expirein = session->info->password_expiration_time / SECSPERDAY; } if (expirein > 0) ............. (X) { snprintf (buf, sizeof buf, "Your LDAP password will expire in %ld day%s.... -------------------------------------- Version-Release number of selected component (if applicable): Red Hat Enterprise Linux 5.4 nss_ldap-253-21.el5 How reproducible: Always Steps to Reproduce: 1. register the test user to Sun DS 6.1 (But, this can occur even with RHDS.) 2. configure a password policy for the test user 3. configure the user authentication with ldap on RHEL5 box 4. login into RHEL 5 box with a user whose password is about to expire. Actual results: No password expiry warning displayed at login. Expected results: User should get a password expiry warning - ---- ssh jsmith.209.216 jsmith.209.216's password: Your LDAP password will expire in 1 day. Last login: Wed Oct 7 16:26:25 2009 Additional info:
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0097.html