Bug 537358 - RHEL ldap clients are not showing password expiry warning
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
5.4
All Linux
medium Severity medium
: rc
: ---
Assigned To: Nalin Dahyabhai
Ondrej Moriš
Blocks: 637190
Reported: 2009-11-13 04:52 EST by Masahiro Matsuya
Modified: 2011-01-13 18:32 EST
Fixed In Version: nss_ldap-253-33.el5
Doc Type: Bug Fix
: 637190 (view as bug list)
Last Closed: 2011-01-13 18:32:17 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
PADL Software 407 None None None Never

Description Masahiro Matsuya 2009-11-13 04:52:01 EST
Description of problem:

When the value of the control 1.3.6.1.4.1.42.2.27.8.5.1 in the LDAP packet was less than 86400, the password expiry warning was not output.

In this customer's case, it was 3007A005800301486E.

3007A005800301486E is parsed as follows.

 30  LBER_SEQUENCE
 07  
 A0  PPOLICY_WARNING
 05
 80  PPOLICY_EXPIRE
 03
 01486E (= 84078)

So, the time to expire the password was 84078 seconds. 84078 is less than SECSPERDAY (which is defined as 86400). The condition marked (X) below is false, and the warning is not output.

--------------------------------------
pam_sm_acct_mgmt (pam_handle_t * pamh, int flags, int argc, const char **argv)
{
 ...
 if (session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED)
   {
     if (session->info->shadow.warn > 0)       /* shadowAccount */
       ...
     else
       {
         expirein = session->info->password_expiration_time / SECSPERDAY;
       }
     if (expirein > 0)         ............. (X)
       {
         snprintf (buf, sizeof buf,
                   "Your LDAP password will expire in %ld day%s....
--------------------------------------


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 5.4
nss_ldap-253-21.el5

How reproducible:
Always

Steps to Reproduce:
1. register the test user to Sun DS 6.1 (But, this can occur even with RHDS.)
2. configure a password policy for the test user
3. configure the user authentication with ldap on RHEL5 box
4. login into RHEL 5 box with a user whose password is about to expire.

Actual results:
No password expiry warning displayed at login.

Expected results:
User should get a password expiry warning -
----
ssh jsmith@10.65.209.216
jsmith@10.65.209.216's password:
Your LDAP password will expire in 1 day.
Last login: Wed Oct  7 16:26:25 2009

Additional info:
Comment 13 errata-xmlrpc 2011-01-13 18:32:17 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0097.html
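
An added worked example, not part of the bug report or of the nss_ldap source: it decodes the control value quoted in the description and compares the truncating day calculation from the excerpt with a round-up calculation. The function names and the round-up variant are assumptions for illustration; the report does not say how the erratum changed the code.

```c
#include <stddef.h>
#include <stdio.h>

#define SECSPERDAY 86400L

/* Decode the timeBeforeExpiration warning from a password policy response
 * control value. Handles short-form BER lengths only, which is enough for
 * this control. Returns seconds until expiry, or -1 if the warning is
 * absent or the encoding is malformed. */
long ppolicy_time_before_expiration(const unsigned char *p, size_t n)
{
    /* 30 len: SEQUENCE wrapping the whole value */
    if (n < 6 || p[0] != 0x30 || p[1] >= 0x80 || (size_t)p[1] + 2 != n)
        return -1;
    /* A0 len: warning element, must fit inside the SEQUENCE */
    if (p[2] != 0xA0 || p[3] >= 0x80 || (size_t)p[3] + 4 > n)
        return -1;
    /* 80 len: timeBeforeExpiration, 1..4 content bytes filling the warning */
    if (p[4] != 0x80 || p[5] == 0 || p[5] > 4 || p[5] + 2 != p[3])
        return -1;
    if (p[6] & 0x80)
        return -1;              /* a negative time is not meaningful here */
    long secs = 0;
    for (size_t i = 0; i < p[5]; i++)
        secs = (secs << 8) | p[6 + i];
    return secs;
}

/* Day count as computed in the excerpt: truncating integer division. */
long days_truncated(long secs) { return secs / SECSPERDAY; }

/* Assumed alternative, not the shipped fix: round up so that any remaining
 * time counts as at least one day. */
long days_rounded_up(long secs) { return (secs + SECSPERDAY - 1) / SECSPERDAY; }

int main(void)
{
    /* Control value quoted in the report: 3007A005800301486E */
    static const unsigned char ctrl[] =
        { 0x30, 0x07, 0xA0, 0x05, 0x80, 0x03, 0x01, 0x48, 0x6E };
    long secs = ppolicy_time_before_expiration(ctrl, sizeof ctrl);

    printf("seconds=%ld truncated=%ld rounded_up=%ld\n",
           secs, days_truncated(secs), days_rounded_up(secs));
    return 0;
}
```

With the truncating form, every remaining time below 86400 seconds yields 0 days, so the `expirein > 0` test suppresses the warning during the final day before expiry.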
