Bug 537358 - RHEL ldap clients are not showing password expiry warning
Summary: RHEL ldap clients are not showing password expiry warning
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Nalin Dahyabhai
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 637190
 
Reported: 2009-11-13 09:52 UTC by Masahiro Matsuya
Modified: 2018-11-14 20:29 UTC (History)

Fixed In Version: nss_ldap-253-33.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 637190 (view as bug list)
Environment:
Last Closed: 2011-01-13 23:32:17 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
PADL Software 407 0 None None None Never
Red Hat Product Errata RHBA-2011:0097 0 normal SHIPPED_LIVE nss_ldap bug fix update 2011-01-12 17:29:13 UTC

Description Masahiro Matsuya 2009-11-13 09:52:01 UTC
Description of problem:

When the value of the control 1.3.6.1.4.1.42.2.27.8.5.1 in the LDAP packet was less than 86400, the password expiry warning was not output.

In case of this customer, it was 3007A005800301486E.

3007A005800301486E is parsed as below.

 30  LBER_SEQUENCE
 07  
 A0  PPOLICY_WARNING
 05
 80  PPOLICY_EXPIRE
 03
 01486E (= 84078)

So, the time to expire the password was 84078 seconds. 84078 is less than SECSPERDAY (which is defined as 86400). The condition at (X) in the following code is false, and the warning is not output.

--------------------------------------
pam_sm_acct_mgmt (pam_handle_t * pamh, int flags, int argc, const char **argv)
{
 ...
 if (session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED)
   {
     if (session->info->shadow.warn > 0)       /* shadowAccount */
       ...
     else
       {
         expirein = session->info->password_expiration_time / SECSPERDAY;
       }
     if (expirein > 0)         ............. (X)
       {
         snprintf (buf, sizeof buf,
                   "Your LDAP password will expire in %ld day%s....
--------------------------------------


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 5.4
nss_ldap-253-21.el5

How reproducible:
Always

Steps to Reproduce:
1. register the test user to Sun DS 6.1 (But, this can occur even with RHDS.)
2. configure a password policy for the test user
3. configure the user authentication with ldap on RHEL5 box
4. login into RHEL 5 box with a user whose password is about to expire.

Actual results:
No password expiry warning displayed at login.

Expected results:
User should get a password expiry warning -
----
ssh jsmith.209.216
jsmith.209.216's password:
Your LDAP password will expire in 1 day.
Last login: Wed Oct  7 16:26:25 2009

Additional info:
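
The decode and the truncation described in this report, as an added example (not part of the original report and not nss_ldap code). The decoder handles short-form BER lengths only; the function names, the second sample value and the rounded-up day count are assumptions for illustration, not the fix shipped in the erratum.

```c
#include <stddef.h>
#include <stdio.h>

#define SECSPERDAY 86400L

/* Control value quoted in the report: 3007A005800301486E */
const unsigned char SAMPLE[] = {0x30,0x07,0xA0,0x05,0x80,0x03,0x01,0x48,0x6E};
/* Constructed value: warning carries graceAuthNsRemaining [1] instead */
const unsigned char GRACE_ONLY[] = {0x30,0x05,0xA0,0x03,0x81,0x01,0x02};

/* Return timeBeforeExpiration in seconds from a password policy response
 * control value, or -1 if that field is absent or the encoding is not
 * the simple short-form layout shown in the report. */
long ppolicy_time_before_expiration(const unsigned char *p, size_t n)
{
    long v = 0;
    size_t i;

    if (n < 2 || p[0] != 0x30 || p[1] >= 0x80 || (size_t)p[1] + 2 != n)
        return -1;                          /* outer SEQUENCE */
    p += 2; n -= 2;
    if (n < 2 || p[0] != 0xA0 || p[1] >= 0x80 || (size_t)p[1] + 2 > n)
        return -1;                          /* [0] warning */
    n = p[1]; p += 2;
    if (n < 3 || p[0] != 0x80 || p[1] > 4 || (size_t)p[1] + 2 != n)
        return -1;                          /* [0] timeBeforeExpiration */
    if (p[2] & 0x80)
        return -1;                          /* negative INTEGER */
    for (i = 0; i < p[1]; i++)
        v = (v << 8) | p[2 + i];            /* big-endian content octets */
    return v;
}

/* Same arithmetic as the excerpt: anything under one day becomes 0. */
long days_truncated(long secs) { return secs / SECSPERDAY; }

/* Alternative that keeps a partial day visible to the (X) test. */
long days_rounded_up(long secs) { return (secs + SECSPERDAY - 1) / SECSPERDAY; }

int main(void)
{
    long secs = ppolicy_time_before_expiration(SAMPLE, sizeof SAMPLE);
    printf("timeBeforeExpiration = %ld s\n", secs);
    printf("truncated days  = %ld (expirein > 0 is false, no warning)\n",
           days_truncated(secs));
    printf("rounded-up days = %ld\n", days_rounded_up(secs));
    return 0;
}
```
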

Comment 13 errata-xmlrpc 2011-01-13 23:32:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0097.html

