Bug 726456 - [RFE] sssd should support Netscape LDAP password expiration controls
Summary: [RFE] sssd should support Netscape LDAP password expiration controls
Keywords:
Status: CLOSED DUPLICATE of bug 771412
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.1
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 756082 782183 840699
Reported: 2011-07-28 16:57 UTC by Joshua Roys
Modified: 2020-05-02 16:25 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-03 15:40:48 UTC
Target Upstream Version:
Embargoed:


Attachments
simple implementation of Netscape password warning expiration control (2.13 KB, patch) - 2012-05-10 13:52 UTC, Joshua Roys - no flags
simple implementation of Netscape password warning expiration control (3.53 KB, patch) - 2012-05-14 12:55 UTC, Joshua Roys - no flags
simple implementation of Netscape password warning expiration control (8.19 KB, patch) - 2012-05-14 15:08 UTC, Stephen Gallagher - flags: roysjosh: review+


Links
FedoraHosted SSSD ticket 984 (private: 0; priority, status, summary: none; last updated: never)
Github SSSD sssd issue 2026 (private: 0; priority, status, summary: none; last updated: 2020-05-02 16:25:03 UTC)

Description Joshua Roys 2011-07-28 16:57:34 UTC
Description of problem:
sssd doesn't support OIDs 2.16.840.1.113730.3.4.4 and 2.16.840.1.113730.3.4.5 for password expiration notification/warning.  389-ds uses these (along with the server-side password ones).


Version-Release number of selected component (if applicable):
sssd-1.5.1

Comment 2 Jakub Hrozek 2011-08-25 12:06:34 UTC
Rich, do you know if these controls need any special treatment or behave the same as the OpenLDAP password controls?

Comment 3 Rich Megginson 2011-08-25 13:26:33 UTC
(In reply to comment #2)
> Rich, do you know if these controls need any special treatment or behave the
> same as the OpenLDAP password controls?

I don't know.  They are pretty simple, so they might work exactly the same way as the OpenLDAP controls.

Comment 5 Stephen Gallagher 2011-08-29 12:38:48 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/984

Comment 7 Joshua Roys 2012-05-10 13:52:59 UTC
Created attachment 583569 [details]
simple implementation of Netscape password warning expiration control

What do you think about this simple implementation?  It doesn't compare the value to any other password control warning value to see, for instance, which is smaller.  Also, if the bv_val happened to not be a null-terminated string, it would return who knows what.  But a quick test against our 389-ds setup has it correctly parsing the Netscape control (as well as the server-side password controls that are returned).  I'll add the .4 control for expired passwords if this is the right direction.

Comment 8 Stephen Gallagher 2012-05-10 16:47:34 UTC
(In reply to comment #7)
> Created attachment 583569 [details]
> simple implementation of Netscape password warning expiration control
> 
> What do you think about this simple implementation?  It doesn't compare the
> value to any other password control warning value to see, for instance, which
> is smaller.  Also, if the bv_val happened to not be a null-terminated string,
> it would return who knows what.  But a quick test against our 389-ds setup has
> it correctly parsing the Netscape control (as well as the server-side password
> controls that are returned).  I'll add the .4 control for expired passwords if
> this is the right direction.

Thanks for the patch! Yes, I think this is probably headed in the right direction. I think you identified the same issues I would have: we need to do a better job of validating the return values, but otherwise this looks pretty good. Please feel free to add the expired passwords.

Comment 10 Joshua Roys 2012-05-14 12:55:26 UTC
Created attachment 584357 [details]
simple implementation of Netscape password warning expiration control

This round adds a strndup/memcpy/atoi/free (along with an initial check of bv_len for suspiciously long values) to carefully get the number of seconds until password expiration out of the control.  Other alternatives might be a custom atoi-like function that took a maximum length parameter like snprintf or a libldap function that I don't know of (I didn't look too hard, to be honest).  The .3.4.4 oid for password expiration is now also handled.
Tests against our 389 server show proper return of the two controls and their handling (although I can't disable the ldap server-side password policy controls on our production servers, so those were also returned with the Netscape ones).
What do you think?  How can the patch be improved?

Comment 11 Stephen Gallagher 2012-05-14 15:08:59 UTC
Created attachment 584385 [details]
simple implementation of Netscape password warning expiration control

(In reply to comment #10)
> Created attachment 584357 [details]
> simple implementation of Netscape password warning expiration control
> 
> This round adds a strndup/memcpy/atoi/free (along with an initial check of
> bv_len for suspiciously long values) to carefully get the number of seconds
> until password expiration out of the control.  Other alternatives might be a
> custom atoi-like function that took a maximum length parameter like snprintf or
> a libldap function that I don't know of (I didn't look too hard, to be honest).
>  The .3.4.4 oid for password expiration is now also handled.
> Tests against our 389 server show proper return of the two controls and their
> handling (although I can't disable the ldap server-side password policy
> controls on our production servers, so those were also returned with the
> Netscape ones).
> What do you think?  How can the patch be improved?

I've made a few changes. Notably: I updated all of the DEBUG messages in that function to use the new macros to be more consistent. I switched your nval conversion to use our custom strtouint32() function instead of atoi(), which is deprecated. (Please let me know if uint32_t is unacceptable here). I switched the creation of nval to use talloc_strndup() which always guarantees NULL-termination (also to stick with our convention of always using TALLOC for memory management in SSSD). I made #defines for the OIDs in a common header.

I've also submitted this revised patch for further upstream review at https://fedorahosted.org/pipermail/sssd-devel/2012-May/009794.html as per our upstream review process (https://fedorahosted.org/sssd/wiki/BugLifecycle)
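The handling discussed in comments 10 and 11, bounded extraction of the seconds-until-expiry value from a control whose bv_val may not be NUL-terminated, rejection of overlong values, and a conversion that does not use atoi(), written here as an added example. This is not the attached patch or sssd code: struct berval is a stand-in so the file builds without <ldap.h>, the OID macro names are this example's own (the page says the revised patch put #defines in a common header but does not name them), strtoull() with explicit range checking stands in for sssd's strtouint32(), and a fixed local buffer plus memcpy stands in for talloc_strndup(). The sample values are constructed, not captured from a 389-ds server.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two Netscape control OIDs from the bug report. Macro names are this
 * example's own (assumption), not the names used in sssd's header. */
#define NS_PWEXPIRED_OID  "2.16.840.1.113730.3.4.4"
#define NS_PWEXPIRING_OID "2.16.840.1.113730.3.4.5"

/* Stand-in for libldap's struct berval so the example builds without <ldap.h>
 * (assumption: same two fields; bv_val is NOT guaranteed NUL-terminated). */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

/* A uint32 has at most 10 decimal digits; anything longer is "suspiciously
 * long" in the sense of comment 10 and is rejected before any copy. */
#define MAX_SECONDS_DIGITS 10

enum pw_control_result {
    PW_CTRL_NONE,      /* not one of the two Netscape controls */
    PW_CTRL_EXPIRING,  /* 3.4.5: password expires in *seconds */
    PW_CTRL_EXPIRED,   /* 3.4.4: password has already expired */
    PW_CTRL_INVALID    /* recognised control, malformed value */
};

/* Bounded conversion of the control value to seconds. bv_val is copied into
 * a local buffer and terminated here, so bv_len bounds the read instead of a
 * NUL that may not exist (the same intent as talloc_strndup() in the revised
 * patch). Returns 0 on success, otherwise an errno value. */
static int parse_control_seconds(const struct berval *bv, uint32_t *out)
{
    char buf[MAX_SECONDS_DIGITS + 1];
    char *end = NULL;
    unsigned long long v;
    size_t i;

    if (bv == NULL || bv->bv_val == NULL || out == NULL) return EINVAL;
    if (bv->bv_len == 0 || bv->bv_len > MAX_SECONDS_DIGITS) return EINVAL;

    memcpy(buf, bv->bv_val, bv->bv_len);
    buf[bv->bv_len] = '\0';

    /* strtoull() silently accepts leading whitespace and a sign; the control
     * carries a plain decimal count, so require every byte to be a digit. */
    for (i = 0; i < bv->bv_len; i++) {
        if (buf[i] < '0' || buf[i] > '9') return EINVAL;
    }

    errno = 0;
    v = strtoull(buf, &end, 10);
    if (errno != 0 || end == NULL || *end != '\0' || v > UINT32_MAX) return ERANGE;

    *out = (uint32_t)v;
    return 0;
}

/* Classify one response control by OID. Only the "expiring" control carries a
 * number we need; the thread does not describe the "expired" control's value,
 * so it is treated as a flag and its value is ignored. */
enum pw_control_result handle_pw_control(const char *oid,
                                         const struct berval *value,
                                         uint32_t *seconds)
{
    if (oid == NULL) return PW_CTRL_NONE;
    if (strcmp(oid, NS_PWEXPIRING_OID) == 0) {
        uint32_t s = 0;
        if (parse_control_seconds(value, &s) != 0) return PW_CTRL_INVALID;
        if (seconds != NULL) *seconds = s;
        return PW_CTRL_EXPIRING;
    }
    if (strcmp(oid, NS_PWEXPIRED_OID) == 0) return PW_CTRL_EXPIRED;
    return PW_CTRL_NONE;
}

/* Constructed sample values (not from a real server). The first has junk
 * after its six digits to show that bv_len, not a NUL, bounds the read. */
static char sample_expiring[] = "604800XX";
static char sample_overlong[] = "99999999999";  /* 11 digits */
static char sample_toolarge[] = "4294967296";   /* 10 digits, > UINT32_MAX */
static char sample_nondigit[] = "12a";

uint32_t sample_expiring_seconds(void)
{
    struct berval bv = { 6, sample_expiring };
    uint32_t secs = 0;
    if (handle_pw_control(NS_PWEXPIRING_OID, &bv, &secs) != PW_CTRL_EXPIRING) return 0;
    return secs;
}

enum pw_control_result sample_result(char *val, size_t len, const char *oid)
{
    struct berval bv = { len, val };
    return handle_pw_control(oid, &bv, NULL);
}

int main(void)
{
    printf("expiring: %u seconds\n", sample_expiring_seconds());
    printf("overlong -> %d, too large -> %d, non-digit -> %d, expired -> %d\n",
           sample_result(sample_overlong, 11, NS_PWEXPIRING_OID),
           sample_result(sample_toolarge, 10, NS_PWEXPIRING_OID),
           sample_result(sample_nondigit, 3, NS_PWEXPIRING_OID),
           sample_result(sample_expiring, 6, NS_PWEXPIRED_OID));
    return 0;
}
```

The length check runs before the copy, so a hostile or corrupt control value never reaches the conversion, and the digit scan closes the gap comment 10 worried about (atoi() would read past a missing terminator and accept sign or whitespace). The too-large case shows why the range check after strtoull() is still needed even once the digit count is bounded: ten digits can still exceed a uint32_t.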

Comment 12 RHEL Program Management 2012-07-10 06:13:45 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 13 RHEL Program Management 2012-07-11 02:02:52 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 14 Jenny Severance 2012-08-03 15:40:48 UTC

*** This bug has been marked as a duplicate of bug 771412 ***

Comment 15 Joshua Roys 2015-01-21 17:16:03 UTC
Comment on attachment 584385 [details]
simple implementation of Netscape password warning expiration control

Giving this old bug attachment a "+" since a recent bugzilla upgrade has started spamming me weekly about it.
