Description of problem:
Error messages (3, 4, <NULL>) [Internal Error (System error)] are seen during the change password operation of a user in an openldap server with ppolicy enabled.

Version-Release number of selected component (if applicable):
sssd-1.5.1-49.el6.i686

How reproducible:
Always

Steps to Reproduce:
1. Try to change the password of a user in an openldap server with ppolicy set ("pwdInHistory: 6", and use a password that was used within the last 6 times):
2. # ssh -l ppuser1 localhost
ppuser1@localhost's password:
Your password has expired. You have 3 grace login(s) remaining.
Last login: Tue Aug 30 15:33:40 2011 from localhost
Could not chdir to home directory /home/ppuser1: No such file or directory
id: cannot find name for group ID 564675
-sh-4.1$ passwd
Changing password for user ppuser1.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
-sh-4.1$

Actual results:
Password change fails as expected, but logs show:
<snip>
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [simple_bind_done] (9): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [simple_bind_done] (7): Password Policy Response: expire [-1] grace [1] error [No error].
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [simple_bind_done] (4): Password expired. [1] grace logins remaining.
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [auth_bind_user_done] (9): Found ppolicy data, assuming LDAP password policies are active.
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_auth4chpass_done] (7): user [uid=ppuser1,dc=example,dc=com] successfully authenticated.
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_control_create] (3): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_exop_modify_passwd_send] (4): Executing extended operation
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_exop_modify_passwd_send] (8): ldap_extended_operation sent, msgid = 3
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xccb740], connected[1], ops[0xd74510], ldap[0xd85030]
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xccb740], connected[1], ops[0xd74510], ldap[0xd85030]
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_exop_modify_passwd_done] (5): Server returned no controls.
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_exop_modify_passwd_done] (3): ldap_extended_operation result: Constraint violation(19), Password is in history of old passwords
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [4][LDAP]
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [4][LDAP]
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [sdap_handle_release] (8): Trace: sh[0xccb740], connected[1], ops[(nil)], ldap[0xd85030], destructor_lock[0], release_memory[0]
(Wed Aug 31 07:55:42 2011) [sssd[be[LDAP]]] [remove_connection_callback] (9): Successfully removed connection callback.
</snip>

Expected results:
Improve the error messages returning (3, 4, <NULL>) [Internal Error (System error)].

Additional info:
Verified in version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 51.el6                        Build Date: Mon 12 Sep 2011 06:55:14 PM IST
Install Date: Tue 13 Sep 2011 08:02:21 PM IST      Build Host: x86-001.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-51.el6.src.rpm
Size        : 3670464                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: There was no specific error code implemented for the situation where a user changed his password, but password policy constraints were violated.
Consequence: Very generic and thus not understandable error messages were printed when this error occurred.
Fix: A specific error code for LDAP password constraint violation has been implemented.
Result: Error messages are now clearly stating what happened.
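To make the Cause/Fix above concrete, here is an added illustration of the two mapping strategies; it is not sssd's code and does not reproduce the specific error code the fix introduced (the page does not name it). It takes the result of the LDAP password-modify extended operation, exactly what the log shows the server returning (Constraint violation(19) with the diagnostic "Password is in history of old passwords"), and shows the "before" behaviour, where every failure collapses to PAM_SYSTEM_ERR (4) with no message, next to an "after" mapping in which the ppolicy rejection gets its own PAM status and the server's diagnostic text reaches the user. The LDAP and PAM numeric values are the standard ones from RFC 4511 and Linux-PAM; the choice of PAM_AUTHTOK_ERR for the constraint-violation case, the struct and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* LDAP result codes (RFC 4511) a password-modify exop can return. */
#define LDAP_SUCCESS              0
#define LDAP_CONSTRAINT_VIOLATION 19
#define LDAP_INVALID_CREDENTIALS  49
#define LDAP_INSUFFICIENT_ACCESS  50
#define LDAP_UNWILLING_TO_PERFORM 53

/* Linux-PAM return values, copied from <security/_pam_types.h> so this
 * file builds without libpam development headers installed. */
#define PAM_SUCCESS     0
#define PAM_SYSTEM_ERR  4
#define PAM_PERM_DENIED 6
#define PAM_AUTH_ERR    7
#define PAM_AUTHTOK_ERR 20

/* Hypothetical result record: what a backend would hand to the PAM responder. */
struct chpass_result {
    int  pam_status;     /* PAM status returned to passwd(1) */
    char message[128];   /* text shown to the user; empty when none */
};

/* "Before": every failed exop, a ppolicy rejection included, becomes
 * PAM_SYSTEM_ERR with no message. This is the behaviour the log above
 * shows as "(3, 4, <NULL>) [Internal Error (System error)]". */
struct chpass_result map_chpass_generic(int ldap_rc)
{
    struct chpass_result r;
    memset(&r, 0, sizeof(r));
    r.pam_status = (ldap_rc == LDAP_SUCCESS) ? PAM_SUCCESS : PAM_SYSTEM_ERR;
    return r;
}

/* "After": results a server can legitimately return for a refused change
 * get their own PAM status, and the server's diagnostic text is kept.
 * The PAM status chosen per case is an assumption of this example. */
struct chpass_result map_chpass_specific(int ldap_rc, const char *diag)
{
    struct chpass_result r;
    memset(&r, 0, sizeof(r));

    switch (ldap_rc) {
    case LDAP_SUCCESS:
        r.pam_status = PAM_SUCCESS;
        break;
    case LDAP_CONSTRAINT_VIOLATION:
        /* ppolicy refused the new password: history, length, quality, ... */
        r.pam_status = PAM_AUTHTOK_ERR;
        snprintf(r.message, sizeof(r.message),
                 "Password change rejected by server: %s",
                 (diag && *diag) ? diag : "policy constraint violated");
        break;
    case LDAP_INVALID_CREDENTIALS:
        r.pam_status = PAM_AUTH_ERR;
        snprintf(r.message, sizeof(r.message), "Current password is incorrect");
        break;
    case LDAP_INSUFFICIENT_ACCESS:
    case LDAP_UNWILLING_TO_PERFORM:
        r.pam_status = PAM_PERM_DENIED;
        snprintf(r.message, sizeof(r.message),
                 "Server refused the password change: %s",
                 (diag && *diag) ? diag : "permission denied");
        break;
    default:
        /* Anything else really is unexpected; only here is SYSTEM_ERR honest. */
        r.pam_status = PAM_SYSTEM_ERR;
        snprintf(r.message, sizeof(r.message),
                 "Unexpected LDAP result %d during password change", ldap_rc);
        break;
    }
    return r;
}

int main(void)
{
    /* Constructed input: the result the log above shows the server returning. */
    const char *diag = "Password is in history of old passwords";
    struct chpass_result before = map_chpass_generic(LDAP_CONSTRAINT_VIOLATION);
    struct chpass_result after  = map_chpass_specific(LDAP_CONSTRAINT_VIOLATION, diag);

    printf("before: pam_status=%d message=\"%s\"\n", before.pam_status, before.message);
    printf("after:  pam_status=%d message=\"%s\"\n", after.pam_status, after.message);
    return 0;
}
```

The point of the second mapping is that the backend already has everything it needs when the exop completes: the result code distinguishes a policy refusal from a real server fault, and the diagnostic message is the text the user should see instead of "Authentication token manipulation error". Only a genuinely unknown result should fall through to PAM_SYSTEM_ERR.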
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1529.html