Red Hat Bugzilla – Bug 979054
shadowLastChange updates even when PAM reports password change failed
Last modified: 2014-07-09 06:03:37 EDT
This bug is created as a clone of upstream ticket:
ldap_auth.c code which was added to SSSD for updating the shadowLastChange when "ldap_chpass_update_last_change" option is enabled updates shadowLastChange
even when the PAM password change status reports failure.
We should only update shadowLastChange on PAM password change success or we open up a work around for users to avoid changing their passwords periodically as required by policy. The user simply attempts to change password, fails by trying to set new password which invalid (denied due to password history check) yet shadowLastChange is updated, avoiding their need to actually change the password they are using.
1. Enforce ppolicy on OpenLDAP server.
2. Enable "ldap_chpass_update_last_change" in sssd.conf and restart.
3. Attempt to change password, using new password which fails to meet ppolicy requirements (e.g. previously used password which is present in password history)
password change fails but shadowLastChange for user entry is updated anyway
Changing password for user jcollins.
Retype new password:
Password change failed. Server message: Password is in history of old passwords
passwd: all authentication tokens updated successfully
Fixed upstream in the 1-10 branch.
Temporarily moving bugs to MODIFIED to work around errata tool bug
Verified the bug on SSSD Version: sssd-1.11.2-40.el7.x86_64
Steps followed during verification:
1. Setup ppolicy in Openldap server with an attribute say, pwdInHistory: 3
2. Try changing a ldap user's password by providing previously used passwords from history. Password change should fail with following message:
[tuuser2@rhel-7 ~]$ passwd
Changing password for user tuuser2.
Retype new password:
Password change failed. Server message: Please make sure the password meets the complexity constraints.
passwd: Authentication token is no longer valid; new one required
3. Verify the user attribute shadowLastChange, before and after attempting the passowrd change. shadowLastChange value should stay unchanged.
See an example of user attributes below:
[root@rhel-7 ~]# ldapsearch -xv -h ibm-dx360m4-02.rhts.eng.bos.redhat.com -D "cn=Manager,dc=example,dc=com" -b "uid=tuuser2,dc=example,dc=com" -w Secret123
ldap_initialize( ldap://ibm-dx360m4-02.rhts.eng.bos.redhat.com )
requesting: All userApplication attributes
# extended LDIF
# base <uid=tuuser2,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# tuuser2, example.com
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.