#48193 Password about to expire warning not being sent
Closed: wontfix None Opened 8 years ago by lunatickevin.

Steps to reproduce
1) Create password policy for the subtree in which the user resides.
2) Set passwordExp "on", passwordMaxAge to 3 days and passwordWarning to 3 days.
3) Save the password policy
4) Reset user's password
5) Try to login with the user after password reset on the same day

Expected output:
User should successfully login and get a warning that password is about to expire

Actual output
User successfully logs in but does not receive any warning.

Please check the attached image of password policy


What ldap client are you using?

This works for me using mozldap's ldapsearch, but not openldap's ldapsearch:

{{{
/usr/lib64/mozldap/ldapsearch -D "uid=mark,dc=example,dc=com" -w password -b "dc=example,dc=com" uid=mark passwordexpwarned

ldapsearch: Password will expire in 82450 seconds
ldapsearch: Warning ! Your password will expire after 22 hrs, 54 mins, 10 seconds.
version: 1
dn: uid=mark,dc=example,dc=com
passwordexpwarned: 1
}}}

We are using UnboundID JAVA SDK https://www.ldap.com/unboundid-ldap-sdk-for-java. Unbound ID is compatible with LDAPv3-compliant directory servers, which essentially means the openldap standard.
@rmeggins @mreynolds these password variables are part of the openldap standard. Will this be fixed for the openldap standard?

Replying to [comment:3 lunatickevin]:

We are using UnboundID JAVA SDK https://www.ldap.com/unboundid-ldap-sdk-for-java. Unbound ID is compatible with LDAPv3-compliant directory servers, which essentially means the openldap standard.
@rmeggins @mreynolds these password variables are part of the openldap standard. Will this be fixed for the openldap standard?

I think the problem is that openldap does not add the password policy control by default, and mozldap does. You'll have to investigate how to make your client send the password policy control, and read the response correctly.

At any rate, this is not a 389 issue.

via IRC conversation:

Here is an example of detecting an expiring password, and returning the number of seconds remaining until it expires (returns 0 if not expiring within the pw grace time).

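{{{
// Classes from the Mozilla LDAP SDK for Java (netscape.ldap)
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPControl;
import netscape.ldap.controls.LDAPPasswordExpiringControl;

// Returns the seconds left before the password expires, or 0 when the
// server returned no password expiring control on this connection.
public static int timeToExpire( LDAPConnection ld ) {
    LDAPControl[] controls = ld.getResponseControls();
    // Declared outside the loop so it is still in scope for the check below
    LDAPPasswordExpiringControl expiringCtl = null;

    if ( controls != null ) {
        for ( int i = 0; i < controls.length; i++ ) {
            if ( controls[i] instanceof LDAPPasswordExpiringControl ) {
                expiringCtl = (LDAPPasswordExpiringControl)controls[i];
                break;
            }
        }
    }
    if ( expiringCtl != null ) {
        try {
            return expiringCtl.getSecondsToExpiration();
        } catch ( NumberFormatException e ) {
            // The control value was not a valid number of seconds
            System.err.println( "Bad control" );
        }
    }
    return 0;
}
}}}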

I still don't see why this is an issue with 389?

There is not a problem with 389. The code above is just an example of a way to detect the Password Expiring Control that 389 sends back to the client.
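
The thread names two different response controls, the password policy control and the Password Expiring Control, and they carry the warning in different encodings. As an added example (not code from this ticket or from 389-ds), here is a plain-JDK decoder for both control values. The class name is hypothetical, the OIDs come from the published control definitions rather than from this page, and the sample bytes are constructed.

```java
import java.nio.charset.StandardCharsets;

public class PasswordWarningDecoder {   // hypothetical class name
    // OIDs are the published ones for these controls; they are not quoted in the ticket.
    static final String EXPIRING_OID = "2.16.840.1.113730.3.4.5";   // Netscape password expiring
    static final String PPOLICY_OID  = "1.3.6.1.4.1.42.2.27.8.5.1"; // draft-behera password policy

    /** Seconds until expiry carried by one response control, or -1 if it carries none. */
    static long secondsToExpire(String oid, byte[] value) {
        if (value == null) return -1;
        if (EXPIRING_OID.equals(oid)) {
            try {   // value is the seconds count as an ASCII decimal string
                return Long.parseLong(new String(value, StandardCharsets.US_ASCII).trim());
            } catch (NumberFormatException e) {
                return -1;
            }
        }
        return PPOLICY_OID.equals(oid) ? timeBeforeExpiration(value) : -1;
    }

    // BER value: SEQUENCE { warning [0] { timeBeforeExpiration [0] INTEGER
    //   | graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }
    // Only short-form lengths are handled; these values are a few bytes long.
    static long timeBeforeExpiration(byte[] v) {
        if (v.length < 6 || v[0] != 0x30 || v[1] != v.length - 2) return -1;
        if ((v[2] & 0xFF) != 0xA0) return -1;   // no warning element (error only)
        if ((v[4] & 0xFF) != 0x80) return -1;   // grace-login count, not a time warning
        int len = v[5];
        if (len < 1 || len > 4 || 6 + len > v.length || v[3] != len + 2) return -1;
        long seconds = 0;
        for (int i = 0; i < len; i++) seconds = (seconds << 8) | (v[6 + i] & 0xFF);
        return seconds;
    }

    public static void main(String[] args) {
        // Constructed sample control values; the first two both encode 82450 seconds
        byte[] netscape = "82450".getBytes(StandardCharsets.US_ASCII);
        byte[] ppolicy = {0x30, 0x07, (byte) 0xA0, 0x05, (byte) 0x80, 0x03, 0x01, 0x42, 0x12};
        byte[] errorOnly = {0x30, 0x03, (byte) 0x81, 0x01, 0x00};   // error [1] only, no warning
        System.out.println(secondsToExpire(EXPIRING_OID, netscape));
        System.out.println(secondsToExpire(PPOLICY_OID, ppolicy));
        System.out.println(secondsToExpire(PPOLICY_OID, errorOnly));
    }
}
```

A client that finds neither OID among the bind response controls has no warning to show, which matches the symptom reported in this ticket.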

Metadata Update from @mreynolds:
- Issue set to the milestone: N/A

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1524

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Invalid)

3 years ago
