#1773 SSSD should warn when pam_pwd_expiration_warning value is higher than passwordWarning LDAP attribute.
Closed: Fixed None Opened 8 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=896476 (Red Hat Enterprise Linux 6)

Description of problem:
This issue was observed during the testing of SSSD new feature
pam_pwd_expiration_warning which was set to 3 days in sssd.conf, while keeping
LDAP attributes passwordMaxAge = 3 days and passwordWarning = 2 days. In this
case, when a user logs in 3 days prior to password Max age, user should see a
password expiry warning OR the log files should show warning messages. Both the
log files, ie /var/log/secure and SSSD_Domain log file doesn't show any warning
message. So, i am assuming that SSSD is honouring passwordWarning LDAP
attribute which has a lower value than pam_pwd_expiration_warning.

Version-Release number of selected component (if applicable):
SSSD Version: sssd-1.9.2-41.el6.x86_64

How reproducible:

Steps to Reproduce:
1. Add an LDAP user and set the following attributes in LDAP Server:
   passwordMaxAge = 259200 (3 days)
   passwordWarning: 180000 (2.083 days)

2. Add "pam_pwd_expiration_warning = 3" in [pam] section of sssd.conf. See the
conf details below:

    config_file_version = 2
    sbus_timeout = 30
    services = nss, pam
    domains = LDAP

    filter_groups = root
    filter_users = root
    debug_level = 9

    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://$SERVERS
    ldap_tls_cacert = /etc/openldap/certs/cacert.asc
    ldap_search_base = dc=example,dc=com

    debug_level = 9
    pam_pwd_expiration_warning = 3

3. Clear the cache and restart sssd service, if already running.

4. Authenticate the user and verify the /var/log/secure and SSSD_DOMAIN log

Actual results:
Upon login, user is not shown password expiry message. Also, both the log
files, ie /var/log/secure and SSSD_Domain log file doesn't show any warning
message. I am assuming that SSSD is honouring passwordWarning attribute which
has a lower value than pam_pwd_expiration_warning.

Expected results:
SSSD should show warning during user login and the same should be logged in log
files as well.

Additional info:

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => jhrozek
selected: =>
testsupdated: => 0

I would say it is not a bug but rather a feature.

LDAP will tell us that the password is about to expire only when passwordWarning is hit. So if pam_pwd_expiration is greater than passwordWarning, we don't get any echo from LDAP and thus the warning is not printed sooner.

The man page says: "Please note that the backend server has to provide information about the expiration time of the password. If this information is missing, sssd cannot display a warning."
Maybe we can clarify this more?

The problem is that we were treating pam_pwd_expiration_warning as seconds, but the value that is read from the configuration is in days.

milestone: NEEDS_TRIAGE => SSSD 1.9.4
priority: major => blocker
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2815

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.