https://bugzilla.redhat.com/show_bug.cgi?id=896476 (Red Hat Enterprise Linux 6)
Description of problem:
This issue was observed during the testing of the new SSSD feature
pam_pwd_expiration_warning, which was set to 3 days in sssd.conf, while keeping
the LDAP attributes passwordMaxAge = 3 days and passwordWarning = 2 days. In this
case, when a user logs in 3 days prior to the password max age, the user should see a
password expiry warning OR the log files should show warning messages. Neither of the
log files, i.e. /var/log/secure and the SSSD domain log file, shows any warning
message. So I am assuming that SSSD is honouring the passwordWarning LDAP
attribute, which has a lower value than pam_pwd_expiration_warning.
Version-Release number of selected component (if applicable):
SSSD Version: sssd-1.9.2-41.el6.x86_64
Steps to Reproduce:
1. Add an LDAP user and set the following attributes in LDAP Server:
passwordMaxAge = 259200 (3 days)
passwordWarning = 180000 (2.083 days)
2. Add "pam_pwd_expiration_warning = 3" in [pam] section of sssd.conf. See the
conf details below:
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root
debug_level = 9

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://$SERVERS
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com

[pam]
debug_level = 9
pam_pwd_expiration_warning = 3
3. Clear the cache and restart sssd service, if already running.
4. Authenticate the user and verify /var/log/secure and the SSSD domain log.
Actual results:
Upon login, the user is not shown a password expiry message. Also, neither of the log
files, i.e. /var/log/secure and the SSSD domain log file, shows any warning
message. I am assuming that SSSD is honouring the passwordWarning attribute, which
has a lower value than pam_pwd_expiration_warning.
Expected results:
SSSD should show a warning during user login and the same should be logged in the log
files as well.
design_review: => 0
owner: somebody => jhrozek
testsupdated: => 0
I would say it is not a bug but rather a feature.
LDAP will tell us that the password is about to expire only when passwordWarning is hit. So if pam_pwd_expiration is greater than passwordWarning, we don't get any echo from LDAP and thus the warning is not printed sooner.
The man page says: "Please note that the backend server has to provide information about the expiration time of the password. If this information is missing, sssd cannot display a warning."
Maybe we can clarify this more?
The problem is that we were treating pam_pwd_expiration_warning as seconds, but the value that is read from the configuration is in days.
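The two comments above describe two separate filters that both have to pass before a warning is printed: the LDAP server (ppolicy overlay) only reports time-to-expiry in its bind response when the login falls inside its own passwordWarning window, and SSSD then compares that reported value against pam_pwd_expiration_warning, which the configuration gives in days but which the affected code compared as if it were seconds. The following is an added model of that decision, not code from SSSD or from this ticket; the class and function names, the treatment of an expired password as a remaining time of 0, and the assumption that the fix is a multiplication by 86400 are all mine. It reproduces the ticket's numbers (passwordMaxAge 259200 s, passwordWarning 180000 s, pam_pwd_expiration_warning 3) and shows that the reporter's scenario yields no warning for the "feature" reason, while a login inside the server's window is still suppressed by the days-vs-seconds bug.

```python
"""Model of the password-expiry warning decision discussed in this ticket.

Added example, not SSSD code. Two filters are modelled:
  1. the LDAP server only reports seconds-to-expiry when the login is within
     its passwordWarning window (otherwise SSSD gets nothing and cannot warn);
  2. SSSD compares the reported value with pam_pwd_expiration_warning, which is
     configured in days. The buggy variant compares it as seconds (assumption:
     the fix is to scale the configured days by 86400 before comparing).
"""
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 60 * 60


@dataclass
class PpolicyServer:
    """LDAP server with ppolicy attributes, both in seconds."""
    password_max_age: int   # passwordMaxAge
    password_warning: int   # passwordWarning

    def bind_response(self, pwd_changed_at: int, now: int) -> Optional[int]:
        """Seconds-to-expiry the server would report on bind, or None when the
        login is outside the passwordWarning window and no warning is sent.
        An already-expired password is modelled as 0 (a real server would
        reject the bind instead)."""
        remaining = pwd_changed_at + self.password_max_age - now
        if remaining <= 0:
            return 0
        if remaining <= self.password_warning:
            return remaining
        return None


def sssd_should_warn(expire_seconds: Optional[int],
                     pam_pwd_expiration_warning_days: int,
                     buggy: bool = False) -> bool:
    """SSSD side of the decision.

    expire_seconds: value from the backend, or None if the backend sent none.
    pam_pwd_expiration_warning_days: the sssd.conf value (days; 0 = no filter).
    buggy: compare the configured days directly against seconds.
    """
    if expire_seconds is None:
        # Man page: without expiration info from the backend, no warning.
        return False
    if pam_pwd_expiration_warning_days == 0:
        # 0 disables the filter: whatever the backend reports is shown.
        return True
    threshold = (pam_pwd_expiration_warning_days if buggy
                 else pam_pwd_expiration_warning_days * DAY)
    return expire_seconds <= threshold


def ticket_scenario() -> dict:
    """Replay the ticket's numbers (constructed timestamps, password changed
    at t=0) and return what each variant would show."""
    server = PpolicyServer(password_max_age=259200, password_warning=180000)
    warn_days = 3
    # Reporter's case: login right after the change, ~3 days before expiry.
    early = server.bind_response(pwd_changed_at=0, now=9200)      # None
    # Later login, 100000 s (~1.16 days) before expiry, inside the window.
    late = server.bind_response(pwd_changed_at=0, now=159200)    # 100000
    return {
        "early_backend_reports": early,
        "early_warn_fixed": sssd_should_warn(early, warn_days),
        "early_warn_buggy": sssd_should_warn(early, warn_days, buggy=True),
        "late_backend_reports": late,
        "late_warn_fixed": sssd_should_warn(late, warn_days),
        "late_warn_buggy": sssd_should_warn(late, warn_days, buggy=True),
    }


if __name__ == "__main__":
    for key, value in ticket_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the two effects separately: in the early login the backend reports nothing, so neither variant warns (jhrozek's "not a bug" case), while in the later login the backend does report 100000 seconds and only the seconds-scaled comparison prints the warning; comparing the raw value 3 against 100000 seconds silently drops it. Setting pam_pwd_expiration_warning to 0 bypasses the SSSD-side filter entirely, which is a quick way to tell the two causes apart when debugging.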
milestone: NEEDS_TRIAGE => SSSD 1.9.4
priority: major => blocker
status: new => assigned
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4