#1773 SSSD should warn when pam_pwd_expiration_warning value is higher than passwordWarning LDAP attribute.
Closed: Fixed. Opened 6 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=896476 (Red Hat Enterprise Linux 6)

Description of problem:
This issue was observed during the testing of the new SSSD feature
pam_pwd_expiration_warning, which was set to 3 days in sssd.conf, while keeping
the LDAP attributes passwordMaxAge = 3 days and passwordWarning = 2 days. In this
case, when a user logs in 3 days prior to passwordMaxAge, the user should see a
password expiry warning OR the log files should show warning messages. Both
log files, i.e. /var/log/secure and the SSSD_Domain log file, don't show any
warning message. So, I am assuming that SSSD is honouring the passwordWarning
LDAP attribute, which has a lower value than pam_pwd_expiration_warning.

Version-Release number of selected component (if applicable):
SSSD Version: sssd-1.9.2-41.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add an LDAP user and set the following attributes in LDAP Server:
   passwordMaxAge = 259200 (3 days)
   passwordWarning: 180000 (2.083 days)

2. Add "pam_pwd_expiration_warning = 3" in [pam] section of sssd.conf. See the
conf details below:

    [sssd]
    config_file_version = 2
    sbus_timeout = 30
    services = nss, pam
    domains = LDAP

    [nss]
    filter_groups = root
    filter_users = root
    debug_level = 9

    [domain/LDAP]
    debug_level=9
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://$SERVERS
    ldap_tls_cacert = /etc/openldap/certs/cacert.asc
    ldap_search_base = dc=example,dc=com

    [pam]
    debug_level = 9
    pam_pwd_expiration_warning = 3

3. Clear the cache and restart sssd service, if already running.

4. Authenticate the user and verify the /var/log/secure and SSSD_DOMAIN log
files.

Actual results:
Upon login, the user is not shown a password expiry message. Also, both log
files, i.e. /var/log/secure and the SSSD_Domain log file, don't show any warning
message. I am assuming that SSSD is honouring the passwordWarning attribute,
which has a lower value than pam_pwd_expiration_warning.

Expected results:
SSSD should show warning during user login and the same should be logged in log
files as well.

Additional info:

Fields changed

owner: somebody => jhrozek

I would say it is not a bug but rather a feature.

LDAP will tell us that the password is about to expire only when passwordWarning is hit. So if pam_pwd_expiration is greater than passwordWarning, we don't get any echo from LDAP and thus the warning is not printed sooner.

The man page says: "Please note that the backend server has to provide information about the expiration time of the password. If this information is missing, sssd cannot display a warning."
Maybe we can clarify this more?

The problem is that we were treating pam_pwd_expiration_warning as seconds, but the value that is read from the configuration is in days.

milestone: NEEDS_TRIAGE => SSSD 1.9.4
priority: major => blocker
status: new => assigned
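The two comments above describe two separate layers of the behaviour: a server-side gate (the LDAP server only reports the remaining password lifetime once the passwordWarning period has been reached) and a client-side unit error (the pam_pwd_expiration_warning value is read in days but was compared as if it were seconds). The following is an added C model of that decision logic written for this page; it is not SSSD's own code. The struct and function names are assumptions, the "zero disables the filter" rule follows the sssd.conf man page wording, and the sample values are the ones from the ticket.

```c
#include <stdbool.h>
#include <stdio.h>

#define SECONDS_PER_DAY 86400L

/* Modelled outcome of an LDAP bind: whether the server's password-policy
 * response control carried a "time before expiration" value, and what it was.
 * (Assumed shape; SSSD's real structures differ.) */
struct ppolicy_response {
    bool has_expire_warning; /* server included timeBeforeExpiration */
    long seconds_left;       /* meaningful only when has_expire_warning */
};

/* Server side: the LDAP server only announces the remaining lifetime once it
 * is within passwordWarning seconds, which is why SSSD cannot warn earlier
 * than the server allows (jhrozek's first comment). */
struct ppolicy_response ldap_bind_response(long seconds_left, long password_warning)
{
    struct ppolicy_response r = { false, 0 };
    if (seconds_left <= password_warning) {
        r.has_expire_warning = true;
        r.seconds_left = seconds_left;
    }
    return r;
}

/* Client side, defective variant: the configured value is in days, but it is
 * compared directly against a number of seconds, so a setting of 3 only
 * triggers within the last 3 seconds of the password's life. */
bool should_warn_buggy(struct ppolicy_response r, long warn_days)
{
    if (!r.has_expire_warning)
        return false;          /* nothing from the backend: cannot warn */
    if (warn_days == 0)
        return true;           /* 0: no filter, show whatever the backend sent */
    return r.seconds_left <= warn_days;
}

/* Client side, corrected variant: convert days to seconds before comparing. */
bool should_warn_fixed(struct ppolicy_response r, long warn_days)
{
    if (!r.has_expire_warning)
        return false;
    if (warn_days == 0)
        return true;
    return r.seconds_left <= warn_days * SECONDS_PER_DAY;
}

int main(void)
{
    /* Constructed scenarios using the ticket's values:
     * passwordMaxAge = 259200 s (3 days), passwordWarning = 180000 s,
     * pam_pwd_expiration_warning = 3 (days). */
    const long password_warning = 180000;
    const long warn_days = 3;
    const long scenarios[] = { 259200, 170000 };

    for (int i = 0; i < 2; i++) {
        struct ppolicy_response r = ldap_bind_response(scenarios[i], password_warning);
        printf("%ld s left: backend reported=%d buggy=%d fixed=%d\n",
               scenarios[i], r.has_expire_warning,
               should_warn_buggy(r, warn_days), should_warn_fixed(r, warn_days));
    }
    return 0;
}
```

With 259200 seconds left (the full 3 days) the server stays silent because passwordWarning has not been reached, so neither variant can warn; that is the "feature, not a bug" part. With 170000 seconds left the server does report the expiry, and only the day-to-second conversion lets a setting of 3 produce the warning the reporter expected.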

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4

2 years ago
