Learn more about these different git repos.
Other Git URLs
https://bugzilla.redhat.com/show_bug.cgi?id=896476 (Red Hat Enterprise Linux 6)
Description of problem:
This issue was observed during the testing of SSSD new feature
pam_pwd_expiration_warning which was set to 3 days in sssd.conf, while keeping
LDAP attributes passwordMaxAge = 3 days and passwordWarning = 2 days. In this
case, when a user logs in 3 days prior to password Max age, user should see a
password expiry warning OR the log files should show warning messages. Both the
log files, ie /var/log/secure and SSSD_Domain log file doesn't show any warning
message. So, i am assuming that SSSD is honouring passwordWarning LDAP
attribute which has a lower value than pam_pwd_expiration_warning.
Version-Release number of selected component (if applicable):
SSSD Version: sssd-1.9.2-41.el6.x86_64
Steps to Reproduce:
1. Add an LDAP user and set the following attributes in LDAP Server:
passwordMaxAge = 259200 (3 days)
passwordWarning: 180000 (2.083 days)
2. Add "pam_pwd_expiration_warning = 3" in [pam] section of sssd.conf. See the
conf details below:
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP
filter_groups = root
filter_users = root
debug_level = 9
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://$SERVERS
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com
debug_level = 9
pam_pwd_expiration_warning = 3
3. Clear the cache and restart sssd service, if already running.
4. Authenticate the user and verify the /var/log/secure and SSSD_DOMAIN log
Upon login, user is not shown password expiry message. Also, both the log
files, ie /var/log/secure and SSSD_Domain log file doesn't show any warning
message. I am assuming that SSSD is honouring passwordWarning attribute which
has a lower value than pam_pwd_expiration_warning.
SSSD should show warning during user login and the same should be logged in log
files as well.
design_review: => 0
owner: somebody => jhrozek
testsupdated: => 0
I would say it is not a bug but rather a feature.
LDAP will tell us that the password is about to expire only when passwordWarning is hit. So if pam_pwd_expiration is greater than passwordWarning, we don't get any echo from LDAP and thus the warning is not printed sooner.
The man page says: "Please note that the backend server has to provide information about the expiration time of the password. If this information is missing, sssd cannot display a warning."
Maybe we can clarify this more?
The problem is that we were treating pam_pwd_expiration_warning as seconds, but the value that is read from the configuration is in days.
milestone: NEEDS_TRIAGE => SSSD 1.9.4
priority: major => blocker
status: new => assigned
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
to comment on this ticket.