#1999 shadowLastChange updates even when PAM reports password change failed
Closed: Fixed. Opened 10 years ago by jimjcollins.

Description:

The ldap_auth.c code which was added to SSSD for updating shadowLastChange when the "ldap_chpass_update_last_change" option is enabled updates shadowLastChange
even when the PAM password change status reports failure.

We should only update shadowLastChange on PAM password change success, or we open up a workaround for users to avoid changing their passwords periodically as required by policy. The user simply attempts to change their password and fails by trying to set a new password which is invalid (denied due to the password history check), yet shadowLastChange is updated, avoiding their need to actually change the password they are using.

How reproducible:

  1. Enforce ppolicy on OpenLDAP server.
  2. Enable "ldap_chpass_update_last_change" in sssd.conf and restart.
  3. Attempt to change the password, using a new password which fails to meet ppolicy requirements (e.g. a previously used password which is present in the password history).

Actual results:

Password change fails, but shadowLastChange for the user entry is updated anyway.

User POV:
[jcvm20:~]$ passwd
Changing password for user jcollins.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Password is in history of old passwords
passwd: all authentication tokens updated successfully
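To make the policy gap described above concrete, here is an added Python model of the two code paths (this is illustration written for this page, not SSSD's ldap_auth.c; the LDAP server stand-in, the user entry, the password history and the dates are all constructed). It replays the reporter's scenario, a change attempt rejected by the ppolicy history check, against the pre-fix and post-fix behaviour and shows whether the user's expired password still counts as expired afterwards.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)


def days_since_epoch(day: date) -> int:
    """shadowLastChange is stored as whole days since 1970-01-01."""
    return (day - EPOCH).days


def ldap_server_chpass(password_history, new_password):
    """Constructed stand-in for an OpenLDAP server with ppolicy history
    checking enabled. Returns (status, message) as seen in the PAM
    conversation; the message text mirrors the one in the report."""
    if new_password in password_history:
        return "failure", "Password is in history of old passwords"
    return "success", None


def chpass_before_fix(entry, server_status, today):
    """Behaviour described in the report: shadowLastChange is refreshed
    regardless of what the server said about the password change."""
    updated = dict(entry)
    updated["shadowLastChange"] = days_since_epoch(today)
    return updated


def chpass_after_fix(entry, server_status, today):
    """Corrected behaviour: only a successful change moves the timestamp."""
    updated = dict(entry)
    if server_status == "success":
        updated["shadowLastChange"] = days_since_epoch(today)
    return updated


def password_expired(entry, today):
    """Simplified shadow(5) aging rule: the password has expired once more
    than shadowMax days have passed since shadowLastChange."""
    age = days_since_epoch(today) - int(entry["shadowLastChange"])
    return age > int(entry["shadowMax"])


def demo():
    """Replays the reporter's scenario against both code paths and returns
    the expiry state after each. All values below are constructed."""
    today = EPOCH + timedelta(days=19100)
    entry = {"uid": "jcollins", "shadowLastChange": 19000, "shadowMax": 90}
    history = {"Winter2013!"}  # constructed old password in the history
    # The user re-submits a password that is still in the history.
    status, msg = ldap_server_chpass(history, "Winter2013!")
    before = chpass_before_fix(entry, status, today)
    after = chpass_after_fix(entry, status, today)
    return {
        "server_status": status,
        "server_message": msg,
        "expired_initially": password_expired(entry, today),
        "expired_before_fix": password_expired(before, today),
        "expired_after_fix": password_expired(after, today),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the pre-fix path the failed attempt resets shadowLastChange to today, so a password that was 100 days old under a 90-day shadowMax no longer reads as expired; with the post-fix path the attribute is left alone and the expiry still applies. When auditing a directory for this, compare each user's shadowLastChange against the server's own password-modify audit trail: a timestamp that moves without a matching successful modify is the signature of this bug.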


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.1

Fixed by:
- 1e7275d (master)
- 5fe91dc (sssd-1-10)

changelog: => Due to a bug in the way we processed password-change events, it was possible for a user to reset the shadowLastChange attribute in LDAP without actually having changed their password successfully. With this patch, SSSD will properly detect the success or failure of the password-change operation before updating the shadowLastChange attribute.
component: SSSD => LDAP Provider
resolution: => fixed
status: new => closed

Metadata Update from @jimjcollins:
- Issue set to the milestone: SSSD 1.10.1

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3041

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

