The nightly test test_user.py::test_user::test_password_expiration_notification is failing, see PR #1917 with the following logs and report.
test_user.py::test_user::test_password_expiration_notification
Test scenario (all the steps are done using the GUI):
[Image: reset_pwd.png]
The user should be able to login but the reset pwd operation fails:
[Image: invalid_pwd.png]
The expected result would be a successful reset + successful login + a notification of close password expiration in the top right corner of the browser:
[Image: notification.png]
The defaults are tricky.
For grace, -1 means disabled and this is the default in the global policy. 0 means no grace logins are allowed.
A group policy defaults to being empty. Empty values are treated as 0.
So a new group policy will not allow grace logins.
Group policies have never inherited values from the global policy.
Maybe in this case it should. I could argue both ways though.
Metadata Update from @rcritten: - Issue assigned to rcritten
Using Carla's PR https://github.com/freeipa/freeipa/pull/6388 which adds gracelimit to the UI I updated the group policy to set grace to -1 and now the test user login succeeds.
Metadata Update from @frenaud: - Issue tagged with: webui
The decision is to set all group policies to match the global policy on creation.
Any existing group policy with no grace policy set will get the global policy during upgrades.
PR https://github.com/freeipa/freeipa/pull/6397
Metadata Update from @rcritten: - Issue untagged with: webui
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2115475 https://bugzilla.redhat.com/show_bug.cgi?id=2115495
Reproducible in testing_master_latest PR 1927 Report
Reproducible in testing_master_latest PR 1937 Report
We identified 4 possible solutions:
Option A: When creating new pwpolicy use the global pwpolicy value. Also on upgrades if no gracelimit is set, use global policy value.
Option B: -1 for new policies, ignoring “global_policy”. If grace is not already set, set existing group policies to -1 on upgrade.
Option C: switch meaning of “-1” and “0” (?) to “-1 (no bind allowed)” “0 (unlimited)”
Option D: Different default? 5? ….
The team has chosen option B.
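The grace-limit semantics discussed in this ticket, modelled as an added example (not FreeIPA code and not part of the original thread). The function names, the dictionary layout and the sample policies are hypothetical; only the meanings of -1, 0 and an empty value, and options A and B, come from the comments above.

```python
from typing import Dict, List, Optional

UNLIMITED = -1           # "-1 means disabled": grace logins are not limited
GLOBAL = "global_policy"

# Constructed sample: policy name -> stored grace limit (None = value is empty)
SAMPLE: Dict[str, Optional[int]] = {GLOBAL: -1, "editors": None, "auditors": 3}


def effective_limit(stored: Optional[int]) -> int:
    """Empty values are treated as 0, so an unset limit allows no grace logins."""
    return 0 if stored is None else stored


def expired_bind_allowed(stored: Optional[int], grace_used: int) -> bool:
    """Can a user whose password has expired still bind?"""
    limit = effective_limit(stored)
    return limit == UNLIMITED or grace_used < limit


def unset_group_policies(policies: Dict[str, Optional[int]]) -> List[str]:
    """Group policies hit by this ticket: nothing stored, nothing inherited."""
    return sorted(n for n, v in policies.items() if n != GLOBAL and v is None)


def upgrade_option_a(policies: Dict[str, Optional[int]]) -> Dict[str, int]:
    """Option A: fill empty group policies from the global policy value."""
    g = effective_limit(policies.get(GLOBAL))
    return {n: (g if v is None else v) for n, v in policies.items()}


def upgrade_option_b(policies: Dict[str, Optional[int]]) -> Dict[str, int]:
    """Option B (chosen): fill empty group policies with -1, ignoring global."""
    return {n: (UNLIMITED if v is None else v) for n, v in policies.items()}


if __name__ == "__main__":
    print("affected before upgrade:", unset_group_policies(SAMPLE))
    for name, stored in upgrade_option_b(SAMPLE).items():
        print(name, stored, expired_bind_allowed(stored, grace_used=0))
```

Options A and B give the same result only while the global policy is still at its default of -1; once an administrator changes the global value they diverge.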
master:
ipa-4-9:
ipa-4-10:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)