Learn more about these different git repos.
Other Git URLs
https://bugzilla.redhat.com/show_bug.cgi?id=896476 (Red Hat Enterprise Linux 6)
Description of problem: This issue was observed during the testing of SSSD new feature pam_pwd_expiration_warning which was set to 3 days in sssd.conf, while keeping LDAP attributes passwordMaxAge = 3 days and passwordWarning = 2 days. In this case, when a user logs in 3 days prior to password Max age, user should see a password expiry warning OR the log files should show warning messages. Both the log files, ie /var/log/secure and SSSD_Domain log file doesn't show any warning message. So, i am assuming that SSSD is honouring passwordWarning LDAP attribute which has a lower value than pam_pwd_expiration_warning. Version-Release number of selected component (if applicable): SSSD Version: sssd-1.9.2-41.el6.x86_64 How reproducible: Always Steps to Reproduce: 1. Add an LDAP user and set the following attributes in LDAP Server: passwordMaxAge = 259200 (3 days) passwordWarning: 180000 (2.083 days) 2. Add "pam_pwd_expiration_warning = 3" in [pam] section of sssd.conf. See the conf details below: [sssd] config_file_version = 2 sbus_timeout = 30 services = nss, pam domains = LDAP [nss] filter_groups = root filter_users = root debug_level = 9 [domain/LDAP] debug_level=9 id_provider = ldap auth_provider = ldap ldap_uri = ldap://$SERVERS ldap_tls_cacert = /etc/openldap/certs/cacert.asc ldap_search_base = dc=example,dc=com [pam] debug_level = 9 pam_pwd_expiration_warning = 3 3. Clear the cache and restart sssd service, if already running. 4. Authenticate the user and verify the /var/log/secure and SSSD_DOMAIN log files. Actual results: Upon login, user is not shown password expiry message. Also, both the log files, ie /var/log/secure and SSSD_Domain log file doesn't show any warning message. I am assuming that SSSD is honouring passwordWarning attribute which has a lower value than pam_pwd_expiration_warning. Expected results: SSSD should show warning during user login and the same should be logged in log files as well. Additional info:
Fields changed
blockedby: => blocking: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => owner: somebody => jhrozek selected: => testsupdated: => 0
I would say it is not a bug but rather a feature.
LDAP will tell us that the password is about to expire only when passwordWarning is hit. So if pam_pwd_expiration is greater than passwordWarning, we don't get any echo from LDAP and thus the warning is not printed sooner.
The man page says: "Please note that the backend server has to provide information about the expiration time of the password. If this information is missing, sssd cannot display a warning." Maybe we can clarify this more?
The problem is that we were treating pam_pwd_expiration_warning as seconds, but the value that is read from the configuration is in days.
milestone: NEEDS_TRIAGE => SSSD 1.9.4 priority: major => blocker status: new => assigned
patch: 0 => 1
resolution: => fixed status: assigned => closed
Metadata Update from @jhrozek: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.9.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2815
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.