Learn more about these different git repos.
Other Git URLs
Description:
ldap_auth.c code which was added to SSSD for updating the shadowLastChange when "ldap_chpass_update_last_change" option is enabled updates shadowLastChange even when the PAM password change status reports failure.
We should only update shadowLastChange on PAM password change success or we open up a work around for users to avoid changing their passwords periodically as required by policy. The user simply attempts to change password, fails by trying to set new password which invalid (denied due to password history check) yet shadowLastChange is updated, avoiding their need to actually change the password they are using.
How reproducible:
Actual results:
password change fails but shadowLastChange for user entry is updated anyway
User POV: [jcvm20:~]$ passwd Changing password for user jcollins. Current Password: New password: Retype new password: Password change failed. Server message: Password is in history of old passwords passwd: all authentication tokens updated successfully
0300-shadowLastChange-updates-on-failure.patch 0300-shadowLastChange-updates-on-failure.patch
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.10.1
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=979054
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=979054 979054]
Fixed by: - 1e7275d (master) - 5fe91dc (sssd-1-10)
changelog: => Due to a bug in the way we processed password-change events, it was possible for a user to reset the shadowLastChange attribute in LDAP without actually having changed their password successfully. With this patch, SSSD will properly detect the success or failure of the password-change operation before updating the shadowLastChange attribute. component: SSSD => LDAP Provider resolution: => fixed status: new => closed
Metadata Update from @jimjcollins: - Issue set to the milestone: SSSD 1.10.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3041
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.