#2136 Improve grace login warning against OpenLDAP server
Closed: wontfix 4 years ago by pbrezina. Opened 10 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1024744

Description of problem:
Improve grace login warning against OpenLDAP server

Version-Release number of selected component (if applicable):
1.9.2-129

How reproducible:
Always

Steps to Reproduce:
1. On openldap server, set pwdGraceAuthNLimit to 2

2. Try to auth from another sssd client

1st Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 2 grace login(s) remaining.
Last login: Thu Oct 10 14:53:33 2013 from localhost
-bash-4.1$ logout

2nd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Your password has expired. You have 1 grace login(s) remaining.
Last login: Thu Oct 10 15:01:01 2013 from localhost
-bash-4.1$ logout

3rd Attempt:
# ssh -l tuuser localhost
tuuser@localhost's password:
Password expired. Change your password now. <== Should have shown 0 grace login
Last login: Thu Oct 10 15:01:16 2013 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuuser.
Current Password:


Actual results:
3rd attempt shows password expired.

Expected results:
3rd attempt against 389-ds server shows 0 grace login remains. There should be
consistency against openldap server too.

Additional info:

Fields changed

design_review: => 0
milestone: NEEDS_TRIAGE => SSSD 1.13 beta
review: True => 0
testsupdated: => 0

Fields changed

mark: => 0

Fields changed

owner: somebody => preichl

Fields changed

milestone: SSSD 1.13 beta => SSSD 1.13 backlog
priority: major => trivial

Mass-moving tickets not planned for any immediate release and re-setting priority.

milestone: SSSD 1.13 backlog => SSSD Deferred
priority: trivial => major

The OpenLDAP server and the 389 Directory Server (389 DS) treat grace logins differently. 389 DS treats them as the number of grace logins left, while OpenLDAP treats them as the number of grace logins used. Currently, SSSD only handles the semantics used by 389 DS. As a result, when using OpenLDAP, the grace password warning can be incorrect.

sensitive: => 0

Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3178

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
