
sssd doesn't allow user with expired password to login when PasswordgraceLimit set #4620

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments
Labels
Bugzilla Closed: Fixed Issue was closed as fixed.

Comments


sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3597


Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1522928

Description of problem:

When a user's password is expired and passwordGraceLimit is set to 3, the
user is allowed to log in 3 times before password expiry is forced. In earlier
versions of 389-ds-base (i.e. 389-ds-base-1.3.7.5-4.el7 and above), the password
expired control was not sent and sssd would allow the expired user to attempt
login till passwordGracelimit is 0.

The following messages are seen in the sssd logs:


(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [sdap_process_result]
(0x2000): Trace: sh[0x562ee6fec900], connected[1], ops[0x562ee70c15f0],
ldap[0x562ee70bf260]
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_BIND]
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [simple_bind_done]
(0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [simple_bind_done]
(0x1000): Password Policy Response: expire [-1] grace [4] error [No error].
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [simple_bind_done]
(0x1000): Password expired. [4] grace logins remaining.
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [simple_bind_done]
(0x0400): Bind result: Success(0), no errmsg set
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [sdap_op_destructor]
(0x2000): Operation 3 finished
(Wed Dec  6 23:35:36 2017) [sssd[be[EXAMPLE.TEST]]] [auth_bind_user_done]
(0x4000): Found ppolicy data, assuming LDAP password policies are active.


After updating 389-ds to 389-ds-base-1.3.7.5-10.el7, for expired users with a
grace period 389-ds now sends the password expired control, causing sssd
to not allow the user to log in even though the GraceLimit is set and the user is
allowed to make a certain number of login attempts till the GraceLimit expires (0).

Version-Release number of selected component (if applicable):

sssd-1.16.0-9.el7.x86_64
389-ds-base-1.3.7.5-10.el7


How reproducible:


Steps to Reproduce:
1. Configure sssd to authenticate to the LDAP server
[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam, ifp

[domain/EXAMPLE.TEST]
enumerate = false
id_provider = ldap
ldap_uri = ldap://vm-idm-033.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = ldap

[nss]
debug_level = 9

[pam]
debug_level = 9
offline_credentials_expiration = 0



2. Create a foo1 user on 389-ds

3. Set password policy with passwordMaxAge=1, passwordExp=on, and
passwordGracelimit=3

4. Log in as the foo1 user.

Actual results:

The user will be prompted to immediately change their password:
[root@vm-idm-033 ~]# ssh -o StrictHostKeyChecking=no -l foo1 localhost
foo1@localhost's password:
Password expired. Change your password now.
Last login: Wed Dec  6 22:02:57 2017 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user foo1.
Current Password:


Expected results:

The user should not be prompted for a password change until the gracelimit expires
(or becomes 0).



Additional info:

Comments


Comment from jhrozek at 2017-12-07 17:43:54

Metadata Update from @jhrozek:


Comment from jhrozek at 2018-01-04 13:28:14

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 1.16.2

Comment from jhrozek at 2018-03-20 13:41:11

Metadata Update from @jhrozek:

  • Issue priority set to: major

Comment from jhrozek at 2018-06-05 15:07:32

Since we are near the 1.16.2 release and this ticket has no PR yet, it will slip into 1.16.3.


Comment from jhrozek at 2018-06-05 15:07:35

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 1.16.3 (was: SSSD 1.16.2)

Comment from fidencio at 2018-07-20 12:27:06

Metadata Update from @fidencio:

  • Issue assigned to fidencio

Comment from fidencio at 2018-07-20 12:27:22

PR: #621


Comment from fidencio at 2018-07-20 12:27:22

Metadata Update from @fidencio:

  • Issue tagged with: PR

Comment from jhrozek at 2018-07-26 11:31:09


Comment from jhrozek at 2018-07-26 11:31:26

Metadata Update from @jhrozek:

  • Issue close_status updated to: Fixed
  • Issue status updated to: Closed (was: Open)
@sssd-bot sssd-bot added Bugzilla Closed: Fixed Issue was closed as fixed. labels May 2, 2020
@sssd-bot sssd-bot closed this as completed May 2, 2020