changing password with ldap_password_policy = shadow does not take effect immediately #6477

pbrezina · 2022-12-08T14:13:56Z

This is a bug in new feature implemented in https://bugzilla.redhat.com/show_bug.cgi?id=1507035

It does not show itself during manual testing, only during automation when there are two consecutive ssh login attempts.

First ssh login says the password is expired, the password is correctly changed.

The seconds login attempt however does not refresh the user record because it happened sooner then pam_id_timeout (default 5 seconds) and therefore sssd thinks that the user's password is still expired.

The successful password change should also update shadowLastUpdate in cache.

The bug can be reproduced with the new test framework: https://github.com/pbrezina/sssd-tests-poc
The test is:

@pytest.mark.topology(KnownTopology.LDAP)
def test_shadow(client: Client, ldap: LDAP):
ldap.aci.add('(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)')
ldap.user('shadowuser1').add(
shadowMin=0, shadowMax=99999, shadowWarning=7, shadowLastChange=0,
password='Secret123'
)

# Disabling pam_id_timeout makes the test pass
# client.sssd.pam['pam_id_timeout'] = '0'
client.sssd.domain['ldap_pwd_policy'] = 'shadow'
client.sssd.domain['ldap_chpass_update_last_change'] = 'True'
client.sssd.start()

assert client.auth.ssh.password_expired('shadowuser1', 'Secret123', 'Redhat@321')
assert client.auth.ssh.password('shadowuser1', 'Redhat@321')

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2144893

The text was updated successfully, but these errors were encountered:

Otherwise pam can use the changed information whe id chaching is enabled, so next authentication that fits into the id timeout (5 seconds by default) will still sees the password as expired. Resolves: SSSD#6477

Otherwise pam can use the changed information whe id chaching is enabled, so next authentication that fits into the id timeout (5 seconds by default) will still sees the password as expired. Resolves: #6477 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 7e8b97c)

alexey-tikhonov · 2022-12-16T11:11:09Z

Pushed PR: #6478

master
- 7e8b97c - ldap: update shadow last change in sysdb as well
sssd-2-8
- d7da296 - ldap: update shadow last change in sysdb as well

Otherwise pam can use the changed information whe id chaching is enabled, so next authentication that fits into the id timeout (5 seconds by default) will still sees the password as expired. Resolves: SSSD#6477 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 7e8b97c)

pbrezina added the Bugzilla label Dec 8, 2022

pbrezina self-assigned this Dec 8, 2022

pbrezina mentioned this issue Dec 8, 2022

ldap: update shadow last change in sysdb as well #6478

Closed

alexey-tikhonov closed this as completed in 7e8b97c Dec 16, 2022

alexey-tikhonov added the Closed: Fixed Issue was closed as fixed. label Dec 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

changing password with ldap_password_policy = shadow does not take effect immediately #6477

changing password with ldap_password_policy = shadow does not take effect immediately #6477

pbrezina commented Dec 8, 2022

alexey-tikhonov commented Dec 16, 2022

changing password with ldap_password_policy = shadow does not take effect immediately #6477

changing password with ldap_password_policy = shadow does not take effect immediately #6477

Comments

pbrezina commented Dec 8, 2022

alexey-tikhonov commented Dec 16, 2022