changing password with ldap_password_policy = shadow does not take effect immediately #6477
pbrezina
added a commit
to pbrezina/sssd
that referenced
this issue
Dec 8, 2022
Otherwise pam can use the changed information when id caching is enabled, so the next authentication that fits into the id timeout (5 seconds by default) will still see the password as expired. Resolves: SSSD#6477
alexey-tikhonov
pushed a commit
that referenced
this issue
Dec 16, 2022
Otherwise pam can use the changed information when id caching is enabled, so the next authentication that fits into the id timeout (5 seconds by default) will still see the password as expired. Resolves: #6477 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 7e8b97c)
etrunko
pushed a commit
to etrunko/sssd
that referenced
this issue
Oct 11, 2023
Otherwise pam can use the changed information when id caching is enabled, so the next authentication that fits into the id timeout (5 seconds by default) will still see the password as expired. Resolves: SSSD#6477 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 7e8b97c)
etrunko
pushed a commit
to etrunko/sssd
that referenced
this issue
Oct 11, 2023
Otherwise pam can use the changed information when id caching is enabled, so the next authentication that fits into the id timeout (5 seconds by default) will still see the password as expired. Resolves: SSSD#6477 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit 7e8b97c)
This is a bug in a new feature implemented in https://bugzilla.redhat.com/show_bug.cgi?id=1507035
It does not show itself during manual testing, only during automation, when there are two consecutive ssh login attempts.
The first ssh login says the password is expired, and the password is correctly changed.
The second login attempt, however, does not refresh the user record because it happened sooner than pam_id_timeout (default 5 seconds), and therefore sssd thinks that the user's password is still expired.
The successful password change should also update shadowLastUpdate in cache.
The bug can be reproduced with the new test framework: https://github.com/pbrezina/sssd-tests-poc
The test is:
import pytest

# Client, LDAP and KnownTopology are the fixtures/types provided by the sssd-tests-poc framework.

@pytest.mark.topology(KnownTopology.LDAP)
def test_shadow(client: Client, ldap: LDAP):
    # Let users modify their own userPassword so the expired-password change can succeed.
    ldap.aci.add('(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)')
    # shadowLastChange=0 marks the password as expired (must be changed at next login).
    ldap.user('shadowuser1').add(
        shadowMin=0, shadowMax=99999, shadowWarning=7, shadowLastChange=0,
        password='Secret123'
    )
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2144893
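As an added illustration (not SSSD code and not the reporter's test), the following Python models the pam_id_timeout window described in this issue: on the broken path the cached shadowLastChange stays at 0 after the change, on the fixed path it is mirrored into the cache. The Sssd class, two_logins, the timestamp and the LDAP entry are constructed for the model and are not SSSD internals.

```python
"""Model of the SSSD#6477 cache race (added example, not SSSD code).

SSSD serves PAM from its cached user entry and re-reads LDAP only once the
cached copy is older than pam_id_timeout.  Class and field names here are
assumptions made for the model, not SSSD internals.
"""
from dataclasses import dataclass, field

PAM_ID_TIMEOUT = 5  # seconds; the SSSD default named in the issue
DAY = 86400


def shadow_expired(entry: dict, now: float) -> bool:
    """Shadow semantics: shadowLastChange == 0 forces a change at next login;
    otherwise the password expires shadowMax days after the last change."""
    last = entry["shadowLastChange"]
    return last == 0 or int(now // DAY) > last + entry["shadowMax"]


@dataclass
class Sssd:
    ldap: dict                  # constructed stand-in for the LDAP server entry
    fixed: bool                 # True = password change also updates the cache
    cache: dict = field(default_factory=dict)
    cached_at: float = float("-inf")

    def lookup(self, now: float) -> dict:
        # Re-fetch from LDAP only when the cached entry is older than pam_id_timeout.
        if now - self.cached_at > PAM_ID_TIMEOUT:
            self.cache, self.cached_at = dict(self.ldap), now
        return self.cache

    def authenticate(self, now: float) -> str:
        """PAM result of a login: 'expired' or 'ok'."""
        return "expired" if shadow_expired(self.lookup(now), now) else "ok"

    def change_password(self, now: float) -> None:
        self.ldap["shadowLastChange"] = int(now // DAY)
        if self.fixed:  # the fix: mirror the new shadowLastChange into the cache
            self.cache["shadowLastChange"] = self.ldap["shadowLastChange"]


def two_logins(fixed: bool, gap: float = 1.0) -> tuple:
    """The automated scenario: login (expired), change password, log in again after `gap` s."""
    now = 1_700_000_000.0  # constructed timestamp
    sssd = Sssd(ldap={"shadowLastChange": 0, "shadowMax": 99999}, fixed=fixed)
    first = sssd.authenticate(now)
    if first == "expired":
        sssd.change_password(now)
    return first, sssd.authenticate(now + gap)
```

With the fix, `two_logins(True)` returns `("expired", "ok")`; without it, a second login within the timeout returns `("expired", "expired")`, while a gap longer than pam_id_timeout hides the bug, which is why it only showed up in automation.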