commit 2d94a794e321e628670cc94ba71be2d1dad9c28b Author: Florian Best Date: Tue Dec 19 12:30:09 2017 +0100 Bug #45842: simplify shadowLastChange behavior by setting 0 if password should be changed on next login
diff --git a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
index 523bea6..7899128 100644
--- a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
+++ b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
@@ -2030,29 +2030,31 @@ def _modlist_password_change(self, ml):
 pwd_change_next_login = self.hasChanged('pwdChangeNextLogin') and self['pwdChangeNextLogin'] == '1'
 unset_pwd_change_next_login = self.hasChanged('pwdChangeNextLogin') and self['pwdChangeNextLogin'] == '0'
+ old_shadow_last_change = self.oldattr.get('shadowLastChange', [''])[0]
+ old_shadow_max = self.oldattr.get('shadowMax', [''])[0]
+ shadow_last_change = old_shadow_last_change
+ shadow_max = old_shadow_max
+
 if pwd_change_next_login:
- # force user to change password on next login
- shadowMax = "1"
- elif not pwhistoryPolicy.expiryInterval or unset_pwd_change_next_login:
- # 1. no pw expiry interval is defined or
- # 2. remove that user has to change password on next login
- shadowMax = ''
+ shadow_last_change = '0'
+ elif modifypassword or (unset_pwd_change_next_login and old_shadow_last_change == '0') or (pwhistoryPolicy.expiryInterval and not old_shadow_last_change):
+ # 1. The password was changed
+ # 2. User doesn't need to change password on next login anymore
+ # 3. a password history policy exists but no last password change date
+ shadow_last_change = str(int(long(time.time()) / 3600 / 24))
+
+ if pwhistoryPolicy.expiryInterval:
+ # a password history policy exists
+ shadow_max = pwhistoryPolicy.expiryInterval
 else:
- shadowMax = pwhistoryPolicy.expiryInterval
-
- old_shadowMax = self.oldattr.get('shadowMax', [''])[0]
- if old_shadowMax != shadowMax:
- ml.append(('shadowMax', old_shadowMax, shadowMax))
+ # no password history policy exists anymore (could be removed)
+ shadow_max = ''
- now = (long(time.time()) / 3600 / 24)
- shadowLastChange = ''
- if pwhistoryPolicy.expiryInterval or unset_pwd_change_next_login:
- shadowLastChange = str(int(now))
- if pwd_change_next_login:
- shadowLastChange = str(int(now) - int(shadowMax) - 1)
+ if old_shadow_last_change != shadow_last_change:
+ ml.append(('shadowLastChange', old_shadow_last_change, shadow_last_change))
- if shadowLastChange: # FIXME: this check causes, that the value is not unset. Is this correct?
- ml.append(('shadowLastChange', self.oldattr.get('shadowLastChange', [''])[0], shadowLastChange))
+ if old_shadow_max != shadow_max:
+ ml.append(('shadowMax', old_shadow_max, shadow_max))
 # if pwdChangeNextLogin has been set, set sambaPwdLastSet to 0 (see UCS Bug #17890)
 # OLD behavior was: set sambaPwdLastSet to 1 (see UCS Bug #8292 and Samba Bug #4313)
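Review bot: In the new `elif`, the bare `modifypassword` term writes today's day count over shadowLastChange whenever the first branch does not fire, and that branch requires `hasChanged('pwdChangeNextLogin')`, so a password reset on an account whose stored shadowLastChange is already '0' appears to drop the pending forced change without anyone unsetting it. Whether that is intended depends on how pwdChangeNextLogin is populated and reset outside this hunk, which is not visible here; if it is intended, state the precedence above the branch, e.g. `# a new password always ends a pending change-on-next-login unless it is requested again in the same modification`. Comment item 2 should also say that it only applies when the old value was '0', since that is what the condition tests. The initial `shadow_max = old_shadow_max` is dead, because both arms of the later `if pwhistoryPolicy.expiryInterval:` / `else:` overwrite it. _modlist_password_change begins above the hunk and continues past it.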