Univention Bugzilla – Bug 47802
Uncheck "User has to change password on next login" removes shadowMax (although there is a global pw policy)
Last modified: 2021-05-03 21:48:26 CEST
I have a user with

shadowMax: 40
shadowLastChange: 17745
sambaPwdLastSet: 0
krb5PasswordEnd: 20180912000000Z

shadowMax 40 comes from the default pw policy

DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=four,dc=three
  expiryInterval: 40
  ldapFilter: None
  length: 3
  name: default-settings
  pwLength: 8
  pwQualityCheck: None

Now I set "User has to change password on next login" and save, then uncheck "User has to change password on next login" again and shadowMax is now gone. There is no password expiry for this user now.

This seems to be an issue in users/user _modlist_password_expiry(). We should set the shadowMax to the value of pwhistoryPolicy.expiryInterval if existing or ''

I also do not understand

  if not pwhistoryPolicy.expiryInterval and not self.hasChanged('pwdChangeNextLogin'):
      # An empty field means that password aging features are disabled.
      shadowLastChange = ''

Why would we ever need to unset shadowLastChange?
(In reply to Felix Botner from comment #0)
> I also do not understand
>
> if not pwhistoryPolicy.expiryInterval and not
> self.hasChanged('pwdChangeNextLogin'):
> # An empty field means that password aging features are disabled.
> shadowLastChange = ''
>
> Why would we ever need to unset shadowLastChange?

The code exists for the case where the expiryInterval was removed/set to 0. Then the value must be unset.
If you have such a policy "cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=four,dc=three" with "expiryInterval: 40" then:
"not pwhistoryPolicy.expiryInterval" would not be true because expiryInterval would contain "40".
So the behavior of that line is correct. Do you agree?

It would probably be nice to have a test case for all possible combinations.

See also Bug #46067.
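
An added example, not part of the bug report and not UCS code: an audit that lists accounts left without shadowMax while the password policy still defines an expiryInterval, which is the state described in comment #0. The uids, the helper names and the simplified LDIF parsing are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Constructed sample in ldapsearch-like form; the attribute names and values
# follow the report, the two uids are made up for this example.
SAMPLE_LDIF = """\
dn: uid=user-a,cn=users,dc=four,dc=three
shadowMax: 40
shadowLastChange: 17745

dn: uid=user-b,cn=users,dc=four,dc=three
shadowLastChange: 17745
"""


def parse_entries(text):
    """Parse simple 'attr: value' blocks separated by blank lines.
    Assumes no folded lines and no base64 ('attr:: ...') values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def shadow_expiry(entry):
    """Expiry date from shadowLastChange + shadowMax (days since 1970-01-01),
    or None when either attribute is missing, i.e. the password does not age."""
    if not entry.get("shadowMax") or not entry.get("shadowLastChange"):
        return None
    days = int(entry["shadowLastChange"]) + int(entry["shadowMax"])
    return date(1970, 1, 1) + timedelta(days=days)


def users_without_expiry(entries, expiry_interval):
    """DNs lacking shadowMax although the policy sets an expiry interval."""
    if not expiry_interval:  # policy unset or 0: aging disabled on purpose
        return []
    return [e["dn"] for e in entries if not e.get("shadowMax")]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LDIF)
    print(users_without_expiry(entries, 40))
    print(shadow_expiry(entries[0]))
```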