Univention Bugzilla – Bug 47595
Value of "passwordexpiry" is reset by the s4-connector
Last modified: 2019-03-16 22:02:53 CET
A customer reported that if a school-admin resets the password of a teacher, the flag 'pwdMustChangeNextLogin' is reset by the s4-connector immediately. The flag 'pwdMustChangeNextLogin' is set by default.

univention-app info
UCS: 4.3-1 errata126
Installed: cups=2.2.1 dhcp-server=12.0 kvm=2.8 samba4=4.7 squid=3.5 ucsschool=4.3 v4 uvmm=7.0

ii univention-s4-connector 12.0.2-23A~4.3.0.201808071734

The s4-connector logfile with debug level 4 can be found at the ticket 2018081021000484.
Further debugging has shown that this is primarily a display problem. The user's password has effectively expired, but the UDM property "passwordexpiry" returns "None". The appendix contains all LDAP changes of uid=m.mouse from 2018-08-10 of the customer. The first two changes are triggered by the UMC module "Passwörter (Lehrer)". The schooladmin h.simpson sets the password of m.mouse to a user-defined value and the UDM property pwdChangeNextLogin is set to 1. This change is performed in two distinct LDAP changes because of Bug 46067. You can see that the S4-Connector/UDM changes the LDAP attributes relevant for the password process to an equivalent when the user object is changed (the third change in the log):

Old values:
shadowLastChange: 17751
shadowMax: 1
krb5PasswordEnd: 20180810000000Z

New values:
shadowLastChange: 0
sambaPwdMustChange: 0

In unmapPasswordExpiry() in users/user.py, shadowLastChange != 0 and shadowMax != 0 are checked to show a password expiration date. The UDM property "passwordexpiry" is used in the UMC module "Passwords (Teachers)" to indicate when the password must be changed. It was expected that the value "Now" would be displayed in the column. However, "Never" is still returned because "passwordexpiry" is set to "None". I currently have no idea whether this is a problem in UDM or the S4-Connector.
Created attachment 9628: directory logger logfile

Additional note: whether the S4-Connector makes its "third" change in LDAP depends, among other things, on whether the same password is reused and whether the password had already expired before the change.
The UDM/S4 behaviour breaks a new, long requested UCS@school feature: the UCS@school password reset module shows "never" for the number of days left until the password has to be changed (instead of "now").
(In reply to Sönke Schwardt-Krummrich from comment #3)
> The UDM/S4 behaviour breaks a new, long requested UCS@school feature:
> the UCS@school password reset module shows "never" for the number of days
> left until the password has to be changed (instead of "now").

This happened in another school environment. This is very confusing for the customer.
I also fixed Bug #45282 because it touches the same code paths. The first commit also fixes Bug #47508:

1c9b6d9af5 | Don't remove shadowMax and krb5PasswordEnd and don't reset shadowLastChange to 0
6373405003 | Refactor to improve log message for newpwdlastset
7ccc957a0c | Bug #47595 & Bug #45282: Changelog
900d47fc2d | Merge branch 'arequate/bug47595' into 4.3-2
83a2f0a248 | Bug #45282 & Bug #47595: Advisory
Note: I had to revise my commit for Bug 47508 (see Bug 47508 Comment 6):

24fc6d4923 | Don't remove krb5PasswordEnd
Works: the connector sets shadowMax=1 for "pwd change on next login", otherwise to the policy value or None.

OK - s4 connector test
OK - ucsschool Passwords module
OK - password change via UCS
OK - password change via Samba
OK - YAML
<http://errata.software-univention.de/ucs/4.3/237.html>