Bug 47595 - Value of "passwordexpiry" is reset by the s4-connector
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3-2-errata
Assigned To: Arvid Requate
Felix Botner
Depends on: 36317
Blocks: 47518
Reported: 2018-08-16 11:58 CEST by Christina Scheinig
Modified: 2019-03-16 22:02 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Ticket number: 2018081021000484, 2018082221000489
Bug group (optional): Usability
Max CVSS v3 score:

directory logger logfile (3.92 KB, text/plain)
2018-08-16 15:11 CEST, Sönke Schwardt-Krummrich

Description Christina Scheinig univentionstaff 2018-08-16 11:58:04 CEST
A customer reported that if a school admin resets the password of a teacher, the flag
'pwdMustChangeNextLogin' is reset by the s4-connector immediately.

The flag 'pwdMustChangeNextLogin' is set by default.

univention-app info
UCS: 4.3-1 errata126
Installed: cups=2.2.1 dhcp-server=12.0 kvm=2.8 samba4=4.7 squid=3.5 ucsschool=4.3 v4 uvmm=7.0

ii  univention-s4-connector             12.0.2-23A~

The s4-connector logfile with debug level 4 can be found at the ticket 2018081021000484
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2018-08-16 14:54:53 CEST
Further debugging has shown that this is primarily a display problem. The user's password has expired effectively, but the UDM property "passwordexpiry" returns "None". 
The appendix contains all LDAP changes of uid=m.mouse from 2018-08-10 of the customer. The first two changes are triggered by the UMC module "Passwörter (Lehrer)". The schooladmin h.simpson sets the password of m.mouse to a user-defined value and the UDM property pwdChangeNextLogin is set to 1. This change is performed in two distinct LDAP changes because of Bug 46067.

You can see that the S4-Connector/UDM changes the LDAP attributes relevant for the password process to an equivalent when the user object is changed (the third change in the log):

Old values:
shadowLastChange: 17751
shadowMax: 1
krb5PasswordEnd: 20180810000000Z

New values:
shadowLastChange: 0
sambaPwdMustChange: 0

In unmapPasswordExpiry() in users/user.py shadowLastChange != 0 and shadowMax != 0 are checked to show a password expiration date.
The UDM property "passwordexpiry" is used in the UMC module "Passwords (Teachers)" to indicate when the password must be changed. It was expected that the value "Now" would be displayed in the column. However, "Never" is still returned because "passwordexpiry" is set to "None".

I have currently no idea if this is a problem in UDM or S4-Connector.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2018-08-16 15:11:05 CEST
Created attachment 9628
directory logger logfile

Additional note: whether the S4-Connector makes its "third" change in LDAP depends, among other things, on whether the same password is reused and whether the password had already expired before the change.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2018-08-20 09:28:30 CEST
The UDM/S4 behaviour breaks a new, long requested UCS@school feature:
the UCS@school password reset module shows "never" for the number of days left until the password has to be changed (instead of "now").
Comment 4 Christina Scheinig univentionstaff 2018-08-24 10:29:13 CEST
(In reply to Sönke Schwardt-Krummrich from comment #3)
> The UDM/S4 behaviour breaks a new, long requested UCS@school feature:
> the UCS@school password reset module shows "never" for the number of days
> left until the password has to be changed (instead of "now").

This happened in another school environment. This is very confusing for the customer.
Comment 5 Arvid Requate univentionstaff 2018-09-05 00:53:50 CEST
I also fixed Bug #45282 because it touches the same code paths.

The first commit also fixes Bug #47508:

1c9b6d9af5 | Don't remove shadowMax and krb5PasswordEnd and
             don't reset shadowLastChange to 0
6373405003 | Refactor to improve log message for newpwdlastset
7ccc957a0c | Bug #47595 & Bug #45282: Changelog
900d47fc2d | Merge branch 'arequate/bug47595' into 4.3-2
83a2f0a248 | Bug #45282 & Bug #47595: Advisory
Comment 6 Arvid Requate univentionstaff 2018-09-05 16:41:04 CEST
Note: I had to revise my commit for Bug 47508 (see Bug 47508 Comment 6):

24fc6d4923 | Don't remove krb5PasswordEnd
Comment 7 Felix Botner univentionstaff 2018-09-13 09:41:19 CEST
Works: the connector sets shadowMax=1 for "pwd change on next login", otherwise to the policy value or None.

OK - s4 connector test
OK - ucsschool Passwords module
OK - password change via UCS 
OK - password change via Samba

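The following is an added example, not code from UDM, the S4-Connector or this bug's commits. It models the "passwordexpiry" check that comment 1 describes (an expiry date is only derived when both shadowLastChange and shadowMax are present and non-zero) and the two connector behaviours discussed in comments 1, 5 and 7: the rewrite that reset shadowLastChange to 0 and dropped shadowMax, and the fixed behaviour that keeps the attributes and sets shadowMax=1 for "change on next login". The LDAP attribute names and the values 17751 / 1 / 20180810000000Z are taken from comment 1; the function names, the date of the log (2018-08-10) used as "today", and the simplified rewrite are assumptions made for this example.

```python
"""
Added example: a simplified model of the passwordexpiry derivation from
comment 1 and of the S4-Connector rewrite before and after the fix in
comment 5/7. This is not UDM's or the connector's own code.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# Assumption: the day of the customer's log excerpt is used as "today".
LOG_DATE = date(2018, 8, 10)

# Attribute values as listed under "Old values" in comment 1
# (LDAP multi-valued attributes are modelled as lists of strings).
OLD_VALUES = {
    "shadowLastChange": ["17751"],
    "shadowMax": ["1"],
    "krb5PasswordEnd": ["20180810000000Z"],
}


def posix_days_to_date(days):
    """shadowLastChange and shadowMax count days since 1970-01-01."""
    return (EPOCH + timedelta(days=days)).isoformat()


def unmap_password_expiry(attrs):
    """Model of the check described in comment 1: return an ISO date when
    shadowLastChange != 0 and shadowMax != 0, otherwise None (which the
    UMC module renders as "Never")."""
    last_change = int(attrs.get("shadowLastChange", ["0"])[0])
    shadow_max = int(attrs.get("shadowMax", ["0"])[0])
    if last_change != 0 and shadow_max != 0:
        return posix_days_to_date(last_change + shadow_max)
    return None


def connector_rewrite(attrs, fixed):
    """Model of the 'third' LDAP change from comment 1 when
    'change password on next login' is requested.

    fixed=False: the reported behaviour (shadowLastChange reset to 0,
                 shadowMax and krb5PasswordEnd removed, sambaPwdMustChange=0).
    fixed=True:  the behaviour after the fix (attributes kept, shadowMax=1
                 as described in comment 7). Simplified model, not the
                 connector's mapping code."""
    new = dict(attrs)
    if fixed:
        new["shadowMax"] = ["1"]
        return new
    new["shadowLastChange"] = ["0"]
    new.pop("shadowMax", None)
    new.pop("krb5PasswordEnd", None)
    new["sambaPwdMustChange"] = ["0"]
    return new


def days_left_label(expiry_iso, today=LOG_DATE):
    """What the UCS@school password reset module would show for the
    'days left until the password has to be changed' column."""
    if expiry_iso is None:
        return "never"
    remaining = (date.fromisoformat(expiry_iso) - today).days
    return "now" if remaining <= 0 else str(remaining)


if __name__ == "__main__":
    cases = (
        ("before connector rewrite", OLD_VALUES),
        ("after buggy rewrite", connector_rewrite(OLD_VALUES, fixed=False)),
        ("after fixed rewrite", connector_rewrite(OLD_VALUES, fixed=True)),
    )
    for label, attrs in cases:
        expiry = unmap_password_expiry(attrs)
        print(f"{label:26s} passwordexpiry={expiry} -> {days_left_label(expiry)}")
```

Running it shows the chain from comment 1: the original values yield an expiry date in the past (hence "now"), the buggy rewrite turns "passwordexpiry" into None and therefore "never", and keeping shadowLastChange with shadowMax=1 restores the expected "now".
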
Comment 8 Philipp Hahn univentionstaff 2018-09-19 11:23:43 CEST