Bug 47802 - Uncheck "User has to change password on next login" removes shadowMax (although there is a global pw policy)
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - Users
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2018-09-12 14:51 CEST by Felix Botner
Modified: 2021-05-03 21:48 CEST
Description Felix Botner univentionstaff 2018-09-12 14:51:22 CEST
I have a user with

 shadowMax: 40
 shadowLastChange: 17745
 sambaPwdLastSet: 0
 krb5PasswordEnd: 20180912000000Z

shadowMax 40 comes from the default pw policy

 DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=four,dc=three
  expiryInterval: 40
  ldapFilter: None
  length: 3
  name: default-settings
  pwLength: 8
  pwQualityCheck: None

Now I set "User has to change password on next login" and save, then uncheck "User has to change password on next login" again, and shadowMax is now gone.

There is no password expiry for this user now.

This seems to be an issue in users/user _modlist_password_expiry(). We should set the shadowMax to the value of pwhistoryPolicy.expiryInterval if existing or ''

I also do not understand

         if not pwhistoryPolicy.expiryInterval and not self.hasChanged('pwdChangeNextLogin'):
            # An empty field means that password aging features are disabled.
            shadowLastChange = ''

Why would we ever need to unset shadowLastChange?
Comment 1 Florian Best univentionstaff 2019-03-17 14:21:43 CET
(In reply to Felix Botner from comment #0)
> I also do not understand
> 
>          if not pwhistoryPolicy.expiryInterval and not self.hasChanged('pwdChangeNextLogin'):
>             # An empty field means that password aging features are disabled.
>             shadowLastChange = ''
> 
> Why would we ever need to unset shadowLastChange?

The code exists for the case where the expiryInterval was removed/set to 0. Then the value must be unset.
If you have such a policy "cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=four,dc=three" with "expiryInterval: 40" then:
"not pwhistoryPolicy.expiryInterval" would not be true because expiryInterval would contain "40".

So the behavior of that line is correct. Do you agree?

It would probably be nice to have a test case for all possible combinations.
See also Bug #46067.
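
An audit an administrator could run to find accounts left without password expiry by the behaviour reported here, as an added example that is not part of the bug report or the UCS code base: it models the shadowMax value proposed in the description and flags entries that deviate from it. The DNs, the sample entries and all function names are constructed for illustration; treating an expiryInterval of 0 as "aging disabled" is an assumption taken from comment 1.

```python
from datetime import date, timedelta

# Assumed expiryInterval of the pwhistory policy that applies to the users.
POLICY_EXPIRY_INTERVAL = "40"

# Constructed sample entries; the attribute values of the first one mirror the
# description, the second one models the state after the checkbox was toggled.
USERS = {
    "uid=before,cn=users,dc=example,dc=test": {"shadowMax": "40", "shadowLastChange": "17745"},
    "uid=after,cn=users,dc=example,dc=test": {"shadowLastChange": "17745"},
}


def expected_shadow_max(expiry_interval):
    """Value proposed in the description: the policy interval if set, else ''."""
    if expiry_interval and int(expiry_interval) > 0:
        return str(int(expiry_interval))
    return ""  # empty or 0: password aging disabled (assumption, see comment 1)


def password_expiry(entry):
    """Date on which the shadow password expires, or None if it never does."""
    if not entry.get("shadowMax") or not entry.get("shadowLastChange"):
        return None
    # shadowLastChange is in days since 1970-01-01, shadowMax is a day count.
    days = int(entry["shadowLastChange"]) + int(entry["shadowMax"])
    return date(1970, 1, 1) + timedelta(days=days)


def audit(users, expiry_interval):
    """Return the DNs whose shadowMax differs from what the policy requires."""
    want = expected_shadow_max(expiry_interval)
    return sorted(dn for dn, entry in users.items()
                  if entry.get("shadowMax", "") != want)


if __name__ == "__main__":
    for dn in audit(USERS, POLICY_EXPIRY_INTERVAL):
        print("policy drift:", dn, "expires:", password_expiry(USERS[dn]))
```

In a real deployment the entries would come from an LDAP search instead of the inline dictionary.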