Univention Bugzilla – Full Text Bug Listing
Summary: | Value of "passwordexpiry" is reset by the s4-connector | ||
---|---|---|---|
Product: | UCS | Reporter: | Christina Scheinig <scheinig> |
Component: | S4 Connector | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P5 | CC: | best, gohmann, requate, schwardt |
Version: | UCS 4.3 | ||
Target Milestone: | UCS 4.3-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=47518 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 4: Will affect most installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.229 | Enterprise Customer affected?: | |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2018081021000484, 2018082221000489 | Bug group (optional): | Usability |
Max CVSS v3 score: | |||
Bug Depends on: | 36317 | ||
Bug Blocks: | 47518 | ||
Attachments: | directory logger logfile |
Description
Christina Scheinig
2018-08-16 11:58:04 CEST
Further debugging has shown that this is primarily a display problem. The user's password has effectively expired, but the UDM property "passwordexpiry" returns "None".

The appendix contains all LDAP changes of uid=m.mouse from 2018-08-10 of the customer. The first two changes are triggered by the UMC module "Passwörter (Lehrer)". The schooladmin h.simpson sets the password of m.mouse to a user-defined value and the UDM property pwdChangeNextLogin is set to 1. This change is performed in two distinct LDAP changes because of Bug 46067.

You can see that the S4-Connector/UDM changes the LDAP attributes relevant for the password process to an equivalent when the user object is changed (the third change in the log):

Old values:
shadowLastChange: 17751
shadowMax: 1
krb5PasswordEnd: 20180810000000Z

New values:
shadowLastChange: 0
sambaPwdMustChange: 0

In unmapPasswordExpiry() in users/user.py, shadowLastChange != 0 and shadowMax != 0 are checked to show a password expiration date. The UDM property "passwordexpiry" is used in the UMC module "Passwords (Teachers)" to indicate when the password must be changed. It was expected that the value "Now" would be displayed in the column. However, "Never" is still returned because "passwordexpiry" is set to "None". I currently have no idea whether this is a problem in UDM or the S4-Connector.

Created attachment 9628 [details]
directory logger logfile
Additional note: whether the S4-Connector makes its "third" change in LDAP depends, among other things, on whether the same password is reused and whether the password had already expired before the change.
The UDM/S4 behaviour breaks a new, long requested UCS@school feature: the UCS@school password reset module shows "never" for the number of days left until the password has to be changed (instead of "now").

(In reply to Sönke Schwardt-Krummrich from comment #3)
> The UDM/S4 behaviour breaks a new, long requested UCS@school feature:
> the UCS@school password reset module shows "never" for the number of days
> left until the password has to be changed (instead of "now").

This happened in another school environment. This is very confusing for the customer.

I also fixed Bug #45282 because it touches the same code paths. The first commit also fixes Bug #47508:

1c9b6d9af5 | Don't remove shadowMax and krb5PasswordEnd and don't reset shadowLastChange to 0
6373405003 | Refactor to improve log message for newpwdlastset
7ccc957a0c | Bug #47595 & Bug #45282: Changelog
900d47fc2d | Merge branch 'arequate/bug47595' into 4.3-2
83a2f0a248 | Bug #45282 & Bug #47595: Advisory

Note: I had to revise my commit for Bug 47508 (see Bug 47508 Comment 6):

24fc6d4923 | Don't remove krb5PasswordEnd

Works, the connector sets shadowMax=1 for "pwd change on next login", otherwise to the policy value or None.

OK - s4 connector test
OK - ucsschool Passwords module
OK - password change via UCS
OK - password change via Samba
OK - YAML
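As an added illustration (not code from UDM, the S4 connector, or any commenter on this bug), the following Python models the rule the description cites for unmapPasswordExpiry(): an expiry date is only derived when both shadowLastChange and shadowMax are present and non-zero. It replays the old and new attribute values of the third LDAP change from the report to show why "passwordexpiry" collapses to None (displayed as "Never") once the connector resets shadowLastChange to 0, and then the attribute state the fix leaves in place (shadowLastChange kept, shadowMax=1 for "pwd change on next login"), which yields "Now". The function names, the bytes-list attribute layout, the "Now"/"Never" rendering rule and the reference date are assumptions of this model, not taken from the UCS sources.

```python
"""Model of the password-expiry derivation discussed in Bug 47595.

Added example, not Univention code. It reimplements the check the report
cites for unmapPasswordExpiry() and replays the attribute values from the
report's directory-logger excerpt.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)


def posix_days_to_date(days):
    """Convert a shadow-style day count (days since 1970-01-01) to ISO date."""
    return (EPOCH + timedelta(days=days)).isoformat()


def password_expiry(ldap_attrs):
    """Return the ISO expiry date, or None when it cannot be derived.

    Mirrors the rule quoted in the report: both shadowLastChange and
    shadowMax must be set and non-zero, otherwise no date is shown.
    Attribute layout (name -> list of bytes) is an assumption of this model.
    """
    try:
        last_change = int(ldap_attrs.get("shadowLastChange", [b"0"])[0])
        shadow_max = int(ldap_attrs.get("shadowMax", [b"0"])[0])
    except ValueError:
        return None
    if last_change != 0 and shadow_max != 0:
        return posix_days_to_date(last_change + shadow_max)
    return None


def display_value(ldap_attrs, today=date(2018, 8, 10)):
    """What a password-reset UI would show (assumed rule): 'Never' when no
    date can be derived, 'Now' when the derived date is not in the future,
    otherwise the date itself. The default reference date is the day of the
    customer's LDAP changes in the report."""
    expiry = password_expiry(ldap_attrs)
    if expiry is None:
        return "Never"
    if date.fromisoformat(expiry) <= today:
        return "Now"
    return expiry


# Old values of the third LDAP change, as listed in the report.
BEFORE_THIRD_CHANGE = {
    "shadowLastChange": [b"17751"],
    "shadowMax": [b"1"],
    "krb5PasswordEnd": [b"20180810000000Z"],
}

# New values after the connector's third change, as listed in the report:
# shadowLastChange reset to 0, shadowMax and krb5PasswordEnd removed.
AFTER_THIRD_CHANGE = {
    "shadowLastChange": [b"0"],
    "sambaPwdMustChange": [b"0"],
}

# Constructed state reflecting the fix commit message ("don't remove shadowMax
# and krb5PasswordEnd and don't reset shadowLastChange to 0") and the QA note
# (connector sets shadowMax=1 for "pwd change on next login").
AFTER_FIX = {
    "shadowLastChange": [b"17751"],
    "shadowMax": [b"1"],
    "krb5PasswordEnd": [b"20180810000000Z"],
    "sambaPwdMustChange": [b"0"],
}


if __name__ == "__main__":
    for label, attrs in (("before third change", BEFORE_THIRD_CHANGE),
                         ("after third change", AFTER_THIRD_CHANGE),
                         ("after fix", AFTER_FIX)):
        print(f"{label:20s} passwordexpiry={password_expiry(attrs)!r:14} "
              f"shown as {display_value(attrs)!r}")
```

Running the block prints a date for the pre-change attributes, None/"Never" for the connector-reset attributes (the symptom the report describes) and "Now" for the fixed state; the 17751 + 1 day count resolves to 2018-08-09, one day before the krb5PasswordEnd value in the log, which is consistent with the password already being expired on 2018-08-10.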