Users in an OU without a password expiration policy are being asked to change their password

Solution Verified

Environment

Red Hat Directory Server 8

Issue

Users created under an Organizational Unit that does not contain a password expiration policy (defined as "Password never expires") are asked to change their password after login.

Resolution

Remove the LDAP shadow* attributes (shadowLastChange, shadowMax, shadowWarning) from the affected account.

Root Cause

pam_ldap relies on the return code of the LDAP bind operation to evaluate the status of a given account.
The presence of the shadow* attributes bypasses this LDAP-based evaluation and thus breaks the RHDS control of password expiration.

Diagnostic Steps

Run an ldapsearch, querying for the affected account:

[rfreire@rf ~]$ ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser
# extended LDIF
#
# LDAPv3
# base <ou=prod,dc=example,dc=com> with scope subtree
# filter: uid=testuser
# requesting: ALL
#

# testuser, Users, prod, example.com
dn: uid=testuser,ou=Users,ou=prod,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgperson
objectClass: shadowAccount
objectClass: top
objectClass: organizationalPerson
objectClass: person
uid: testuser
cn: testuser
givenName: testuser
sn: testuser
mail: testuser@example.com
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/testuser
loginShell: /bin/bash
description: testuser
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Narrowing the search down, the shadow* attributes present in the account become visible:

[rfreire@rf ~]$ ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser | egrep '^shadow'
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7

For comparison, a correct account (no shadow* attributes):

[rfreire@rf ~]$ ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser
# extended LDIF
#
# LDAPv3
# base <ou=prod,dc=example,dc=com> with scope subtree
# filter: uid=testuser
# requesting: ALL
#

# testuser, Users, prod, example.com
dn: uid=testuser,ou=Users,ou=prod,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgperson
objectClass: shadowAccount
objectClass: top
objectClass: organizationalPerson
objectClass: person
uid: testuser
cn: testuser
givenName: testuser
sn: testuser
mail: testuser@example.com
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/testuser
loginShell: /bin/bash
description: testuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Narrowing down, no shadow* attributes are returned:

[rfreire@rf ~]$ ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser | egrep '^shadow'
[rfreire@rf ~]$ 
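The check and the resolution above, scripted: an added example (not part of the original solution) that detects the shadow* attributes in an LDIF entry and emits the ldapmodify LDIF that deletes them. The host, base DN and bind credentials are assumptions taken from the searches above; the sample entry is constructed.

```shell
#!/bin/sh
# Constructed sample: the affected entry from the diagnostic steps (trimmed).
SAMPLE_LDIF='dn: uid=testuser,ou=Users,ou=prod,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7
'

# shadow_attrs_in_ldif: print the names of the shadow* attributes carried by an
# LDIF entry read from stdin (same check as the egrep in the diagnostic steps).
# Note: per shadow(5), shadowLastChange 0 means "change password at next login",
# which matches the symptom once these attributes are consumed instead of the bind result.
shadow_attrs_in_ldif() {
    grep -E '^shadow[A-Za-z]*:' | cut -d: -f1
}

# ldif_remove_shadow: turn an LDIF entry on stdin into a changetype: modify LDIF that
# deletes every shadow* attribute the entry carries. Exit 2 when there is nothing to do.
ldif_remove_shadow() {
    awk '
        /^dn: /              { dn = $0; next }
        /^shadow[A-Za-z]*: / { a = $0; sub(/:.*/, "", a)
                               if (!(a in seen)) { seen[a] = 1; list[++n] = a } }
        END {
            if (dn == "") exit 1            # not an LDIF entry
            if (n == 0)  exit 2             # no shadow* attributes: account is already correct
            print dn
            print "changetype: modify"
            for (i = 1; i <= n; i++) { print "delete: " list[i]; print "-" }
        }'
}

# list_accounts_with_shadow: print the DN of every shadowAccount under the OU that still
# carries shadowLastChange (assumed host and base from the page; needs the directory online).
list_accounts_with_shadow() {
    ldapsearch -x -LLL -H "${LDAP_URI:-ldap://rhds82}" \
        -b "${LDAP_BASE:-ou=prod,dc=example,dc=com}" \
        '(&(objectClass=shadowAccount)(shadowLastChange=*))' dn | sed -n 's/^dn: //p'
}

# Stand-alone run: show the modify LDIF for the constructed sample.
printf '%s' "$SAMPLE_LDIF" | ldif_remove_shadow
```

Apply the generated LDIF with `ldapmodify -x -H ldap://rhds82 -D "cn=Directory Manager" -W -f <file>` (assumed bind DN), then re-run the egrep check to confirm the account now matches the correct one.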

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
