docs/doc/source/security/kubernetes/local-ldap-user-password-expiry-mechanism-eba5d34abbd4.rst
Juanita Balaraj a29d5a76f2 Updates for password expiry on subclouds for LDAP users (dsr8MR2; dsr8MR3)
Replaced note
updated patchset 3 comments
Updated patchset 2 comments and added an additional note
Updated Patchset 1 comments and added an additional note

Change-Id: Icf617e27827e263a1b71155e76eb671f12d254cf
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2024-04-03 22:22:03 +00:00

5.0 KiB

Local LDAP user password expiry control

Password expiry control for local openLDAP users is based on a solution. The solution uses configuration for a shadow password expiry policy based on openLDAP password policy control schema, see https://www.ietf.org/archive/id/draft-behera-ldap-password-policy-10.html.

Setting shadow password expiry information in local server

When creating a local user with localusersetup command or using the playbook, the following input data needs to be provided:

For example:

Enter days after which user password must be changed [90]: 30 Successfully modified user entry uid=usertest1,ou=People,dc=test,dc=local in Updating password expiry to 30 days.

In the example above this input sets shadowMax attribute for the user "usertest1".

For example:

Enter days before the password is to expire that user is warned [2]: 14 Successfully modified user entry uid=usertest1,ou=People,dc=test,dc=local in LDAP Updating password expiry to 14 days.

In the example above this input sets shadowWarning attribute for the user "usertest1".

Important

Always set the shadowMax value higher than the `shadowWarning value.

The user entry can be checked with the following command:

[sysadmin@controller-0 ~(keystone_admin)]$ /var/home/sysadmin# sudo ldapfinger usertest1

dn: uid=usertest1,ou=People,dc=test,dc=local
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: usertest1
uid: usertest1
uidNumber: 10002
gidNumber: 100
homeDirectory: /home/usertest1
gecos: usertest1
description: User account
loginShell: /bin/bash
shadowMax: 30
shadowWarning: 14
userPassword: <encrypted password>
shadowLastChange: 19574

Note

has been configured to use the shadow password policy by setting parameter ldap_pwd_policy=shadow. As a result, the parameters, ldap_user_shadow_max and ldap_user_shadow_warning map to the user attributes "shadowMax" and "shadowWarning" respectively.

Password Expiry behavior on a running system

Every node where client is running, in either standalone or Distributed Cloud system configurations, the following behavior will be observed.

  • At login time, including connections, the user will be prompted to change the password when password has expired according to the expiry period set at user account creation (shadowMax).
  • A password expiration warning will appear at login time to notify the user in advance, according to the configured warning time set at the user account creation (shadowWarning).
  • A warning that the password has expired is logged in "/var/log/auth.log".

Depending on how much time is left until the password expiration, the user will be notified with the time left until expiry.

  • If there is more than one day until expiry, the user will be notified with the number of days left.
  • If there is less than a day till password expiry, the notification will be in number of hours.
  • If it is less than one hour until expiry the notification will be in number of minutes.

For example,

  • "Your password will expire in 2 day(s)." or
  • "Your password will expire in 45 minute(s)."

Note

The password expiry warning is displayed as a duplicate message at login.

For example:

usertest2@<host IP address>'s password: Your password will expire in 1 day(s). Your password will expire in 1 day(s).

This is normal behavior because the messages are posted by 2 different sources that check password expiry.

The source of the 2 notifications for password expiry can be found in the "/var/log/auth.log". One notification comes from "sshd" and the 2nd from"sudo".

Example:

2023-08-09T02:25:29.375 controller-0 sshd[1788048]: info pam_sss(sshd:account): User info message: Your password will expire in 21 hour(s).

2023-08-09T02:25:29.377 controller-0 sshd[1788048]: info Accepted password for usertest3 from <ip addr> port <port_number> ssh2

...

2023-08-09T02:27:03.284 controller-0 sudo: info pam_sss(sudo:account): User info message: Your password will expire in 21 hour(s).

Note

Password expiration warning gets triggered when the regular user is using ssh to connect to the node the user needs access to and its password has reached the threshold for a warning before it expires. The first warning message may occur with a delay. This is due to time calculation and synchronization mechanism with the server.