Small issue in handling of `shadowMax` attribute of `shadowAccount`

Hi,

I encountered an issue where nss-pam-ldapd interprets 0 and negative values of shadowMax to mean that an LDAP user's password has expired. On other operating systems that use sssd, nss-ldap, and ypldap, 0 is interpreted as "never expires," but nss-pam-ldapd is hardcoded to only interpret a value of -1 (the default if the attribute is missing) as "never expires."

The fix is changing line 354 in ./nslcd/pam.c from this:
  else if (maxdays != -1)
  {
    /* check maxdays */
    daysleft = lastchangedate + maxdays - today;
    if (daysleft == 0)
      mysnprintf(authzmsg, authzmsgsz - 1, "Password will expire today");
    else if (daysleft < 0)
      mysnprintf(authzmsg, authzmsgsz - 1, "Password expired %ld days ago",
                 -daysleft);

to this:
  else if (maxdays > 0)

I've described the issue in more detail on GitHub, but I wasn't sure if that was the best way to reach you:
https://github.com/arthurdejong/nss-pam-ldapd/issues/75

Thank you for working on this project.
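As an added worked example (not part of this message and not nss-pam-ldapd's own code), the following C program reconstructs the expiry arithmetic quoted above and evaluates it under both the current condition (`maxdays != -1`) and the proposed one (`maxdays > 0`) for a constructed sample account. The function and enum names, the `zero_is_never` switch, and the fixed-size buffer used in place of `mysnprintf`/`authzmsg` are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Outcomes of the shadowMax check (names constructed for this example). */
enum expiry_status { EXPIRY_NEVER, EXPIRY_OK, EXPIRY_TODAY, EXPIRY_EXPIRED };

/*
 * Hypothetical re-implementation of the expiry arithmetic quoted from
 * nslcd/pam.c; not the project's own code.
 *   lastchangedate  day number (days since 1970-01-01) of the last password change
 *   maxdays         value of shadowMax, -1 when the attribute is absent
 *   today           current day number
 *   zero_is_never   0: current behaviour, only -1 disables the check
 *                   1: proposed fix, any value <= 0 disables the check
 * *daysleft is set when the check applies; msg receives the same texts the
 * original emits (fixed-size buffer instead of mysnprintf/authzmsg).
 */
enum expiry_status check_shadow_max(long lastchangedate, long maxdays, long today,
                                    int zero_is_never, long *daysleft,
                                    char *msg, size_t msgsz)
{
  int applies = zero_is_never ? (maxdays > 0) : (maxdays != -1);
  if (msgsz > 0)
    msg[0] = '\0';
  if (!applies)
    return EXPIRY_NEVER;            /* "never expires": no ageing message */
  /* check maxdays: days until the password reaches its maximum age */
  *daysleft = lastchangedate + maxdays - today;
  if (*daysleft == 0)
  {
    snprintf(msg, msgsz, "Password will expire today");
    return EXPIRY_TODAY;
  }
  if (*daysleft < 0)
  {
    snprintf(msg, msgsz, "Password expired %ld days ago", -*daysleft);
    return EXPIRY_EXPIRED;
  }
  return EXPIRY_OK;
}

/* Convenience wrapper returning only the status, for tests and the table below. */
enum expiry_status status_for(long lastchangedate, long maxdays, long today,
                              int zero_is_never)
{
  long left = 0;
  char msg[80];
  return check_shadow_max(lastchangedate, maxdays, today, zero_is_never,
                          &left, msg, sizeof msg);
}

static const char *status_name(enum expiry_status s)
{
  static const char *names[] = { "never", "ok", "today", "expired" };
  return names[s];
}

int main(void)
{
  /* Constructed sample: today is day 19000, password changed 30 days ago. */
  const long today = 19000, changed = today - 30;
  const long samples[] = { -1, 0, 30, 90 };
  size_t i;
  printf("%9s  %-8s  %-8s  %s\n", "shadowMax", "current", "fixed", "current message");
  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
  {
    long left = 0;
    char cur[80], fix[80];
    enum expiry_status a = check_shadow_max(changed, samples[i], today, 0,
                                            &left, cur, sizeof cur);
    enum expiry_status b = check_shadow_max(changed, samples[i], today, 1,
                                            &left, fix, sizeof fix);
    /* Only shadowMax = 0 (and negative values other than -1) differ between the two. */
    printf("%9ld  %-8s  %-8s  %s\n", samples[i], status_name(a), status_name(b), cur);
  }
  return 0;
}
```

With the sample above, a shadowMax of 0 is reported as "Password expired 30 days ago" under the current condition and as "never expires" under the proposed one; -1, 30 and 90 produce the same result either way.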