Password expiration warning and change prompt not working for LDAP user

Bug #2008501 reported by Reinildes Oliveira
Affects: StarlingX | Status: Fix Released | Importance: Medium | Assigned to: Reinildes Oliveira

Bug Description

Brief Description
-------------------------------------------

Password warning msg is not shown when an ldap user is created with 'password_change_period=1' and then logs in as that ldap user.

Password warning msg is:
Warning: your password will expire in 1 day

Additionally, password change prompt is not shown when the password has expired.

Severity
-------------------------------------------
Standard

Steps to Reproduce
-------------------------------------------

Password about to expire warning:

Manual:

1. create secure inventory

~(keystone_admin)]$ ansible-vault create secure-inventory
# This will open a text editor where you can fill the inventory parameters as shown in the example below:
[all:vars]
ansible_user=sysadmin
ansible_password=Li69nux*
ansible_become_pass=Li69nux*
[systemcontroller]
systemcontroller-0 ansible_host=127.0.0.1

2. create ldapuser01 with password_change_period=1

Send 'ansible-playbook --verbose --inventory secure-inventory --ask-vault-pass --extra-vars='mode=create user_id=ldapuser01 password_change_period=1' /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml'

3. verify user is listed in openstack

Send 'openstack --os-username 'admin' --os-password 'Li69nux*' --os-project-name admin --os-auth-url http://[abcd:204::1]:5000/v3 --os-user-domain-name Default --os-project-domain-name Default --os-identity-api-version 3 --os-interface internal --os-region-name RegionOne user list'
[2022-11-07 13:49:58,311] 548 DEBUG MainThread ssh.exec_cmd:: Expecting \[.*@controller\-[01] .*\(keystone_admin\)\]\$ in prompt
 473 DEBUG MainThread ssh.expect :: Output:
+----------------------------------+------------+
| ID | Name |
+----------------------------------+------------+
| 2a2af8ef02834c3db5dca9604bf06150 | mtce |
| b4b943e0598d40698e968acb79a4e347 | barbican |
| bb688a85b691496bae7dd85379497b45 | sysinv |
| 335752a0f2f34d468518a99ef4bd90c4 | fm |
| ac1c1805f9674794889cec2b692c7d50 | patching |
| e29cb66f00694937ade420269f51897c | vim |
| b2f03184265b4e9c9322c1d04b2025ef | smapi |
| c9e9c9c954374f96a38411c02f7e2ae2 | admin |
| 6b049d804a1d418b9e9c4fe1e525eee2 | ldapuser01 |
+----------------------------------+------------+

4. login as ldapuser01

ldapuser01@controller-1's password:
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
Linux controller-1 5.10.0-6-rt-amd64 #1 SMP PREEMPT_RT StarlingX Debian 5.10.112-1.stx.24 (2022-11-09) x86_64
Last login: Wed Nov 9 17:03:03 2022 from face::2
ldapuser01@controller-1:~$

Expected Behavior

[2022-10-08 04:23:40,784] 351 DEBUG MainThread ssh.send :: Send 'ssh -l ldapuser01 -o UserKnownHostsFile=/dev/null controller-1'
[2022-10-08 04:23:40,865] 473 DEBUG MainThread ssh.expect :: Output:
The authenticity of host 'controller-1 (abcd:204::3)' can't be established.
ECDSA key fingerprint is SHA256:NuSfq4Zw3nE1KaxZqm3fXsUybmzwV+Z+d6D+pXdWRbo.
ECDSA key fingerprint is MD5:90:0f:18:e7:75:f7:31:38:20:6a:34:34:d6:9b:b0:c8.
Are you sure you want to continue connecting (yes/no)?

[2022-10-08 04:23:40,867] 351 DEBUG MainThread ssh.send :: Send 'yes'
[2022-10-08 04:23:40,923] 473 DEBUG MainThread ssh.expect :: Output:
Warning: Permanently added 'controller-1,abcd:204::3' (ECDSA) to the list of known hosts.
Release 22.12
------------------------------------------------------------------------
W A R N I N G *** W A R N I N G *** W A R N I N G *** W A R N I N G ***
------------------------------------------------------------------------
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for authorized use.
All computer systems may be monitored for all lawful purposes, including to
ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security. Monitoring includes active
attacks by authorized personnel and their entities to test or verify the
security of the system. During monitoring, information may be examined,
recorded, copied and used for authorized purposes. All information including
personal information, placed on or sent over this system may be monitored. Uses
of this system, authorized or unauthorized, constitutes consent to monitoring
of this system. Unauthorized use may subject you to criminal prosecution.
Evidence of any such unauthorized use collected during monitoring may be used
for administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.

ldapuser01@controller-1's password:

[2022-10-08 04:23:40,924] 351 DEBUG MainThread ssh.send :: Send 'Li69nux*'
[2022-10-08 04:23:41,132] 473 DEBUG MainThread ssh.expect :: Output:
Warning: your password will expire in 1 day
Last login: Sat Oct 8 04:23:14 2022 from 127.0.0.1
/etc/motd.d/00-header:


WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.

ldapuser01@controller-1:~$
[2022-10-08 04:23:41,132] 351 DEBUG MainThread ssh.send :: Send 'exit'
[2022-10-08 04:23:41,182] 113 INFO MainThread tis_log.tc_step ::

Actual Behavior

[sysadmin@controller-0 ~(keystone_admin)]$ ssh ldapuser01@controller-1
Release 22.12
------------------------------------------------------------------------
W A R N I N G *** W A R N I N G *** W A R N I N G *** W A R N I N G ***
------------------------------------------------------------------------
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for authorized use.
All computer systems may be monitored for all lawful purposes, including to
ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security. Monitoring includes active
attacks by authorized personnel and their entities to test or verify the
security of the system. During monitoring, information may be examined,
recorded, copied and used for authorized purposes. All information including
personal information, placed on or sent over this system may be monitored. Uses
of this system, authorized or unauthorized, constitutes consent to monitoring
of this system. Unauthorized use may subject you to criminal prosecution.
Evidence of any such unauthorized use collected during monitoring may be used
for administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
ldapuser01@controller-1's password:
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
Linux controller-1 5.10.0-6-rt-amd64 #1 SMP PREEMPT_RT StarlingX Debian 5.10.112-1.stx.24 (2022-11-09) x86_64
Last login: Wed Nov 9 17:03:03 2022 from face::2
ldapuser01@controller-1:~$

Expired password prompt not showing up:

After further analysis, it turns out that this is a bigger issue where passwords are not expiring for LDAP users.

In order to reproduce this second bug:

1) Create user with a 1 day password validity:

ldapusersetup -u ldap_user1 --sudo --secondgroup sys_protected --passmax 1 --passwarning 2

2) Now login with the user, for the first time, what should prompt a password change:

ssh ldap_user1@localhost

3) Logout from ldap_user1

exit

4) Change os date to 3 days in the future:

sudo date -s "Tue Mar 14 06:33:37 UTC 2023" # example command

5) Now login again with the user:

ssh ldap_user1@localhost

Expected behavior:

User should see a prompt asking them to change their passwords:

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.

====================================================================
         SYSTEM: vbox
====================================================================
Linux controller-0 5.10.0-6-amd64 #1 SMP PREEMPT StarlingX Debian 5.10.162-1.stx.31 (2023-02-07) x86_64
Last login: Tue Mar 14 21:37:21 2023 from 127.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for ldap_user1.
Current Password:

Actual behavior:

User is able to login:

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.

====================================================================
         SYSTEM: vbox
====================================================================
Linux controller-0 5.10.0-6-amd64 #1 SMP PREEMPT StarlingX Debian 5.10.162-1.stx.31 (2023-02-07) x86_64
Last login: Tue Mar 14 21:37:57 2023 from 127.0.0.1
ldap_user1@controller-0:~$

Reproducibility
-------------------------------------------
Reproducible

Last Pass
-------------------------------------------
Never PASS on Debian.

Alarms
-------------------------------------------
NA

Test Activity
-------------------------------------------
Regression Testing

Workaround
-------------------------------------------
Describe workaround if available

Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.security
tags: added: stx.9.0
OpenStack Infra (hudson-openstack) wrote : Fix merged to config-files (master)

Reviewed: https://review.opendev.org/c/starlingx/config-files/+/874104
Committed: https://opendev.org/starlingx/config-files/commit/13d31e81845593e3c3a4548fc5088c631105f00b
Submitter: "Zuul (22348)"
Branch: master

commit 13d31e81845593e3c3a4548fc5088c631105f00b
Author: Rei Oliveira <email address hidden>
Date: Thu Feb 16 11:48:57 2023 -0300

    Fix password expiration for local openldap users

    There is an issue with debian SSSD package and the password expiration
    message and change prompt are not showing up when expected.

    This change adds a custom shell script that will use the last password
    modification date from ldap and the expected shadowWarning and
    shadowMax configured for the user to tell when to show password
    expiration warning and when to ask the user to change their passwords.

    This commit addresses only local openldap users as this is more
    critical, since AD users will be warned and have their password
    expiration handled externally by their organization. Further work to
    include AD users in this script is under investigation.

    Test plan:

    PASS: 1) Create ldap user with 'ldapusersetup -u ldap_user1 --sudo
          --secondgroup sys_protected --passmax 1 --passwarning 2',
          login with user and verify the first time password change prompt
          is shown.
    PASS: 2) After test #1, exit and login back again with user ldap_user1
          and verify after login msg 'Warning: The password for ldap_user1
          will expire in 1 day.' is shown.
    PASS: 3) After test #1, logout ldap_user1 and change the system's date
          to 1 day in the future. Login back with ldap_user1 and verify
          that after login msg 'Warning: The password for ldap_user1 will
          expire in 0 day.' is shown.
    PASS: 4) After test #3, logout ldap_user1 and change the system's date
          to 1 day in the future. Login back with ldap_user1 and verify
          that the system will print a msg 'WARNING: Your password has
          expired.' and will prompt users to change their passwords.

    Closes-Bug: 2008501

    Change-Id: I609f54fca11bf8747a6fb306343e70039ac9686a
    Signed-off-by: Rei Oliveira <email address hidden>
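
As an added illustration of the approach the commit message describes (this is not the StarlingX script itself), the POSIX shell sketch below computes days left from shadowLastChange, shadowMax and shadowWarning and decides between "warn", "expired" and nothing, with the day boundaries chosen to match test plan steps 2-4; it also covers the case raised in the re-open comment where the warning period equals the change period. The LDIF input is constructed here in place of a real ldapsearch query, and the ou/dc values in it are assumed.

```shell
#!/bin/sh
# Added example, not the StarlingX fix: decide from a local OpenLDAP account's
# shadowAccount attributes whether to warn about, or force, a password change.
# shadowLastChange is in days since the epoch; shadowMax/shadowWarning in days.

# Constructed LDIF, standing in for the output of
# `ldapsearch -LLL ... uid shadowLastChange shadowMax shadowWarning`.
# The ou/dc values are assumed; 19429 is roughly 2023-03-13.
SAMPLE_LDIF='dn: uid=ldap_user1,ou=People,dc=example,dc=local
uid: ldap_user1
shadowLastChange: 19429
shadowMax: 1
shadowWarning: 2'

# ldif_attr NAME LDIF -> value of the first "NAME: value" line
ldif_attr() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# password_state LASTCHANGE MAX WARNING TODAY -> expired | warn:<days> | ok
# The password is valid through day LASTCHANGE+MAX (reported as "0 day" left)
# and expired from the day after, matching the commit's test plan steps 2-4.
password_state() {
    last=$1; max=$2; warn=$3; today=$4
    # No shadowMax (or a negative one) means the password never expires.
    [ -n "$max" ] && [ "$max" -ge 0 ] || { echo ok; return; }
    left=$(( last + max - today ))
    if [ "$left" -lt 0 ]; then
        echo expired
    elif [ "$left" -le "${warn:-0}" ]; then
        echo "warn:$left"
    else
        echo ok
    fi
}

# check_user LDIF [TODAY] -> the login-time message; a real login hook would
# run `passwd` and end the session in the expired case.
check_user() {
    today=${2:-$(( $(date -u +%s) / 86400 ))}   # UTC days, like shadowLastChange
    user=$(ldif_attr uid "$1")
    state=$(password_state "$(ldif_attr shadowLastChange "$1")" \
        "$(ldif_attr shadowMax "$1")" "$(ldif_attr shadowWarning "$1")" "$today")
    case $state in
        expired) echo "WARNING: Your password has expired." ;;
        warn:*)  echo "Warning: The password for $user will expire in ${state#warn:} day." ;;
    esac
}
```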

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil) wrote :

Re-opening. Issue seen when using the same value for password_change_period and password_warning_period=2

Changed in starlingx:
status: Fix Released → In Progress
Reinildes Oliveira (rjosemat) wrote :
Changed in starlingx:
status: In Progress → Fix Released