From 2e494bc7e5e73f97e8a425b22706418ff8879336 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Oct 20 2016 21:10:35 +0000
Subject: Ticket 49014 - ns-accountstatus.pl shows wrong status for accounts inactivated by Account policy plugin


Bug Description:  ns-accountstatus.pl shows wrong status for accounts inactivated
                  by inactivity.  If there is no acct policy subentry the wrong
                  basedn was used to get the inactivity limit.  This prevented the
                  script from detecting if an account was inactivated due to inactivity.

Fix Description:  If there is no subentry, then use the existing config entry
                  to get the inactivity limit.

https://fedorahosted.org/389/ticket/49014

Reviewed by: nhosoi(Thanks!)

---

diff --git a/ldap/admin/src/scripts/ns-accountstatus.pl.in b/ldap/admin/src/scripts/ns-accountstatus.pl.in
index 37fc7fa..a20d2df 100644
--- a/ldap/admin/src/scripts/ns-accountstatus.pl.in
+++ b/ldap/admin/src/scripts/ns-accountstatus.pl.in
@@ -474,7 +474,7 @@ sub getAcctPolicy
     close(LDAP1);
 
     #
-    # Now, get the DN for the cos template from the entry
+    # Now, get the DN for the account policy subEntry from the entry (if available)
     #
     $srch{base} = $entry;
     $srch{filter} = "(objectclass=*)";
@@ -486,14 +486,19 @@ sub getAcctPolicy
         s/\n //g;
         if (/^$cosspecattr: (.*)/i){
             $templateDN = $1;
+            break;
         }
     }
     close(LDAP1);
 
     #
-    # Get the inactivity limit from the template]
+    # Get the inactivity limit
     #
-    $srch{base} = $templateDN;
+    $srch{base} = $configentry;
+    if ($templateDN){
+        # Use subEntry DN
+        $srch{base} = $templateDN;
+    }
     $srch{filter} = "($limitattr=*)";
     $srch{scope} = "base";
     $srch{attrs} = "$limitattr";