#396 Account Usability Control Not Working
Closed: wontfix. Opened 11 years ago by nkinder.

https://bugzilla.redhat.com/show_bug.cgi?id=835238 (Red Hat Enterprise Linux 6)

Description of problem: Account Usability Control fails to give relevant error
messages for users whose password has expired or whose account is locked.


Version-Release number of selected component (if applicable):
389-ds-base-1.2.11


How reproducible: Consistently


Steps to Reproduce:
1. Install the latest 389-ds-base.
2. Configure the global password policy using pwpol.ldif.
3. Create a few user accounts and wait until the account password has expired.
4. Bind as a normal user with an invalid password and lock the account.
5. Run ldapsearch (using the OpenDS clients) as the Directory Manager user with
the -J option and the Account Usable Control, and check whether you get the
right error message.

OpenDS client libraries are available in TET.
https://svn.devel.redhat.com/repos/DStetframework/trunk/data/DS/6.0/clients

cat pwpol.ldif
dn: cn=config
changetype: modify
replace: passwordexp
passwordexp: on
-
replace: passwordhistory
passwordhistory: on
-
replace: passwordlockout
passwordlockout: on
-
replace: passwordlockoutduration
passwordlockoutduration: 600
-
replace: passwordmaxage
passwordmaxage: 300
-
replace: passwordmaxfailure
passwordmaxfailure: 3
-
replace: passwordminage
passwordminage: 0
-
replace: passwordresetfailurecount
passwordresetfailurecount: 60
-
replace: passwordunlock
passwordunlock: on
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA
-
replace: passwordwarning
passwordwarning: 180

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h
localhost -D "uid=accusbnewa9,ou=people,dc=passwordexp,dc=com" -w Secret123 -b
"cn=config" objectclass=*
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
Additional Information:  password expired!
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D
"cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b
"uid=accusbnewa9,ou=People,dc=passwordexp,dc=com"  -s sub -J
"accountusability:true" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

--------
[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch --version
OpenDS Directory Server 2.3.0-build003
Build 20100611154447Z
--
           Name                 Build number         Revision number
Extension: snmp-mib2605         2.3.0-build003       6500
--------
PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123
-p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com"  -s
sub -J "1.3.6.1.4.1.42.2.27.9.5.8" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

Hence, marking the status as "ASSIGNED".
--------

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h
localhost -D "uid=accusblockusr9,ou=people,dc=passwordexp,dc=com" -w Secret1234
-b "cn=config" objectclass=*
The simple bind attempt failed
Result Code:  19 (Constraint Violation)
Additional Information:  Exceed password retry limit. Please try later.
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D
"cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b
"uid=accusblockusr9,ou=People,dc=passwordexp,dc=com"  -s sub -J
"accountusability:true" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusblockusr9,ou=People,dc=passwordexp,dc=com
--------

Result: FAIL - Account Usability Response Control fails to produce useful
information about the user account. A similar result is observed with the
"ldapsearch.pl" script provided in TET.

Actual results: The Account Usable Control feature is not working.


Expected results: It should work as expected and give proper error messages for
ldapsearch.
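The report above shows the server answering "The account is usable" for an account whose bind had just failed with "password expired!" or "Exceed password retry limit". As an added example (not code from 389-ds-base or from the report), the decoder below parses the BER value of the Account Usability Response Control (OID 1.3.6.1.4.1.42.2.27.9.5.8) so a client or test harness can check that a locked or expired account is reported as not usable; the ASN.1 layout follows the OpenDS definition of the control, and the sample values are constructed, not captured from a server.

```python
# ACCOUNT_USABLE_RESPONSE ::= CHOICE {
#   is_available     [0] INTEGER,        -- seconds before expiration
#   is_not_available [1] MORE_INFO }
# MORE_INFO ::= SEQUENCE {
#   inactive              [0] BOOLEAN DEFAULT FALSE,
#   reset                 [1] BOOLEAN DEFAULT FALSE,
#   expired               [2] BOOLEAN DEFAULT FALSE,
#   remaining_grace       [3] INTEGER OPTIONAL,
#   seconds_before_unlock [4] INTEGER OPTIONAL }

def _tlv(data, pos=0):
    """Read one BER tag/length/value triple; handles short and long-form lengths."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _int(value):
    return int.from_bytes(value, "big", signed=True)

def decode_account_usability(value: bytes) -> dict:
    """Return a dict describing the account state carried in the control value."""
    tag, body, _ = _tlv(value)
    if tag == 0x80:                        # [0] is_available: primitive INTEGER
        return {"usable": True, "seconds_before_expiration": _int(body)}
    if tag != 0xA1:                        # [1] is_not_available: constructed MORE_INFO
        raise ValueError("unexpected tag 0x%02x in account usability response" % tag)
    info = {"usable": False, "inactive": False, "reset": False, "expired": False}
    names = {0x80: "inactive", 0x81: "reset", 0x82: "expired",
             0x83: "remaining_grace", 0x84: "seconds_before_unlock"}
    pos = 0
    while pos < len(body):
        t, v, pos = _tlv(body, pos)
        if t not in names:                 # tolerate unknown tags from newer servers
            continue
        info[names[t]] = bool(v[0]) if t <= 0x82 else _int(v)
    return info

# Constructed sample control values (not captured from a real server):
USABLE_300S = bytes.fromhex("8002012c")              # usable, 300 s before expiration
LOCKED_EXPIRED = bytes.fromhex("a1078201ff84020258")  # expired, 600 s before unlock
```

Against a correctly behaving server, the control value returned for the two failing users in the report would decode with usable=False and the corresponding expired or seconds_before_unlock fields set, which is the check the reproduction steps perform by eye.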

Fix Description: Commit 0038129 broke the feature. This patch backs out the
change so that get_entry accepts a NULL pblock, which is necessary for the
Account Usability plugin.

Reviewed by Rich (Thank you!!!)

$ git merge acctusability
Updating 3779e92..b2a9269
Fast-forward
ldap/servers/slapd/pw.c | 15 +++++--------
ldap/servers/slapd/pw_retry.c | 42 +++++++++++++++++++++++-----------------
2 files changed, 30 insertions(+), 27 deletions(-)

Pushed to master.

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.22 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
3779e92..b2a9269 master -> master

Steps to verify.

trunk Acceptance Password (pwdpolicy/pwpolicy)

===== [Pass/Fail] break down =====
Test Name            PASS             FAIL   NORESULT
Password startup     100% (1/1)
password policy run  100% (306/306)

Added initial screened field value.

Metadata Update from @nkinder:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.7

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/396

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
