https://bugzilla.redhat.com/show_bug.cgi?id=835238 (Red Hat Enterprise Linux 6)
Description of problem:
Account Usability Control fails to give relevant error messages for the password expired/account locked users.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11

How reproducible:
Consistently

Steps to Reproduce:
1. Install latest 389-ds-base.
2. Configure Global password policy. Use pwpol.ldif.
3. Create a few user accounts and wait until the account password is expired.
4. Bind as a normal user with an invalid password and lock the account.
5. Run ldapsearch (use the OpenDS clients) as the Directory Manager user with the -J option with the Account Usable Control and check whether you get the right error message.

OpenDS client libraries are available in TET:
https://svn.devel.redhat.com/repos/DStetframework/trunk/data/DS/6.0/clients

cat pwpol.ldif
dn: cn=config
changetype: modify
replace: passwordexp
passwordexp: on
-
replace: passwordhistory
passwordhistory: on
-
replace: passwordlockout
passwordlockout: on
-
replace: passwordlockoutduration
passwordlockoutduration: 600
-
replace: passwordmaxage
passwordmaxage: 300
-
replace: passwordmaxfailure
passwordmaxfailure: 3
-
replace: passwordminage
passwordminage: 0
-
replace: passwordresetfailurecount
passwordresetfailurecount: 60
-
replace: passwordunlock
passwordunlock: on
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA
-
replace: passwordwarning
passwordwarning: 180

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h localhost -D "uid=accusbnewa9,ou=people,dc=passwordexp,dc=com" -w Secret123 -b "cn=config" objectclass=*
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
Additional Information: password expired!
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com" -s sub -J "accountusability:true" "objectClass=*" "dn: uid=*"
# Account Usability Response Control
# The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com
--------
[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch --version
OpenDS Directory Server 2.3.0-build003
Build 20100611154447Z
--
           Name           Build number     Revision number
Extension: snmp-mib2605   2.3.0-build003   6500
--------
PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com" -s sub -J "1.3.6.1.4.1.42.2.27.9.5.8" "objectClass=*" "dn: uid=*"
# Account Usability Response Control
# The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

Hence, marking the status as "ASSIGNED".
--------
[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h localhost -D "uid=accusblockusr9,ou=people,dc=passwordexp,dc=com" -w Secret1234 -b "cn=config" objectclass=*
The simple bind attempt failed
Result Code: 19 (Constraint Violation)
Additional Information: Exceed password retry limit. Please try later.
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusblockusr9,ou=People,dc=passwordexp,dc=com" -s sub -J "accountusability:true" "objectClass=*" "dn: uid=*"
# Account Usability Response Control
# The account is usable
dn: uid=accusblockusr9,ou=People,dc=passwordexp,dc=com
--------

Result: FAIL - Account Usability Response Control fails to produce useful information about the user account.
A similar result is observed with the "ldapsearch.pl" script provided in TET.

Actual results:
Account Usable Control feature is not working.

Expected results:
It should work as expected. It should give proper error messages for the ldapsearch.
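An added check, not part of this ticket or of the 389-ds-base code: a small Python decoder for the value of the Account Usability Response Control (OID 1.3.6.1.4.1.42.2.27.9.5.8), so that a verifier looking at the raw control returned to the Directory Manager search above can tell whether the server reports the expired and locked states the reporter expected rather than "The account is usable". The tag layout is assumed from the control's draft ASN.1 (is_available [0] INTEGER, or is_not_available [1] SEQUENCE of inactive [0], reset [1], expired [2], remaining_grace [3], seconds_before_unlock [4]), and the sample values are constructed.

```python
# Decoder for the Account Usability Response Control value (OID 1.3.6.1.4.1.42.2.27.9.5.8).
# Assumed ASN.1 layout (from the control's draft, not from this ticket):
#   CHOICE { is_available [0] INTEGER (seconds before password expiration),
#            is_not_available [1] SEQUENCE { inactive [0] BOOLEAN, reset [1] BOOLEAN,
#              expired [2] BOOLEAN, remaining_grace [3] INTEGER, seconds_before_unlock [4] INTEGER } }

def _tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value triple at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length: next (length & 0x7F) octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_account_usability(value: bytes) -> dict:
    """Parse the raw control value into a dict describing the account state."""
    tag, body, _ = _tlv(value, 0)
    if tag == 0x80:                    # [0] primitive: account usable
        return {"usable": True,
                "seconds_before_expiration": int.from_bytes(body, "big", signed=True)}
    if tag != 0xA1:                    # [1] constructed: account not usable
        raise ValueError(f"unexpected outer tag 0x{tag:02x}")
    info = {"usable": False, "inactive": False, "reset": False, "expired": False,
            "remaining_grace": None, "seconds_before_unlock": None}
    names = {0x80: "inactive", 0x81: "reset", 0x82: "expired",
             0x83: "remaining_grace", 0x84: "seconds_before_unlock"}
    pos = 0
    while pos < len(body):
        t, v, pos = _tlv(body, pos)
        if t not in names:
            raise ValueError(f"unexpected inner tag 0x{t:02x}")
        # tags 0x80..0x82 are BOOLEANs, 0x83 and 0x84 are INTEGERs
        info[names[t]] = (v != b"\x00") if t <= 0x82 else int.from_bytes(v, "big", signed=True)
    return info

def describe(info: dict) -> str:
    """Render the state as the message the reporter expected instead of 'The account is usable'."""
    if info["usable"]:
        return f"account is usable (password expires in {info['seconds_before_expiration']}s)"
    reasons = [k for k in ("inactive", "reset", "expired") if info[k]]
    if info["seconds_before_unlock"] is not None:
        reasons.append(f"locked (unlock in {info['seconds_before_unlock']}s)")
    if info["remaining_grace"] is not None:
        reasons.append(f"{info['remaining_grace']} grace logins left")
    return "account is NOT usable: " + ", ".join(reasons)

# Constructed sample values, not captured from the ticket's server:
SAMPLE_USABLE = b"\x80\x02\x00\xb4"           # usable, 180 s until password expiry
SAMPLE_EXPIRED = b"\xa1\x03\x82\x01\xff"      # expired = TRUE
SAMPLE_LOCKED = b"\xa1\x04\x84\x02\x02\x58"   # seconds_before_unlock = 600 (the pwpol.ldif lockout duration)
```

With the two user states from the report, `describe(decode_account_usability(...))` yields "account is NOT usable: expired" and "account is NOT usable: locked (unlock in 600s)" on the sample values, which is the kind of information the response control should carry.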
git patch file (master) 0001-Trac-Ticket-396-Account-Usability-Control-Not-Workin.patch
Fix Description: Commit 0038129 broke the feature. This patch is backing off the change so that get_entry accepts NULL pblock, which is necessary for the Account Usability plugin.
Reviewed by Rich (Thank you!!!)
$ git merge acctusability
Updating 3779e92..b2a9269
Fast-forward
 ldap/servers/slapd/pw.c       | 15 +++++--------
 ldap/servers/slapd/pw_retry.c | 42 +++++++++++++++++++++++-----------------
 2 files changed, 30 insertions(+), 27 deletions(-)
Pushed to master.
$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.22 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   3779e92..b2a9269  master -> master
Steps to verify.
trunk Acceptance Password (pwdpolicy/pwpolicy)
===== [Pass/Fail] break down =====
Test Name             PASS            FAIL    NORESULT
Password startup      100% (1/1)
password policy run   100% (306/306)
Added initial screened field value.
Metadata Update from @nkinder:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.2.11.7
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/396
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)