assign a "managed role to user"
authenticate with lockuser //should PASS
inactivate users on LDAP server
ns-inactivate.pl -D "cn=Manager,dc=example,dc=com" -W -p 389 -h $SERVER -I "cn=managed,ou=people,dc=example,dc=com"
authenticate with lockuser // should be denied
activate users in LDAP server
ns-activate.pl -D "cn=Manager,dc=example,dc=com" -W -p 389 -h $SERVER -I "cn=managed,ou=people,dc=example,dc=com"
authenticate with lockuser
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://$SERVER
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
owner: somebody => lslebodn
After a little debugging and a discussion with the 389ds developers, I found the reason.
Enabling and disabling a user just changes the virtual attribute nsaccountlock. However, virtual attributes are computed and not stored; therefore modifyTimestamp is not changed for the user, and therefore sssd does not detect the unlocking of the user.
I think we need to special-case operational and virtual attributes, then. Do you have a setup I can use for testing?
I have a POC patch as well. But the question is which attributes we need to special-case. I doubt there is a way to detect virtual attributes from the LDAP server.
Maybe in the schema, but it would not be very portable.
Yes, I was wondering actually whether we want to use the modifyTimestamp after all for positive detection as well (=if the timestamp is the same, consider the entry non-changed and go on) or if we only want to use it for detecting changes (=if the timestamp is different, change the entry, if it's not different, go on and try to compare the attributes).
It would be better to discuss on mailing list :-)
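The two ways of using modifyTimestamp discussed in the comments above, as an added Python illustration; it is not SSSD code and not the POC patch mentioned in the ticket. The function names and the sample entries are constructed, and it assumes the activated entry no longer returns nsaccountlock while its modifyTimestamp stays the same.

```python
# Added illustration: hypothetical names, not SSSD's implementation.
TIMESTAMP = "modifyTimestamp"


def changed_attrs(cached, fetched):
    """Names of attributes whose values differ, ignoring the timestamp itself."""
    keys = (set(cached) | set(fetched)) - {TIMESTAMP}
    return sorted(k for k in keys if cached.get(k) != fetched.get(k))


def needs_update_timestamp_only(cached, fetched):
    """Equal modifyTimestamp is taken as proof that the entry is unchanged."""
    return cached.get(TIMESTAMP) != fetched.get(TIMESTAMP)


def needs_update_with_fallback(cached, fetched):
    """A different timestamp means changed; an equal one is not trusted,
    so the remaining attributes (virtual ones included) are compared."""
    if cached.get(TIMESTAMP) != fetched.get(TIMESTAMP):
        return True
    return bool(changed_attrs(cached, fetched))


# Constructed cache entry, stored while the managed role was inactivated.
CACHED_LOCKED = {
    "uid": ["lockuser"],
    "modifyTimestamp": ["20160601120000Z"],
    "nsaccountlock": ["true"],
}

# Constructed server answer after activation: the computed lock attribute
# is gone, but nothing was written to the entry, so the timestamp is equal.
FETCHED_UNLOCKED = {
    "uid": ["lockuser"],
    "modifyTimestamp": ["20160601120000Z"],
}

if __name__ == "__main__":
    print("timestamp only :", needs_update_timestamp_only(CACHED_LOCKED, FETCHED_UNLOCKED))
    print("with fallback  :", needs_update_with_fallback(CACHED_LOCKED, FETCHED_UNLOCKED))
    print("differing attrs:", changed_attrs(CACHED_LOCKED, FETCHED_UNLOCKED))
```

With the timestamp-only check the cached entry keeps its lock, so the user stays denied after activation; the fallback comparison picks up the nsaccountlock difference.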
patch: 0 => 1
status: new => assigned
rhbz: => todo
milestone: NEEDS_TRIAGE => SSSD 1.14.1
resolution: => fixed
status: assigned => closed
rhbz: todo => 0
Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.14.1