#3110 Access denied after activating user in 389ds
Closed: Fixed None Opened 5 years ago by lslebodn.

Reproducer:

  • sssd connected to 389ds
  • create lockuser in LDAP
  • assign a "managed role to user"

        dn: uid=lockuser,ou=people,dc=example,dc=com
        changetype: modify
        add: nsRoleDN
        nsRoleDN: cn=managed,ou=people,dc=example,dc=com
    
  • authenticate with lockuser //should PASS

  • inactivate users on LDAP server

    ns-inactivate.pl -D "cn=Manager,dc=example,dc=com" -W -p 389 -h $SERVER -I cn=managed,ou=people,dc=example,dc=com"

  • authenticate with lockuser // should be denied

  • activate users in LDAP server

    ns-activate.pl -D "cn=Manager,dc=example,dc=com" -W -p 389 -h $SERVER -I cn=managed,ou=people,dc=example,dc=com"

  • authenticate with lockuser

Expected result:

  • The user lockuser should be able to authenticate

Current result:

  • The user lockuser is still locked

sssd.conf:

    [sssd]
    services = nss, pam
    domains = LDAP

    [nss]

    [pam]

    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://$SERVER
    ldap_search_base = dc=example,dc=com
    ldap_tls_cacert = /etc/openldap/certs/cacert.asc

Fields changed

owner: somebody => lslebodn

After a small debugging and discussion with 389ds developers I found a reason.

Enabling and disabling user just changes the virtual attribute nsaccountlock. However virtual attributes are computed and not stored therefore modifyTimestamp is not changed for the user therefore sssd does not detected unlocking of user.

I think we need to special-case operational and virtual attributes, then. Do you have a setup I can use for testing?

I have a POC patch as well. But the question is which attributes to we need to special case. I doubt there is a way how to detect virtual attributes from LDAP server.
Maybe in schema but it would bot be very portable.

Yes, I was wondering actually whether we want to use the modifyTimestamp after all for positive detection as well (=if the timestamp is the same, consider the entry non-changed and go on) or if we only want to use it for detecting changes (=if the timestamp is different, change the entry, if it's not different, go on and try to compare the attributes).

It would be better to discuss on mailing list :-)

Fields changed

patch: 0 => 1
status: new => assigned

Fields changed

rhbz: => todo

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14.1

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: todo => 0

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.14.1

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4143

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata