Ticket #396 (closed defect: fixed)

Opened 22 months ago

Last modified 22 months ago

Account Usability Control Not Working

Reported by: nkinder
Owned by: nhosoi
Priority: major
Milestone: 1.2.11.7
Component: Directory Server
Version:
Keywords:
Cc:
Blocked By:
Blocking:
Review: ack
Ticket origin:
Red Hat Bugzilla: 835238

Description

https://bugzilla.redhat.com/show_bug.cgi?id=835238 (Red Hat Enterprise Linux 6)

Description of problem: Account Usability Control fails to give relevant error
messages for the password expired/account locked users.


Version-Release number of selected component (if applicable):
389-ds-base-1.2.11


How reproducible: Consistently


Steps to Reproduce:
1. Install the latest 389-ds-base.
2. Configure the global password policy. Use pwpol.ldif.
3. Create a few user accounts and wait until the account password has expired.
4. Bind as a normal user with an invalid password and lock the account.
5. Run ldapsearch (use the OpenDS clients) as the Directory Manager user with the -J option
and the Account Usable Control, and check whether you get the right error
message.

OpenDS client libraries are available in TET.
https://svn.devel.redhat.com/repos/DStetframework/trunk/data/DS/6.0/clients

cat pwpol.ldif
dn: cn=config
changetype: modify
replace: passwordexp
passwordexp: on
-
replace: passwordhistory
passwordhistory: on
-
replace: passwordlockout
passwordlockout: on
-
replace: passwordlockoutduration
passwordlockoutduration: 600
-
replace: passwordmaxage
passwordmaxage: 300
-
replace: passwordmaxfailure
passwordmaxfailure: 3
-
replace: passwordminage
passwordminage: 0
-
replace: passwordresetfailurecount
passwordresetfailurecount: 60
-
replace: passwordunlock
passwordunlock: on
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA
-
replace: passwordwarning
passwordwarning: 180

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h
localhost -D "uid=accusbnewa9,ou=people,dc=passwordexp,dc=com" -w Secret123 -b
"cn=config" objectclass=*
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
Additional Information:  password expired!
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D
"cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b
"uid=accusbnewa9,ou=People,dc=passwordexp,dc=com"  -s sub -J
"accountusability:true" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

--------
[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch --version
OpenDS Directory Server 2.3.0-build003
Build 20100611154447Z
--
           Name                 Build number         Revision number
Extension: snmp-mib2605         2.3.0-build003       6500
--------
PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123
-p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com"  -s
sub -J "1.3.6.1.4.1.42.2.27.9.5.8" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com
--------

Hence, marking the status as "ASSIGNED".

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h
localhost -D "uid=accusblockusr9,ou=people,dc=passwordexp,dc=com" -w Secret1234
-b "cn=config" objectclass=*
The simple bind attempt failed
Result Code:  19 (Constraint Violation)
Additional Information:  Exceed password retry limit. Please try later.
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D
"cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b
"uid=accusblockusr9,ou=People,dc=passwordexp,dc=com"  -s sub -J
"accountusability:true" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusblockusr9,ou=People,dc=passwordexp,dc=com
--------

Result: FAIL - Account Usability Response Control fails to produce useful
information about the user account. A similar result is observed with
the "ldapsearch.pl" script provided in TET.

Actual results: The Account Usable Control feature is not working.


Expected results: It should work as expected. It should give proper error
messages for the ldapsearch.
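The response control the reporter inspects (printed by the OpenDS client as "# Account Usability Response Control") is a BER-encoded value. The decoder below is an added example, not code from the ticket or from 389-ds-base, and assumes the tagging of draft-ietf-ldapext-acctusability: is_available [0] INTEGER (seconds before expiration) or is_not_available [1] SEQUENCE of inactive/reset/expired/remaining_grace/seconds_before_unlock. The sample control values are constructed; the consistency check compares the decoded state with the bind result codes seen above (49 for the expired password, 19 for the locked account), which is the check a verifier of this fix would run after the ldapsearch step.

```python
# Added example (not from the ticket or 389-ds-base): decode the Account
# Usability Response control value and compare it with the user's own bind
# result. Tagging assumed from draft-ietf-ldapext-acctusability.

def _read_tlv(buf, pos=0):
    """Read one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_account_usability(value):
    """Decode the control value into a dict describing the account state."""
    tag, body, _ = _read_tlv(value)
    if tag == 0x80:                        # is_available [0] INTEGER
        return {"usable": True,
                "seconds_before_expiration": int.from_bytes(body, "big", signed=True)}
    if tag != 0xA1:                        # is_not_available [1] SEQUENCE
        raise ValueError("unexpected outer tag 0x%02x" % tag)
    info = {"usable": False, "inactive": False, "reset": False, "expired": False}
    names = {0x80: "inactive", 0x81: "reset", 0x82: "expired",
             0x83: "remaining_grace", 0x84: "seconds_before_unlock"}
    pos = 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        # [0]..[2] are BOOLEANs, [3] and [4] are INTEGERs
        info[names[t]] = bool(v[0]) if t <= 0x82 else int.from_bytes(v, "big", signed=True)
    return info

def control_agrees_with_bind(decoded, bind_result_code):
    """The ticket's symptom: the control says usable while the user cannot bind
    (49 = invalidCredentials for an expired password, 19 = constraintViolation
    for a locked-out account). Return True when control and bind agree."""
    return decoded["usable"] == (bind_result_code == 0)

# Constructed sample values: usable with 120 s left; expired; locked for 600 s.
USABLE = bytes([0x80, 0x01, 0x78])
EXPIRED = bytes([0xA1, 0x03, 0x82, 0x01, 0xFF])
LOCKED = bytes([0xA1, 0x04, 0x84, 0x02, 0x02, 0x58])

if __name__ == "__main__":
    for name, ctl, rc in (("usable", USABLE, 0), ("expired", EXPIRED, 49), ("locked", LOCKED, 19)):
        state = decode_account_usability(ctl)
        print(name, state, "consistent" if control_agrees_with_bind(state, rc) else "MISMATCH")
```

A server exhibiting this bug would return the USABLE encoding for the expired and locked users, and the check reports MISMATCH against their result codes 49 and 19.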

Attachments

0001-Trac-Ticket-396-Account-Usability-Control-Not-Workin.patch (4.3 KB) - added by nhosoi 22 months ago.
git patch file (master)

Change History

Changed 22 months ago by nhosoi

git patch file (master)

comment:1 Changed 22 months ago by nhosoi

  • Review changed from Needs Review to review?

Fix Description: Commit 003812911f56619f0db58ba627037644fb0f68fb
broke the feature. This patch is backing off the change so that
get_entry accepts a NULL pblock, which is necessary for the
Account Usability plugin.

comment:2 Changed 22 months ago by nhosoi

  • Owner changed from rmeggins to nhosoi
  • Status changed from new to assigned

comment:3 Changed 22 months ago by rmeggins

  • Review changed from review? to ack

comment:4 Changed 22 months ago by nhosoi

  • Status changed from assigned to closed
  • Resolution set to fixed

Reviewed by Rich (Thank you!!!)

$ git merge acctusability
Updating 3779e92..b2a9269
Fast-forward

ldap/servers/slapd/pw.c | 15 +++++--------
ldap/servers/slapd/pw_retry.c | 42 +++++++++++++++++++++++-----------------
2 files changed, 30 insertions(+), 27 deletions(-)

Pushed to master.

$ git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.22 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git

3779e92..b2a9269 master -> master

comment:5 Changed 22 months ago by nhosoi

Steps to verify.

trunk Acceptance Password (pwdpolicy/pwpolicy)

[Pass/Fail?] breakdown

Test Name            PASS             FAIL   NORESULT
Password startup     100% (1/1)
password policy run  100% (306/306)

comment:6 Changed 22 months ago by nkinder

  • Milestone changed from 0.0 NEEDS_TRIAGE to 1.2.11.7

comment:7 Changed 20 months ago by nkinder

  • screened set to 1

Added initial screened field value.
