Issue #49014: ns-accountstatus.pl shows wrong status for accounts inactivated by Account policy plugin - 389-ds-base

389-ds-base

#49014 ns-accountstatus.pl shows wrong status for accounts inactivated by Account policy plugin

Closed: wontfix None Opened 7 years ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1379824

Description of problem: The output of ns-accountstatus.pl script is misleading.
Checking whether account is active/inactive for users which are inactivated by
account policy plugin, it shows account is activated.


Version-Release number of selected component (if applicable):
389-ds-base-1.3.5.10-11


How reproducible: Consistently with 389-ds-base-1.3.5 versions


Steps to Reproduce:
1. Install 389-ds-base-1.3.5.10-11 on RHEL7.3 machines.
2. Create an instance and configure global account policy plugin.

[root@ratangad ]# PORT=3989 ; ldapmodify -D "cn=Directory Manager" -w Secret123
-h localhost -p $PORT -x  -vf /export/Backups/AccountPolicy/Global.ldif

[root@ratangad ]# cat /export/Backups/AccountPolicy/Global.ldif
dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: alwaysrecordlogin
alwaysrecordlogin: yes
-
replace: stateattrname
stateattrname: lastLoginTime
-
replace: altstateattrname
altstateattrname: createTimestamp
-
replace: specattrname
specattrname: acctPolicySubentry
-
replace: limitattrname
limitattrname: accountInactivityLimit
-
replace: accountInactivityLimit
accountInactivityLimit: 120

3. Add few entries to the suffix, dc=example,dc=com

4. Wait for 120 secs and check if account is inactivated.
[root@ratangad slapd-M1]# PORT=3989 ;
USER3="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; ns-accountstatus.pl -D
"cn=Directory Manager" -w Secret123 -h localhost -p $PORT  -Z newinst3 -I
$USER3 -b $USER3 -f objectclass=*
uid=Anewnew1,ou=Testing,dc=test_accpol,dc=com - activated.

5. Check if the user is active by binding.
[ root@ratangad slapd-M1]#  PORT=3989;
USER="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; /usr/bin/ldapsearch -x -p
$PORT -h localhost -D "$USER" -w Secret123 -b "$USER"
ldap_bind: Constraint violation (19)
        additional info: Account inactivity limit exceeded. Contact system
administrator to reset.

Actual results: ns-accountstatus.pl shows wrong status for inactive users.


Expected results: It should print the correct status of user accounts.


Additional info:

There are test failures from account inactivity reliability tests, which we
didn't observe with 389-ds-base-1.3.4.0 builds.

RHEL73 - wiki-old.idm.lab.bos.redhat.com/qa/archive/beaker/RHDS/RHEL73/389-ds-b
ase-1.3.5.10-11.el7.x86_64/Tier2/output/Linux/20160914-140158/accountinact/reli
ability/accountinact_reliab.run.out.4592
RHEL72 - http://wiki-old.idm.lab.bos.redhat.com/qa/archive/beaker/x86_64/389-ds
-base-1.3.4.0-23.el7_2.x86_64/output/Linux/20160113-045003/accountinact/reliabi
lity/accountinact_reliab.run.out.4634


[root@ratangad slapd-M1]# PORT=3989 ;
USER3="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; ns-activate.pl -D
"cn=Directory Manager" -w Secret123 -h localhost -p $PORT  -Z newinst3 -I
$USER3
uid=Anewnew1,ou=testing,dc=test_accpol,dc=com already activated.

[root@ratangad slapd-M1]# PORT=3989 ;
USER3="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; ns-inactivate.pl -D
"cn=Directory Manager" -w Secret123 -h localhost -p $PORT  -Z newinst3 -I
$USER3
uid=Anewnew1,ou=testing,dc=test_accpol,dc=com inactivated.

[root@ratangad slapd-M1]# PORT=3989 ;
USER3="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; ns-accountstatus.pl -D
"cn=Directory Manager" -w Secret123 -h localhost -p $PORT  -Z newinst3 -I
$USER3 -b $USER3 -f objectclass=*
uid=Anewnew1,ou=Testing,dc=test_accpol,dc=com - inactivated (directly locked).

mreynolds commented 7 years ago

attachment
0001-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch

mreynolds commented 7 years ago

3a5cc4d..2e494bc master -> master
commit 2e494bc
Author: Mark Reynolds mreynolds@redhat.com
Date: Thu Oct 20 12:38:49 2016 -0400

99a34b4..1c6b1c9 389-ds-base-1.3.5 -> 389-ds-base-1.3.5
commit 1c6b1c9

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.5 backlog

7 years ago

spichugi commented 3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2073

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago

Metadata

Assignee

mreynolds

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

1.3.5 backlog

reviewstatus

ack

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1379824

origin

389-ds-base

Source Code

#49014 ns-accountstatus.pl shows wrong status for accounts inactivated by Account policy plugin Closed: wontfix None Opened 7 years ago by mreynolds.

Metadata

#49014 ns-accountstatus.pl shows wrong status for accounts inactivated by Account policy plugin

Closed: wontfix None Opened 7 years ago by mreynolds.