Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1379824
Description of problem:
The output of the ns-accountstatus.pl script is misleading. When checking whether an account is active/inactive for users who are inactivated by the account policy plugin, it shows the account is activated.

Version-Release number of selected component (if applicable):
389-ds-base-1.3.5.10-11

How reproducible:
Consistently with 389-ds-base-1.3.5 versions

Steps to Reproduce:
1. Install 389-ds-base-1.3.5.10-11 on RHEL7.3 machines.
2. Create an instance and configure the global account policy plugin.

    [root@ratangad ]# PORT=3989 ; ldapmodify -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -x -vf /export/Backups/AccountPolicy/Global.ldif

    [root@ratangad ]# cat /export/Backups/AccountPolicy/Global.ldif
    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
    -
    replace: nsslapd-pluginarg0
    nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

    dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: alwaysrecordlogin
    alwaysrecordlogin: yes
    -
    replace: stateattrname
    stateattrname: lastLoginTime
    -
    replace: altstateattrname
    altstateattrname: createTimestamp
    -
    replace: specattrname
    specattrname: acctPolicySubentry
    -
    replace: limitattrname
    limitattrname: accountInactivityLimit
    -
    replace: accountInactivityLimit
    accountInactivityLimit: 120

3. Add a few entries to the suffix, dc=example,dc=com
4. Wait for 120 secs and check if the account is inactivated.

    [root@ratangad slapd-M1]# PORT=3989 ; USER3="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; ns-accountstatus.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z newinst3 -I $USER3 -b $USER3 -f objectclass=*
    uid=Anewnew1,ou=Testing,dc=test_accpol,dc=com - activated.

5. Check if the user is active by binding.

    [root@ratangad slapd-M1]# PORT=3989; USER="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; /usr/bin/ldapsearch -x -p $PORT -h localhost -D "$USER" -w Secret123 -b "$USER"
    ldap_bind: Constraint violation (19)
            additional info: Account inactivity limit exceeded. Contact system administrator to reset.

Actual results:
ns-accountstatus.pl shows the wrong status for inactive users.

Expected results:
It should print the correct status of user accounts.

Additional info:
There are test failures from account inactivity reliability tests, which we didn't observe with 389-ds-base-1.3.4.0 builds.

RHEL73 - wiki-old.idm.lab.bos.redhat.com/qa/archive/beaker/RHDS/RHEL73/389-ds-base-1.3.5.10-11.el7.x86_64/Tier2/output/Linux/20160914-140158/accountinact/reliability/accountinact_reliab.run.out.4592
RHEL72 - http://wiki-old.idm.lab.bos.redhat.com/qa/archive/beaker/x86_64/389-ds-base-1.3.4.0-23.el7_2.x86_64/output/Linux/20160113-045003/accountinact/reliability/accountinact_reliab.run.out.4634

    [root@ratangad slapd-M1]# PORT=3989 ; USER3="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; ns-activate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z newinst3 -I $USER3
    uid=Anewnew1,ou=testing,dc=test_accpol,dc=com already activated.

    [root@ratangad slapd-M1]# PORT=3989 ; USER3="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; ns-inactivate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z newinst3 -I $USER3
    uid=Anewnew1,ou=testing,dc=test_accpol,dc=com inactivated.

    [root@ratangad slapd-M1]# PORT=3989 ; USER3="uid=Anewnew1,ou=testing,dc=test_accpol,dc=com"; ns-accountstatus.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z newinst3 -I $USER3 -b $USER3 -f objectclass=*
    uid=Anewnew1,ou=Testing,dc=test_accpol,dc=com - inactivated (directly locked).
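The mismatch reported above, as an added example that is not part of the original ticket or of the 389-ds-base code: a status check that looks at both the direct lock and the inactivity limit, using the attribute names and the 120-second limit from the ticket's Global.ldif. The sample entries, the "idle longer than the limit" comparison, and the wording of the inactivity status string are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Attribute names and limit taken from the Global.ldif shown in the ticket.
STATE_ATTR = "lastLoginTime"        # stateattrname
ALT_STATE_ATTR = "createTimestamp"  # altstateattrname
INACTIVITY_LIMIT = 120              # accountInactivityLimit, in seconds


def parse_gtime(value):
    """Parse an LDAP GeneralizedTime value of the form YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_status(entry, now, limit=INACTIVITY_LIMIT):
    """Return a status string for an entry given as {attribute: [values]}.

    A status tool that only tests nsAccountLock reports "activated" for an
    account the server already refuses to bind; this also tests inactivity.
    """
    attrs = {name.lower(): values for name, values in entry.items()}
    # Direct lock, as set by ns-inactivate.pl in the ticket.
    if attrs.get("nsaccountlock", ["false"])[0].lower() == "true":
        return "inactivated (directly locked)"
    # Inactivity: state attribute first, alternate attribute as fallback.
    stamp = attrs.get(STATE_ATTR.lower()) or attrs.get(ALT_STATE_ATTR.lower())
    if stamp:
        idle = (now - parse_gtime(stamp[0])).total_seconds()
        if idle > limit:  # assumed comparison: idle longer than the limit
            return "inactivated (inactivity limit exceeded)"  # hypothetical wording
    return "activated"


# Constructed sample entries (not taken from the ticket's directory).
NOW = parse_gtime("20160914140500Z")
NEVER_LOGGED_IN = {"createTimestamp": ["20160914140158Z"]}
RECENT_LOGIN = {"createTimestamp": ["20160101000000Z"],
                "lastLoginTime": ["20160914140400Z"]}
LOCKED = {"nsAccountLock": ["true"], "lastLoginTime": ["20160914140459Z"]}

if __name__ == "__main__":
    for name, entry in (("never logged in", NEVER_LOGGED_IN),
                        ("recent login", RECENT_LOGIN),
                        ("locked", LOCKED)):
        print(f"{name}: {account_status(entry, NOW)}")
```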
attachment 0001-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch
3a5cc4d..2e494bc master -> master
commit 2e494bc
Author: Mark Reynolds mreynolds@redhat.com
Date: Thu Oct 20 12:38:49 2016 -0400

99a34b4..1c6b1c9 389-ds-base-1.3.5 -> 389-ds-base-1.3.5
commit 1c6b1c9
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 1.3.5 backlog
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2073
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)