Bug 35013 - Make account-lockout-threshold configurable via UMC
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 enhancement
Assigned To: Samba maintainers
Reported: 2014-05-30 08:28 CEST by Stefan Gohmann
Modified: 2020-07-03 20:54 CEST
What kind of report is it?: Feature Request
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.023
requate: Patch_Available+


Attachments
s4connector_sync_lockoutThreshold.patch (1.59 KB, patch)
2018-02-21 20:51 CET, Arvid Requate
Description Stefan Gohmann univentionstaff 2014-05-30 08:28:40 CEST
The account lockout domain setting can only be configured via samba-tool: 
 samba-tool domain passwordsettings set --account-lockout-threshold=2

This setting should be added to UMC (UDM: settings/sambadomain).
Comment 1 Arvid Requate univentionstaff 2014-10-30 18:10:50 CET
It should also be possible to set the attribute "lockoutThreshold" on the domain base.
Comment 2 Arvid Requate univentionstaff 2017-01-18 18:52:58 CET
See also Bug 31907
Comment 3 Arvid Requate univentionstaff 2017-01-18 18:56:47 CET
Wrong Bug number, I meant to refer to Bug 35809.
Comment 4 Arvid Requate univentionstaff 2017-09-18 16:20:50 CEST
udm settings/sambadomain has "badLockoutAttempts", which is backed by LDAP attribute sambaLockoutThreshold:

udm settings/sambadomain modify \
 --dn sambaDomainName=AR41I1,cn=samba,dc=ar41i1,dc=qa \
 --set badLockoutAttempts=5


So, the dc.py in univention-s4-connector needs to be extended to also sync the OpenLDAP attribute sambaLockoutThreshold to the AD attribute lockoutThreshold.
Comment 5 Arvid Requate univentionstaff 2018-02-21 20:51:25 CET
Created attachment 9413
s4connector_sync_lockoutThreshold.patch

The attached simple patch should fix this.

The third parameter in this context requires a little bit more work:

* resetCountMinutes / sambaLockoutObservationWindow / lockOutObservationWindow
  -> UDM syntax is integer, that should be changed to UNIX_TimeInterval,
     because it's a time interval in Active Directory too
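
Added example, not part of the original comments or of univention-s4-connector: a drift check for the two settings discussed above, showing that the threshold maps as a plain integer while the observation window needs a unit conversion. It assumes the OpenLDAP value is in minutes (as the UDM name resetCountMinutes suggests) and that attribute values are supplied as dicts, e.g. parsed from directory search output; the function names and sample values are hypothetical.

```python
# Added example: compares lockout settings on the OpenLDAP sambaDomain object
# with the Samba/AD domain head. Nothing here talks to a directory.

TICKS_PER_MINUTE = 60 * 10_000_000  # AD intervals count 100-nanosecond units


def minutes_to_ad_interval(minutes):
    """AD stores relative intervals as negative 100-ns tick counts."""
    return -int(minutes) * TICKS_PER_MINUTE


def ad_interval_to_minutes(ticks):
    """Inverse of minutes_to_ad_interval, for reporting in readable units."""
    return -int(ticks) // TICKS_PER_MINUTE


# (OpenLDAP attribute, AD attribute, converter from OpenLDAP to AD form)
# Assumption: the OpenLDAP observation window is stored in minutes.
MAPPING = [
    ("sambaLockoutThreshold", "lockoutThreshold", int),
    ("sambaLockoutObservationWindow", "lockOutObservationWindow",
     minutes_to_ad_interval),
]


def lockout_drift(openldap_attrs, ad_attrs):
    """Return (ad_attribute, expected, actual) for every mismatch."""
    drift = []
    for ol_name, ad_name, convert in MAPPING:
        if ol_name not in openldap_attrs:
            continue  # not set on the OpenLDAP side: nothing to compare
        expected = convert(openldap_attrs[ol_name])
        raw = ad_attrs.get(ad_name)
        actual = int(raw) if raw is not None else None
        if actual != expected:
            drift.append((ad_name, expected, actual))
    return drift


# Constructed sample values: UDM says 5 attempts, AD still has lockout off.
SAMPLE_OPENLDAP = {"sambaLockoutThreshold": "5",
                   "sambaLockoutObservationWindow": "30"}
SAMPLE_AD = {"lockoutThreshold": "0",
             "lockOutObservationWindow": "-18000000000"}

if __name__ == "__main__":
    for attr, expected, actual in lockout_drift(SAMPLE_OPENLDAP, SAMPLE_AD):
        print(f"{attr}: AD has {actual}, OpenLDAP implies {expected}")
```

A threshold of 0 on the AD side means lockout is disabled there, so a non-empty result for lockoutThreshold indicates the policy set in UDM is not being enforced by Samba.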
Comment 6 Ingo Steuwer univentionstaff 2020-07-03 20:54:09 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.