Univention Bugzilla – Bug 24185
Account deactivation is set wrong when setting Account expiry date
Last modified: 2018-04-13 13:30:16 CEST
I have a user for whom the account deactivation is set to "All disabled" (disabled: all). If I now change an (existing) account expiry date, the account deactivation is automatically set to "Windows and Kerberos disabled" (disabled: windows_kerberos).
Still applies to UCS-4.0. Might be relevant for Bug #36747.
*** Bug 33394 has been marked as a duplicate of this bug. ***
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
*** This bug has been marked as a duplicate of bug 45287 ***
Not an exact duplicate but similar.
root@master:~# udm users/user create --set username=bug24185 --set lastname=foo --set password=univention
Object created: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 1.ldif
root@master:~# udm users/user modify --dn uid=bug24185,dc=school,dc=local --set disabled=all --set userexpiry=2017-10-10
Object modified: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 2.ldif
root@master:~# udm users/user list --position uid=bug24185,dc=school,dc=local | grep -e disabled -e userexpiry
disabled: windows_kerberos
userexpiry: 2017-10-10
root@master:~# ldiff 1.ldif 2.ldif
dn: uid=bug24185,dc=school,dc=local
+shadowExpire: 17449
+sambaKickoffTime: 1507586400
+sambaAcctFlags: [UD ]
-sambaAcctFlags: [U ]
+krb5ValidEnd: 20171010000000Z
+krb5KDCFlags: 254
-krb5KDCFlags: 126
root@master:~# udm users/user modify --dn uid=bug24185,dc=school,dc=local --set disabled=all
Object modified: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 3.ldif
root@master:~# udm users/user list --position uid=bug24185,dc=school,dc=local | grep -e disabled -e userexpiry
disabled: all
userexpiry: 2017-10-10
root@master:~# ldiff 2.ldif 3.ldif
dn: uid=bug24185,dc=school,dc=local
-shadowExpire: 17449
+shadowExpire: 1
The code is the following:
https://git.knut.univention.de/univention/ucs/blob/4.2-2/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py#L2290

If userexpiry is set then shadowExpire is set to that date. This is imho also correct behavior.

Maybe we could instead check if the set date in shadowExpire is in the past and append posix to "disabled" in that case. Then the displaying in UMC is at least correct if the user account is already expired.
(In reply to Florian Best from comment #7)
> Maybe we could instead check if the set date in shadowExpire is in the past
> and append posix to "disabled" in that case. Then the displaying in UMC is
> at least correct if the user account is already expired.

Hmm, this seems to be already the case?!:
open():
    if shadowExpire == '1' or (shadowExpire < int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or self._is_windows_disabled())):
        self.__add_disabled('posix')
(In reply to Florian Best from comment #8)
> Hmm, this seems to be already the case?!:
> open():
>     if shadowExpire == '1' or (shadowExpire < int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or self._is_windows_disabled())):
>         self.__add_disabled('posix')

I would have expected something like this:
_is_kerberos_disabled() -> self._add_disabled('kerberos')?
_is_windows_disabled() -> self._add_disabled('windows')?

(In reply to Florian Best from comment #7)
> Maybe we could instead check if the set date in shadowExpire is in the past
> and append posix to "disabled" in that case.

I would name it "expired" if now() > shadowExpire, as that makes it clearer that the account expired (automatically) through the set expiry date, rather than being disabled manually by the admin.
(In reply to Philipp Hahn from comment #9)
> (In reply to Florian Best from comment #8)
> > Hmm, this seems to be already the case?!:
> > open():
> >     if shadowExpire == '1' or (shadowExpire < int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or self._is_windows_disabled())):
> >         self.__add_disabled('posix')
>
> I would have expected something like this:
> _is_kerberos_disabled() -> self._add_disabled('kerberos')?
> _is_windows_disabled() -> self._add_disabled('windows')?

Well, this is already done, too:
    if acctFlags['D'] == 1:
        self.__add_disabled('windows')

    if kdcflags == '254':
        self.__add_disabled('kerberos')
*** This bug has been marked as a duplicate of bug 39817 ***
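The following is an added example, not code from UCS or from any commenter in this report. It re-implements the three checks quoted in the comments above as a standalone function and runs them over the attribute values from the ldiff output, showing why the account reads as windows_kerberos while shadowExpire is still in the future. The function names, the flag parsing by substring, the label ordering and the "none" label are assumptions.

```python
import time

SERVICES = ("windows", "posix", "kerberos")  # label order is an assumption

def derive_disabled(attrs, now=None):
    """Services that count as disabled for one user's LDAP attributes (str values)."""
    today = int((time.time() if now is None else now) / 3600 / 24)
    disabled = set()
    # sambaAcctFlags looks like "[UD ]"; a D inside the brackets disables Windows logins
    if "D" in attrs.get("sambaAcctFlags", "").strip("[]"):
        disabled.add("windows")
    if attrs.get("krb5KDCFlags") == "254":
        disabled.add("kerberos")
    shadow = attrs.get("shadowExpire")
    # Same condition as the quoted open() check, with an explicit int() conversion;
    # at this point `disabled` can only hold windows and/or kerberos
    if shadow is not None and (shadow == "1" or (int(shadow) < today and disabled)):
        disabled.add("posix")
    return disabled

def disabled_label(disabled):
    """UDM-style label; only 'all' and 'windows_kerberos' are confirmed by the page."""
    if disabled == set(SERVICES):
        return "all"
    return "_".join(s for s in SERVICES if s in disabled) or "none"

def posix_left_enabled(attrs, now=None):
    """Audit check: Windows and Kerberos are locked but POSIX logins still work."""
    return derive_disabled(attrs, now) == {"windows", "kerberos"}

# Attribute values copied from the ldiff output in the report
AFTER_CREATE = {"sambaAcctFlags": "[U ]", "krb5KDCFlags": "126"}
AFTER_EXPIRY_SET = {"sambaAcctFlags": "[UD ]", "krb5KDCFlags": "254",
                    "shadowExpire": "17449"}
AFTER_DISABLE_ALL = dict(AFTER_EXPIRY_SET, shadowExpire="1")

if __name__ == "__main__":
    before = 17400 * 86400  # constructed clock: 49 days before shadowExpire 17449
    after = 17500 * 86400   # constructed clock: 51 days after it
    for name, attrs, now in [("created", AFTER_CREATE, before),
                             ("disabled=all + userexpiry", AFTER_EXPIRY_SET, before),
                             ("same entry after expiry", AFTER_EXPIRY_SET, after),
                             ("disabled=all again", AFTER_DISABLE_ALL, before)]:
        print(name, "->", disabled_label(derive_disabled(attrs, now)),
              "| posix left enabled:", posix_left_enabled(attrs, now))
```

Running `posix_left_enabled` over exported user entries flags accounts an administrator set to "all" whose POSIX login stays usable until the expiry date passes.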