Bug 24185 – Account deactivation is set wrong when setting Account expiry date

Bug 24185 - Account deactivation is set wrong when setting Account expiry date


Summary:	Account deactivation is set wrong when setting Account expiry date

Status:	RESOLVED DUPLICATE of bug 39817

Product:	UCS
Classification:	Unclassified
Component:	UMC - Users
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UMC maintainers
QA Contact:

URL:
Keywords:

Depends on:
Blocks:	45467
	Show dependency tree / graph

Reported:	2011-10-25 13:35 CEST by Felix Botner
Modified:	2018-04-13 13:30 CEST (History)
CC List:	4 users (show)

See Also:	36747 42913 45842
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.114
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2011-10-25 13:35:59 CEST

Ich habe einen Benutzer für den die Konto-Deaktivierung auf "Alle deaktiviert" steht (disabled: all). Wenn ich nun ein (vorhandenes) Kontoablauf-Datum ändere, wird die Konto-Deaktivierung automatisch auf "Windows and Kerberos disabled" gesetzt (disabled: windows_kerberos).

Comment 1 Philipp Hahn

2014-11-17 14:09:54 CET

Still applies to UCS-4.0.
Might be relevant for Bug #36747.

Comment 2 Florian Best

2017-02-18 04:49:17 CET

*** Bug 33394 has been marked as a duplicate of this bug. ***

Comment 3 Stefan Gohmann

2017-06-16 20:40:44 CEST

This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.

Comment 4 Florian Best

2017-08-30 10:54:11 CEST


*** This bug has been marked as a duplicate of bug 45287 ***

Comment 5 Florian Best

2017-09-26 18:21:01 CEST

Not a exact duplicate but similar.

Comment 6 Florian Best

2017-09-26 18:26:17 CEST

root@master:~# udm users/user create --set username=bug24185 --set lastname=foo --set password=univention                                                                                                                                                                        
Object created: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 1.ldif
root@master:~# udm users/user modify --dn uid=bug24185,dc=school,dc=local --set disabled=all --set userexpiry=2017-10-10                                                                                                                                                         
Object modified: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 2.ldif                                                                                                                                                                                                 
root@master:~# udm users/user list --position uid=bug24185,dc=school,dc=local | grep -e disabled -e userexpiry                                                                                                                                                                   
  disabled: windows_kerberos
  userexpiry: 2017-10-10
root@master:~# ldiff 1.ldif 2.ldif 
dn: uid=bug24185,dc=school,dc=local
+shadowExpire: 17449
+sambaKickoffTime: 1507586400
+sambaAcctFlags: [UD         ]
-sambaAcctFlags: [U          ]
+krb5ValidEnd: 20171010000000Z
+krb5KDCFlags: 254
-krb5KDCFlags: 126
root@master:~# udm users/user modify --dn uid=bug24185,dc=school,dc=local --set disabled=all
Object modified: uid=bug24185,dc=school,dc=local
root@master:~# univention-ldapsearch -b uid=bug24185,dc=school,dc=local > 3.ldif                                                                                                                                                                                                 
root@master:~# udm users/user list --position uid=bug24185,dc=school,dc=local | grep -e disabled -e userexpiry                                                                                                                                                         
  disabled: all
  userexpiry: 2017-10-10
root@master:~# ldiff 2.ldif 3.ldif 
dn: uid=bug24185,dc=school,dc=local
-shadowExpire: 17449
+shadowExpire: 1

Comment 7 Florian Best

2017-09-26 19:06:29 CEST

The code is the following:
https://git.knut.univention.de/univention/ucs/blob/4.2-2/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py#L2290

If userexpiry is set then shadowExpire is set to that date. This is imho also correct behavior.

Maybe we could instead check if the set date in shadowExpire is in the past and append posix to "disabled" in that case. Then the displaying in UMC is at least correct if the user account is already expired.

Comment 8 Florian Best

2017-09-26 19:08:05 CEST

(In reply to Florian Best from comment #7)
> Maybe we could instead check if the set date in shadowExpire is in the past
> and append posix to "disabled" in that case. Then the displaying in UMC is
> at least correct if the user account is already expired.
Hmm, this seems to be already the case?!:
open():
1607 »   »   »   »   if shadowExpire == '1' or (shadowExpire < int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or self._is_windows_disabled())):
1608 »   »   »   »   »   self.__add_disabled('posix')

Comment 9 Philipp Hahn

2017-09-27 08:47:43 CEST

(In reply to Florian Best from comment #8)
> Hmm, this seems to be already the case?!:
> open():
> 1607 »   »   »   »   if shadowExpire == '1' or (shadowExpire <
> int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or
> self._is_windows_disabled())):
> 1608 »   »   »   »   »   self.__add_disabled('posix')

I would have expected something like this:
_is_kerberos_disabled() -> self._add_disabled('kerberos')?
_is_windows_disbaled() -> self._add_disabled('windows')?

(In reply to Florian Best from comment #7)
> Maybe we could instead check if the set date in shadowExpire is in the past
> and append posix to "disabled" in that case.

I would name it "expired" if now() > shadowExpire, as that makes it clearer, that the account expired (automatically) through the set expiry date, rather then being disabled manually by the admin .

Comment 10 Florian Best

2017-10-06 11:29:07 CEST

(In reply to Philipp Hahn from comment #9)
> (In reply to Florian Best from comment #8)
> > Hmm, this seems to be already the case?!:
> > open():
> > 1607 »   »   »   »   if shadowExpire == '1' or (shadowExpire <
> > int(time.time() / 3600 / 24) and (self._is_kerberos_disabled() or
> > self._is_windows_disabled())):
> > 1608 »   »   »   »   »   self.__add_disabled('posix')
> 
> I would have expected something like this:
> _is_kerberos_disabled() -> self._add_disabled('kerberos')?
> _is_windows_disbaled() -> self._add_disabled('windows')?
Well, this is already done, too:
  1587 »   »   »   »   »   »   if acctFlags['D'] == 1:
  1588 »   »   »   »   »   »   »   self.__add_disabled('windows')

  1602 »   »   »   »   if kdcflags == '254':
  1603 »   »   »   »   »   self.__add_disabled('kerberos')

Comment 11 Florian Best

2018-01-31 15:16:06 CET


*** This bug has been marked as a duplicate of bug 39817 ***