Bug 35329 - Allow comparison of shadowExpire in nis.schema
Allow comparison of shadowExpire in nis.schema
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-2-errata
Assigned To: Sönke Schwardt-Krummrich
Felix Botner
:
Depends on:
Blocks: 35088 35900
  Show dependency treegraph
 
Reported: 2014-07-09 21:09 CEST by Sönke Schwardt-Krummrich
Modified: 2016-09-05 09:46 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2014-07-09 21:09:13 CEST
For fixing Bug #35088 the LDAP server has to be able to compare/sort the numeric values of shadowExpire. To achieve this, the LDAP schema nis.schema in the package openldap has to be patched:

 attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch
+       ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )


+++ This bug was initially created as a clone of Bug #35088 +++

Currently a LDAP bind is possible if a user account has expired/reached the expiration date. This also affects 3rd party products which rely on LDAP bind as authentication method.

Possible solution:
A cronjob is looking for expired user accounts (*not* expired user passwords!) and disables at least the POSIX/LDAP login for these accounts.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2014-07-09 21:27:35 CEST
Patch for package openldap has been updated (new bug number); package openldap has been rebuilt; YAML file 2014-06-10-openldap.yaml has been updated.
→ FIXED
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2014-07-10 08:18:29 CEST
@QA: please verify that you are able to search for accounts that expired within a specific time range:

univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=16261))'

16250 ==> number of days since 1970-01-01
Comment 3 Felix Botner univentionstaff 2014-07-10 15:00:39 CEST
-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire=16269))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16269))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16200))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=18261))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch  shadowExpire=* shadowExpire dn -LLL
dn: uid=Guest,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=krbtgt,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=17000))' dn shadowExpire -LLL
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=19000))' dn shadowExpire -LLL
dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=1)(shadowExpire<=19000))' dn shadowExpire -LLL
dn: uid=Guest,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=krbtgt,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

OK - YAML
Comment 4 Moritz Muehlenhoff univentionstaff 2014-07-14 10:49:54 CEST
http://errata.univention.de/ucs/3.2/147.html