Univention Bugzilla – Bug 35329
Allow comparison of shadowExpire in nis.schema
Last modified: 2016-09-05 09:46:46 CEST
For fixing Bug #35088 the LDAP server has to be able to compare/sort the numeric values of shadowExpire. To achieve this, the LDAP schema nis.schema in the package openldap has to be patched:

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
    EQUALITY integerMatch
+   ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

+++ This bug was initially created as a clone of Bug #35088 +++

Currently an LDAP bind is possible if a user account has expired/reached the expiration date. This also affects 3rd party products which rely on LDAP bind as authentication method.

Possible solution: A cronjob is looking for expired user accounts (*not* expired user passwords!) and disables at least the POSIX/LDAP login for these accounts.
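Review bot: the hunk adds only the ORDERING integerOrderingMatch line; EQUALITY integerMatch, the INTEGER syntax (1.3.6.1.4.1.1466.115.121.1.27) and SINGLE-VALUE are unchanged, so stored values and equality searches behave exactly as before and the new rule does nothing beyond making >= and <= filters on shadowExpire defined. Since slapd reads nis.schema at startup, the rebuilt package needs a slapd restart before the range searches requested from QA can succeed; that restart is worth stating next to the FIXED comment.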
Patch for package openldap has been updated (new bug number); package openldap has been rebuilt; YAML file 2014-06-10-openldap.yaml has been updated. → FIXED
@QA: please verify that you are able to search for accounts that expired within a specific time range:

univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=16261))'

16250 ==> number of days since 1970-01-01
-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire=16269))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16269))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16200))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=18261))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch shadowExpire=* shadowExpire dn -LLL
dn: uid=Guest,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=krbtgt,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=17000))' dn shadowExpire -LLL
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=19000))' dn shadowExpire -LLL
dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=1)(shadowExpire<=19000))' dn shadowExpire -LLL
dn: uid=Guest,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=krbtgt,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

OK - YAML
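The QA request and the verification above rely on two things that the comments only state in passing: shadowExpire is a day number (days since 1970-01-01), and the >= / <= range filters are only defined once the attribute has an ORDERING rule. The following Python is an added example, not code from this bug, the openldap package or UCS. It converts dates to and from shadowExpire day numbers, builds the same range filter QA ran, parses the `dn` / `shadowExpire` output of univention-ldapsearch, and applies the shadow(5) account-expiry rule (which is the cloned bug's "expired account, not expired password" distinction). The LDIF embedded in it is constructed from the values shown in the QA output plus one never-expiring account; it contacts no LDAP server.

```python
"""Day-number arithmetic and range searches for shadowExpire.

Added example, not code from the Univention bug or the openldap package.
The LDIF below is constructed from the values shown in the QA comment
(plus one never-expiring account); nothing here talks to an LDAP server.
"""
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """shadowExpire holds the expiry date as days since 1970-01-01 (shadow(5))."""
    return (d - EPOCH).days


def date_from_days(days: int) -> date:
    """Inverse of days_since_epoch: turn a stored shadowExpire value back into a date."""
    return EPOCH + timedelta(days=days)


def expiry_range_filter(first: date, last: date) -> str:
    """Filter for posixAccounts whose expiry date lies in [first, last], inclusive.

    The >= and <= assertions require an ORDERING matching rule on the
    attribute.  With EQUALITY integerMatch alone (nis.schema before the
    patch) slapd evaluates such a filter as Undefined and returns nothing.
    """
    lo, hi = days_since_epoch(first), days_since_epoch(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    return "(&(objectClass=posixAccount)(shadowExpire>=%d)(shadowExpire<=%d))" % (lo, hi)


def parse_ldif(text: str) -> List[Tuple[str, Optional[int]]]:
    """Collect (dn, shadowExpire) pairs from `univention-ldapsearch ... dn shadowExpire` output.

    Entries are separated by blank lines; '#' comment lines (printed
    without -LLL) are ignored.  An entry without shadowExpire yields None.
    """
    entries = []
    dn, expire = None, None
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if dn is not None:
                entries.append((dn, expire))
            dn, expire = None, None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key == "dn":
            dn = value.strip()
        elif key == "shadowExpire":
            expire = int(value)
    return entries


def is_expired(shadow_expire: Optional[int], today: int) -> bool:
    """Account-expiry rule of shadow(5); password ageing is a separate matter.

    Absent or -1 means the account never expires.  shadow(5) documents 0 as
    ambiguous and says it should not be used; like Linux-PAM's pam_unix,
    only a positive value is enforced here.  Login is refused from the
    expiry day on (today >= shadowExpire), so an account whose shadowExpire
    equals today's day number already counts as expired.
    """
    if shadow_expire is None or shadow_expire <= 0:
        return False
    return today >= shadow_expire


def expired_accounts(entries, today: int) -> List[str]:
    """DNs whose account can no longer log in as of day number `today`."""
    return [dn for dn, expire in entries if is_expired(expire, today)]


def in_range(entries, lo: int, hi: int) -> List[str]:
    """Client-side equivalent of the (shadowExpire>=lo)(shadowExpire<=hi) filter."""
    return [dn for dn, expire in entries if expire is not None and lo <= expire <= hi]


# Constructed sample: the four entries from the QA output plus a never-expiring one.
SAMPLE_LDIF = """\
dn: uid=Guest,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=krbtgt,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

dn: uid=noexpiry,cn=users,dc=w2k12,dc=test
shadowExpire: -1
"""

if __name__ == "__main__":
    today = days_since_epoch(date.today())
    entries = parse_ldif(SAMPLE_LDIF)
    print("today is day", today)
    print("filter for 2014-06-29..2014-07-10:",
          expiry_range_filter(date(2014, 6, 29), date(2014, 7, 10)))
    for dn in expired_accounts(entries, today):
        print("expired:", dn)
```

Day 16250 is 2014-06-29 and 16261 is 2014-07-10, so expiry_range_filter(date(2014, 6, 29), date(2014, 7, 10)) yields exactly the filter QA was asked to run; in_range on the sample reproduces the 16250..17000, 16250..19000 and 1..19000 result sets shown above. For a cron job of the kind proposed in the cloned bug, expired_accounts is the piece that decides which accounts to disable, and the distinction it draws (shadowExpire, not the password-ageing attributes) is the one the description stresses.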
http://errata.univention.de/ucs/3.2/147.html