Univention Bugzilla – Bug 35900
Allow comparison of shadowExpire in nis.schema
Last modified: 2023-03-25 06:42:55 CET
Please check if a test case is possible.
+++ This bug was initially created as a clone of Bug #35329 +++
For fixing Bug #35088 the LDAP server has to be able to compare/sort the numeric values of shadowExpire. To achieve this, the LDAP schema nis.schema in the package openldap has to be patched:
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+++ This bug was initially created as a clone of Bug #35088 +++
Currently an LDAP bind is possible if a user account has expired/reached the expiration date. This also affects 3rd party products which rely on LDAP bind as authentication method.
Possible solution: A cronjob is looking for expired user accounts (*not* expired user passwords!) and disables at least the POSIX/LDAP login for these accounts.
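Review bot: the added ORDERING integerOrderingMatch line in the shadowExpire definition carries no comment marking it as a local change to the packaged nis.schema; a one-line # comment above the attributetype naming this bug would keep the reason visible to whoever next touches the file. The rule itself is consistent with the EQUALITY integerMatch already on the attribute and with its syntax 1.3.6.1.4.1.1466.115.121.1.27.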
A new script with the name '10_ldap/03_shadowExpire_in_nis_schema' is created to:
- Check the settings in nis.schema file.
- Test the authentication.
- Test ldap-search and order/filter for shadowExpire.
Test script fails if any of the above fails.
Script '10_ldap/03_shadowExpire_in_nis_schema' is modified to remove the authentication test as it is not part of this bug. Tested on UCS-4.0 & UCS-3.2.
The test case failed in Jenkins:
-----------------------------------------------------------------------------
*** BEGIN *** ['/usr/bin/python', '03_shadowExpire_in_nis_schema'] ***
*** 10_ldap/03_shadowExpire_in_nis_schema *** Allow comparison of shadowExpire in nis.schema ***
Creating users/user object with {'username': 'ffi3ojs4vr', 'firstname': 'i5sfispilb', 'lastname': 'mqjbos9j9u', 'userexpiry': '2014-10-07', 'position': 'cn=users,dc=autotest092,dc=local', 'password': 'mrd8qu8w2b'}
Waiting for replication:
OK: replication complete (nid=417 lid=417)
Done: replication complete.
Creating users/user object with {'username': 'vqs59uuzhe', 'firstname': 'odiyo5jv9k', 'lastname': 'xakghioylz', 'userexpiry': '2014-10-09', 'position': 'cn=users,dc=autotest092,dc=local', 'password': '4tmkuyrk5l'}
Waiting for replication:
OK: replication complete (nid=428 lid=428)
Done: replication complete.
Creating users/user object with {'username': 'c9az7cppww', 'firstname': 'gd5ki5yukh', 'lastname': 'b9pamcv55a', 'userexpiry': '2014-10-11', 'position': 'cn=users,dc=autotest092,dc=local', 'password': '3z0pi5w41t'}
Waiting for replication:
OK: replication complete (nid=439 lid=439)
Done: replication complete.
Searching LDAP:
username=ffi3ojs4vr, expirydate=16350
### FAIL ###
LDAP is not able to sort Objects with filter: (shadowExpire>=-2)(shadowExpire<=32702))
### ###
Cleanup after exception: <type 'exceptions.SystemExit'> 1
Performing UCSTestUDM cleanup...
UCSTestUDM cleanup done
*** END *** 1 ***
-----------------------------------------------------------------------------
Is it a bug in the test script or in the schema?
http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-3/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=backup/lastCompletedBuild/testReport/10_ldap/03_shadowExpire_in_nis_schema/test/
There was a mistake in the printed message. The script is modified to print clear messages with more info to be able to detect the error source. Changelog entry is added and package rebuilt for both UCS-3.2.3 & UCS-4.0.
(In reply to Stefan Gohmann from comment #3)
> The test case failed in Jenkins:
>
> -----------------------------------------------------------------------------
> *** BEGIN *** ['/usr/bin/python', '03_shadowExpire_in_nis_schema'] ***
> *** 10_ldap/03_shadowExpire_in_nis_schema *** Allow comparison of
> shadowExpire in nis.schema ***
> Creating users/user object with {'username': 'ffi3ojs4vr', 'firstname':
> 'i5sfispilb', 'lastname': 'mqjbos9j9u', 'userexpiry': '2014-10-07',
> 'position': 'cn=users,dc=autotest092,dc=local', 'password': 'mrd8qu8w2b'}
> Waiting for replication:
> OK: replication complete (nid=417 lid=417)
> Done: replication complete.
> Creating users/user object with {'username': 'vqs59uuzhe', 'firstname':
> 'odiyo5jv9k', 'lastname': 'xakghioylz', 'userexpiry': '2014-10-09',
> 'position': 'cn=users,dc=autotest092,dc=local', 'password': '4tmkuyrk5l'}
> Waiting for replication:
> OK: replication complete (nid=428 lid=428)
> Done: replication complete.
> Creating users/user object with {'username': 'c9az7cppww', 'firstname':
> 'gd5ki5yukh', 'lastname': 'b9pamcv55a', 'userexpiry': '2014-10-11',
> 'position': 'cn=users,dc=autotest092,dc=local', 'password': '3z0pi5w41t'}
> Waiting for replication:
> OK: replication complete (nid=439 lid=439)
> Done: replication complete.
> Searching LDAP:
> username=ffi3ojs4vr, expirydate=16350
> ### FAIL ###
> LDAP is not able to sort Objects with filter:
> (shadowExpire>=-2)(shadowExpire<=32702))
> ### ###
> Cleanup after exception: <type 'exceptions.SystemExit'> 1
> Performing UCSTestUDM cleanup...
> UCSTestUDM cleanup done
> *** END *** 1 ***
> -----------------------------------------------------------------------------
>
> Is it a bug in the test script or in the schema?
>
> http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-3/job/
> Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=backup/lastCompletedBuild/
> testReport/10_ldap/03_shadowExpire_in_nis_schema/test/
The real problem was in using the current local time for object creation/comparison, which causes the script to fail if it was executed at some point of the day. Now the script uses UTC time.
The test cases failed in Jenkins last night. Maybe you can have a look?
http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-3/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/60/testReport/10_ldap/03_shadowExpire_in_nis_schema/test/
--------------------------------------------------------------------------------
nis.schema contains:
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
Creating users/user object with {'username': 'lucqpb04yb', 'firstname': 'esyu3x2inw', 'lastname': 'qjqq6zufhq', 'userexpiry': '2014-10-13', 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'qftsiwwl9h'}
Waiting for replication:
OK: replication complete (nid=990 lid=990)
Done: replication complete.
Creating users/user object with {'username': 'uj9qexu7jm', 'firstname': 'm4r1640vyg', 'lastname': 'mesogbazep', 'userexpiry': '2014-10-15', 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'wgdq4mfzdm'}
Waiting for replication:
OK: replication complete (nid=1001 lid=1001)
Done: replication complete.
Creating users/user object with {'username': 'ilob0mer6y', 'firstname': 'wu2e8bjuor', 'lastname': 'g94hgtxers', 'userexpiry': '2014-10-17', 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'onyoe13cxx'}
Waiting for replication:
OK: replication complete (nid=1012 lid=1012)
Done: replication complete.
Searching LDAP filter=(&(objectClass=posixAccount)(shadowExpire>=16355)(shadowExpire<=16357))
Should be found: [(username, expirydate)] = [('lucqpb04yb', '16356')]
Found in LDAP: [(username, expirydate)] = [('lucqpb04yb', '16357')]
### FAIL ###
LDAP is not able to sort Objects with filter: (shadowExpire>=16355)(shadowExpire<=16357)
### ###
Cleanup after exception: <type 'exceptions.SystemExit'> 1
Performing UCSTestUDM cleanup...
UCSTestUDM cleanup done
--------------------------------------------------------------------------------
(In reply to Stefan Gohmann from comment #6)
> The test cases failed in jenkins last night. Maybe you can have a look?
>
> http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-3/job/
> Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/60/testReport/10_ldap/
> 03_shadowExpire_in_nis_schema/test/
>
>
> -----------------------------------------------------------------------------
> ---
> nis.schema contains:
> attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
> EQUALITY integerMatch
> ORDERING integerOrderingMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> Creating users/user object with {'username': 'lucqpb04yb', 'firstname':
> 'esyu3x2inw', 'lastname': 'qjqq6zufhq', 'userexpiry': '2014-10-13',
> 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'qftsiwwl9h'}
> Waiting for replication:
> OK: replication complete (nid=990 lid=990)
> Done: replication complete.
> Creating users/user object with {'username': 'uj9qexu7jm', 'firstname':
> 'm4r1640vyg', 'lastname': 'mesogbazep', 'userexpiry': '2014-10-15',
> 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'wgdq4mfzdm'}
> Waiting for replication:
> OK: replication complete (nid=1001 lid=1001)
> Done: replication complete.
> Creating users/user object with {'username': 'ilob0mer6y', 'firstname':
> 'wu2e8bjuor', 'lastname': 'g94hgtxers', 'userexpiry': '2014-10-17',
> 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'onyoe13cxx'}
> Waiting for replication:
> OK: replication complete (nid=1012 lid=1012)
> Done: replication complete.
>
> Searching LDAP
> filter=(&(objectClass=posixAccount)(shadowExpire>=16355)(shadowExpire<=16357)
> )
> Should be found: [(username, expirydate)] = [('lucqpb04yb', '16356')]
> Found in LDAP: [(username, expirydate)] = [('lucqpb04yb', '16357')]
> ### FAIL ###
> LDAP is not able to sort Objects with filter:
> (shadowExpire>=16355)(shadowExpire<=16357)
> ### ###
> Cleanup after exception: <type 'exceptions.SystemExit'> 1
> Performing UCSTestUDM cleanup...
> UCSTestUDM cleanup done
> -----------------------------------------------------------------------------
> ---
This is a newly discovered Bug #36210.
This script fails only if the machine executing it has a time zone with a negative offset.
(In reply to Ammar Najjar from comment #7)
> This is a new discovered Bug #36210.
> This script fails only if the machine executing has time zone with a
> negative offset.
But the test case should test if the attribute is comparable. That test should be independent from the time zone.
(In reply to Stefan Gohmann from comment #8)
> (In reply to Ammar Najjar from comment #7)
> > This is a new discovered Bug #36210.
> > This script fails only if the machine executing has time zone with a
> > negative offset.
>
> But the test case should test if the attribute is comparable. That test
> should be independent from the time zone.
Script modified to use whatever value it finds in LDAP for the expiry date, instead of making sure that it is the same value used to set the expiry date. Changelog entry added, and package built for both ucs-3.2-3 and ucs-4.0.
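The time-zone dependence and the stored-value check discussed in the comments above, as an added Python example that is not the project's 10_ldap/03_shadowExpire_in_nis_schema script. The function names, the STORED sample and fake_search (a local stand-in for an LDAP server that applies integerOrderingMatch) are assumptions made for illustration; the zones are given as POSIX TZ strings.

```python
import calendar
import os
import re
import time

DAY = 86400  # shadowExpire counts whole days since 1970-01-01

def expiry_days_utc(date_str):
    """Day count for YYYY-MM-DD read as UTC midnight; same on every machine."""
    return calendar.timegm(time.strptime(date_str, "%Y-%m-%d")) // DAY

def expiry_days_local(date_str, tz):
    """Fractional day count for the date read as local midnight in POSIX zone tz."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()  # Unix only
    try:
        return time.mktime(time.strptime(date_str, "%Y-%m-%d")) / DAY
    finally:
        os.environ.pop("TZ", None)
        if saved is not None:
            os.environ["TZ"] = saved
        time.tzset()

def range_filter(low, high):
    """Range filter in the form the test log prints; needs the ORDERING rule."""
    return ("(&(objectClass=posixAccount)"
            "(shadowExpire>=%d)(shadowExpire<=%d))" % (low, high))

def fake_search(stored):
    """Constructed stand-in for a server applying integerOrderingMatch."""
    def search(ldap_filter):
        low, high = map(int, re.findall(r"shadowExpire[<>]=(-?\d+)", ldap_filter))
        return [u for u, v in stored.items() if low <= int(v) <= high]
    return search

def ordering_check(stored, search):
    """True if a +/-1 day range around the middle stored value finds only that user."""
    by_value = sorted(stored, key=lambda user: int(stored[user]))
    middle = by_value[len(by_value) // 2]
    value = int(stored[middle])
    return search(range_filter(value - 1, value + 1)) == [middle]

# Constructed sample: values as read back from LDAP, two days apart as in the log.
STORED = {"user_a": "16357", "user_b": "16359", "user_c": "16361"}

if __name__ == "__main__":
    print(expiry_days_utc("2014-10-13"), expiry_days_local("2014-10-13", "CET-1"),
          expiry_days_local("2014-10-13", "EST5"))
    print(ordering_check(STORED, fake_search(STORED)))
```

The local-midnight value lands a fraction of a day before or after the UTC day count depending on the zone, so any rounding of it gives different integers on different machines; ordering_check avoids the conversion entirely by taking its bounds from the stored values.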
No separate QA is needed for this bug.