Bug 35900 - Allow comparison of shadowExpire in nis.schema
Status: CLOSED FIXED
Product: UCS Test
Classification: Unclassified
Component: LDAP
Version: unspecified
Platform: Other Linux
Priority: P5
Severity: normal
Assigned To: Ammar Najjar
Depends on: 36210 35329
Reported: 2014-09-11 14:48 CEST by Stefan Gohmann
Modified: 2023-03-25 06:42 CET
What kind of report is it?: Development Internal
Description Stefan Gohmann univentionstaff 2014-09-11 14:48:55 CEST
Please check if a test case is possible.

+++ This bug was initially created as a clone of Bug #35329 +++

For fixing Bug #35088 the LDAP server has to be able to compare/sort the numeric values of shadowExpire. To achieve this, the LDAP schema nis.schema in the package openldap has to be patched:

 attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch
+       ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
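Review bot: the added ORDERING line diverges from upstream OpenLDAP's nis.schema, which declares only EQUALITY integerMatch for shadowExpire, so it has to be carried as a distribution patch in the openldap package and reapplied on every update of that package; without it the >= and <= filters do not error out, they evaluate to Undefined and silently match nothing, so a consumer such as the expiry cronjob proposed for Bug #35088 would disable no accounts at all. That silent failure mode is exactly what the requested test case should guard against. The snippet carries no file header or @@ context, so it cannot be fed to patch as shown; the three unchanged lines are enough to locate it by hand. Declaring the ORDERING rule only makes the filters defined; whether slapd answers them from an index is a separate slapd configuration matter.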


+++ This bug was initially created as a clone of Bug #35088 +++

Currently an LDAP bind is possible if a user account has expired/reached its expiration date. This also affects 3rd-party products which rely on LDAP bind as the authentication method.

Possible solution:
A cronjob is looking for expired user accounts (*not* expired user passwords!) and disables at least the POSIX/LDAP login for these accounts.
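The following Python is added here as an illustration of why the ORDERING line matters; it is not code from the bug report, the UCS test script or the openldap package. It parses constructed excerpts of nis.schema (the shadowExpire definition before and after the patch, with a neighbouring attribute in front so the parser has to pick the right one) and models how a server evaluates the `(&(shadowExpire>=lo)(shadowExpire<=hi))` filter the test later uses: per RFC 4511 section 4.5.1.7, a greaterOrEqual/lessOrEqual item on an attribute without an ORDERING rule is Undefined, so nothing is returned and no error is raised. The schema text, entry names and values are constructed.

```python
"""Added example: ORDERING rule vs. range filters on shadowExpire.

Not part of the bug report or the UCS test script.  Schema excerpts and
directory entries below are constructed for the demonstration.
"""
import re

# Constructed excerpts of nis.schema: shadowExpire before and after the
# ORDERING line from the bug description, preceded by a neighbouring
# attribute so the parser must stay inside one definition.
SCHEMA_BEFORE = """\
attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
"""

SCHEMA_AFTER = """\
attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
"""

# '[^)]' keeps the match inside a single attributetype ( ... ) block, so a
# rule declared on a neighbouring attribute is never attributed to `name`.
ATTR_RE = r"attributetype\s*\(([^)]*?NAME\s+'%s'[^)]*)\)"


def parse_attributetype(schema_text, name):
    """Return the matching-rule and syntax keywords of one attributetype."""
    m = re.search(ATTR_RE % re.escape(name), schema_text)
    if m is None:
        raise KeyError("no attributetype named %r in schema" % name)
    return dict(re.findall(r"\b(EQUALITY|ORDERING|SUBSTR|SYNTAX)\s+(\S+)", m.group(1)))


def has_ordering(schema_text, name="shadowExpire"):
    """True when >= and <= filters on the attribute are defined at all."""
    return "ORDERING" in parse_attributetype(schema_text, name)


def range_filter(entries, lo, hi, schema_text, attr="shadowExpire"):
    """Model the server's evaluation of (&(attr>=lo)(attr<=hi)).

    entries: [(uid, value as stored in the directory)].
    RFC 4511 section 4.5.1.7: a greaterOrEqual/lessOrEqual item on an
    attribute with no ORDERING rule is Undefined, and an Undefined item
    inside an 'and' filter means the entry is not returned.  So with the
    unpatched schema the result is empty whatever is stored, and no error
    tells the caller that the comparison never happened.
    """
    if not has_ordering(schema_text, attr):
        return []
    hits = [(uid, int(v)) for uid, v in entries if lo <= int(v) <= hi]
    # integerOrderingMatch compares numerically, not as strings:
    # "9999" sorts before "16354" here, not after it.
    return sorted(hits, key=lambda t: t[1])


# Constructed directory contents: shadowExpire is days since 1970-01-01.
ENTRIES = [("alice", "16354"), ("bob", "16356"), ("carol", "16358"), ("dave", "9999")]

if __name__ == "__main__":
    print("before patch:", range_filter(ENTRIES, 16355, 16357, SCHEMA_BEFORE))
    print("after patch: ", range_filter(ENTRIES, 16355, 16357, SCHEMA_AFTER))
    print("numeric order:", range_filter(ENTRIES, 9000, 16357, SCHEMA_AFTER))
```

The empty result from the unpatched schema is the point to take away: a range filter against an attribute without ORDERING looks like "no expired users" rather than like a configuration error, which is why the schema property itself needs a test rather than the consumers of the filter.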
Comment 1 Ammar Najjar univentionstaff 2014-10-08 13:06:08 CEST
A new script with the name '10_ldap/03_shadowExpire_in_nis_schema' is created to:

 - Check the settings in nis.schema file.
 - Test the authentication.
 - Test ldap-search and order/filter for shadowExpire.

The test script fails if any of the above fails.
Comment 2 Ammar Najjar univentionstaff 2014-10-09 11:59:41 CEST
Script '10_ldap/03_shadowExpire_in_nis_schema' is modified to remove the authentication test as it is not part of this bug.

Tested on UCS-4.0 & UCS-3.2.
Comment 3 Stefan Gohmann univentionstaff 2014-10-10 06:42:58 CEST
The test case failed in Jenkins:

-----------------------------------------------------------------------------
*** BEGIN *** ['/usr/bin/python', '03_shadowExpire_in_nis_schema'] ***
*** 10_ldap/03_shadowExpire_in_nis_schema *** Allow comparison of shadowExpire in nis.schema ***
Creating users/user object with {'username': 'ffi3ojs4vr', 'firstname': 'i5sfispilb', 'lastname': 'mqjbos9j9u', 'userexpiry': '2014-10-07', 'position': 'cn=users,dc=autotest092,dc=local', 'password': 'mrd8qu8w2b'}
Waiting for replication:
OK: replication complete (nid=417 lid=417)
Done: replication complete.
Creating users/user object with {'username': 'vqs59uuzhe', 'firstname': 'odiyo5jv9k', 'lastname': 'xakghioylz', 'userexpiry': '2014-10-09', 'position': 'cn=users,dc=autotest092,dc=local', 'password': '4tmkuyrk5l'}
Waiting for replication:
OK: replication complete (nid=428 lid=428)
Done: replication complete.
Creating users/user object with {'username': 'c9az7cppww', 'firstname': 'gd5ki5yukh', 'lastname': 'b9pamcv55a', 'userexpiry': '2014-10-11', 'position': 'cn=users,dc=autotest092,dc=local', 'password': '3z0pi5w41t'}
Waiting for replication:
OK: replication complete (nid=439 lid=439)
Done: replication complete.
Searching LDAP:
username=ffi3ojs4vr, expirydate=16350
### FAIL ###
LDAP is not able to sort Objects with filter: (shadowExpire>=-2)(shadowExpire<=32702))
###      ###
Cleanup after exception: <type 'exceptions.SystemExit'> 1
Performing UCSTestUDM cleanup...
UCSTestUDM cleanup done
*** END *** 1 ***
-----------------------------------------------------------------------------

Is it a bug in the test script or in the schema?

http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-3/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=backup/lastCompletedBuild/testReport/10_ldap/03_shadowExpire_in_nis_schema/test/
Comment 4 Ammar Najjar univentionstaff 2014-10-10 10:08:00 CEST
There was a mistake in the printed message.
The script is modified to print clear messages with more info to be able to detect the error source.

Changelog entry is added and package rebuilt for both UCS-3.2.3 & UCS-4.0.
Comment 5 Ammar Najjar univentionstaff 2014-10-14 10:49:13 CEST
(In reply to Stefan Gohmann from comment #3)
> The test case failed in Jenkins:
> 
> -----------------------------------------------------------------------------
> *** BEGIN *** ['/usr/bin/python', '03_shadowExpire_in_nis_schema'] ***
> *** 10_ldap/03_shadowExpire_in_nis_schema *** Allow comparison of
> shadowExpire in nis.schema ***
> Creating users/user object with {'username': 'ffi3ojs4vr', 'firstname':
> 'i5sfispilb', 'lastname': 'mqjbos9j9u', 'userexpiry': '2014-10-07',
> 'position': 'cn=users,dc=autotest092,dc=local', 'password': 'mrd8qu8w2b'}
> Waiting for replication:
> OK: replication complete (nid=417 lid=417)
> Done: replication complete.
> Creating users/user object with {'username': 'vqs59uuzhe', 'firstname':
> 'odiyo5jv9k', 'lastname': 'xakghioylz', 'userexpiry': '2014-10-09',
> 'position': 'cn=users,dc=autotest092,dc=local', 'password': '4tmkuyrk5l'}
> Waiting for replication:
> OK: replication complete (nid=428 lid=428)
> Done: replication complete.
> Creating users/user object with {'username': 'c9az7cppww', 'firstname':
> 'gd5ki5yukh', 'lastname': 'b9pamcv55a', 'userexpiry': '2014-10-11',
> 'position': 'cn=users,dc=autotest092,dc=local', 'password': '3z0pi5w41t'}
> Waiting for replication:
> OK: replication complete (nid=439 lid=439)
> Done: replication complete.
> Searching LDAP:
> username=ffi3ojs4vr, expirydate=16350
> ### FAIL ###
> LDAP is not able to sort Objects with filter:
> (shadowExpire>=-2)(shadowExpire<=32702))
> ###      ###
> Cleanup after exception: <type 'exceptions.SystemExit'> 1
> Performing UCSTestUDM cleanup...
> UCSTestUDM cleanup done
> *** END *** 1 ***
> -----------------------------------------------------------------------------
> 
> Is it a bug in the test script or in the schema?
> 
> http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-3/job/
> Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=backup/lastCompletedBuild/
> testReport/10_ldap/03_shadowExpire_in_nis_schema/test/


The real problem was in using the current local time for object creation/comparison, which causes the script to fail if it is executed at certain times of the day. Now the script uses UTC time.
Comment 6 Stefan Gohmann univentionstaff 2014-10-16 06:53:13 CEST
The test cases failed in Jenkins last night. Maybe you can have a look?

http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-3/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/60/testReport/10_ldap/03_shadowExpire_in_nis_schema/test/


--------------------------------------------------------------------------------
nis.schema contains:
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
Creating users/user object with {'username': 'lucqpb04yb', 'firstname': 'esyu3x2inw', 'lastname': 'qjqq6zufhq', 'userexpiry': '2014-10-13', 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'qftsiwwl9h'}
Waiting for replication:
OK: replication complete (nid=990 lid=990)
Done: replication complete.
Creating users/user object with {'username': 'uj9qexu7jm', 'firstname': 'm4r1640vyg', 'lastname': 'mesogbazep', 'userexpiry': '2014-10-15', 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'wgdq4mfzdm'}
Waiting for replication:
OK: replication complete (nid=1001 lid=1001)
Done: replication complete.
Creating users/user object with {'username': 'ilob0mer6y', 'firstname': 'wu2e8bjuor', 'lastname': 'g94hgtxers', 'userexpiry': '2014-10-17', 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'onyoe13cxx'}
Waiting for replication:
OK: replication complete (nid=1012 lid=1012)
Done: replication complete.

Searching LDAP filter=(&(objectClass=posixAccount)(shadowExpire>=16355)(shadowExpire<=16357))
Should be found: [(username, expirydate)] = [('lucqpb04yb', '16356')]
Found in LDAP:   [(username, expirydate)] = [('lucqpb04yb', '16357')]
### FAIL ###
LDAP is not able to sort Objects with filter: (shadowExpire>=16355)(shadowExpire<=16357)
###      ###
Cleanup after exception: <type 'exceptions.SystemExit'> 1
Performing UCSTestUDM cleanup...
UCSTestUDM cleanup done
--------------------------------------------------------------------------------
Comment 7 Ammar Najjar univentionstaff 2014-10-16 12:12:12 CEST
(In reply to Stefan Gohmann from comment #6)
> The test cases failed in jenkins last night. Maybe you can have a look?
> 
> http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-3/job/
> Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/60/testReport/10_ldap/
> 03_shadowExpire_in_nis_schema/test/
> 
> 
> -----------------------------------------------------------------------------
> ---
> nis.schema contains:
> attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
> 	EQUALITY integerMatch
> 	ORDERING integerOrderingMatch
> 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> Creating users/user object with {'username': 'lucqpb04yb', 'firstname':
> 'esyu3x2inw', 'lastname': 'qjqq6zufhq', 'userexpiry': '2014-10-13',
> 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'qftsiwwl9h'}
> Waiting for replication:
> OK: replication complete (nid=990 lid=990)
> Done: replication complete.
> Creating users/user object with {'username': 'uj9qexu7jm', 'firstname':
> 'm4r1640vyg', 'lastname': 'mesogbazep', 'userexpiry': '2014-10-15',
> 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'wgdq4mfzdm'}
> Waiting for replication:
> OK: replication complete (nid=1001 lid=1001)
> Done: replication complete.
> Creating users/user object with {'username': 'ilob0mer6y', 'firstname':
> 'wu2e8bjuor', 'lastname': 'g94hgtxers', 'userexpiry': '2014-10-17',
> 'position': 'cn=users,dc=autotest090,dc=local', 'password': 'onyoe13cxx'}
> Waiting for replication:
> OK: replication complete (nid=1012 lid=1012)
> Done: replication complete.
> 
> Searching LDAP
> filter=(&(objectClass=posixAccount)(shadowExpire>=16355)(shadowExpire<=16357)
> )
> Should be found: [(username, expirydate)] = [('lucqpb04yb', '16356')]
> Found in LDAP:   [(username, expirydate)] = [('lucqpb04yb', '16357')]
> ### FAIL ###
> LDAP is not able to sort Objects with filter:
> (shadowExpire>=16355)(shadowExpire<=16357)
> ###      ###
> Cleanup after exception: <type 'exceptions.SystemExit'> 1
> Performing UCSTestUDM cleanup...
> UCSTestUDM cleanup done
> -----------------------------------------------------------------------------
> ---

This is a newly discovered bug, Bug #36210.
This script fails only if the executing machine has a time zone with a negative offset.
Comment 8 Stefan Gohmann univentionstaff 2014-10-17 06:17:36 CEST
(In reply to Ammar Najjar from comment #7)
> This is a newly discovered bug, Bug #36210.
> This script fails only if the executing machine has a time zone with a
> negative offset.

But the test case should test if the attribute is comparable. That test should be independent of the time zone.
Comment 9 Ammar Najjar univentionstaff 2014-10-21 09:58:46 CEST
(In reply to Stefan Gohmann from comment #8)
> (In reply to Ammar Najjar from comment #7)
> > This is a newly discovered bug, Bug #36210.
> > This script fails only if the executing machine has a time zone with a
> > negative offset.
> 
> But the test case should test if the attribute is comparable. That test
> should be independent of the time zone.

Script modified to use whatever value it finds in LDAP for the expiry date,
instead of making sure that it is the same value used to set the expiry
date.

Changelog entry added, and package built for both UCS-3.2-3 and UCS-4.0.
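As an added example of the two fixes discussed in comments 5, 7 and 9 (not code from the test script or from UCS), the Python below shows why a shadowExpire value derived from local midnight via epoch seconds depends on the host's UTC offset, how the same value is obtained time-zone independently from calendar dates, and the check comment 9 settles on: read whatever value LDAP stores and build the range filter around that, so the test exercises comparability rather than a locally computed date. The UTC offsets, user names and stored values are constructed; the filter is evaluated client-side.

```python
"""Added example: time-zone safe handling of shadowExpire in a test.

Not part of the UCS test script.  Offsets, names and values are constructed.
shadowExpire holds whole days since 1970-01-01.
"""
from datetime import date, datetime, timedelta, timezone

EPOCH = date(1970, 1, 1)


def shadow_days(d):
    """Time-zone independent conversion: calendar days since the epoch."""
    return (d - EPOCH).days


def shadow_days_via_local_midnight(d, utc_offset_hours):
    """The fragile conversion: local midnight -> epoch seconds -> floor(days).

    The result shifts with the host's UTC offset; a constructed offset is
    passed in so the effect is reproducible on any machine.  Which dates
    come out wrong depends on the sign of the offset and on whether the
    code floors or rounds the quotient, so such a test passes on one
    Jenkins host and fails on another.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    midnight = datetime(d.year, d.month, d.day, tzinfo=tz)
    return int(midnight.timestamp() // 86400)


def comparable_in_ldap(entries, uid):
    """Comment 9's approach: take the value the directory actually stores
    for `uid` and confirm that a range filter built around it returns
    exactly that entry.  No local date arithmetic is involved, so the
    outcome cannot depend on the time zone of the machine running the test.

    entries: [(uid, shadowExpire as stored)], two days apart like the users
    the test creates, so a +/-1 window isolates a single entry.
    """
    stored = int(dict(entries)[uid])
    lo, hi = stored - 1, stored + 1  # (&(shadowExpire>=lo)(shadowExpire<=hi))
    found = [u for u, v in entries if lo <= int(v) <= hi]
    return found == [uid]


# Constructed directory contents (not taken from the Jenkins log).
ENTRIES = [("alice", "16357"), ("bob", "16359"), ("carol", "16361")]

if __name__ == "__main__":
    d = date(2014, 10, 13)
    print("calendar days:", shadow_days(d))
    for off in (-5, 0, 2):
        print("via local midnight, UTC%+d:" % off, shadow_days_via_local_midnight(d, off))
    print("bob comparable:", comparable_in_ldap(ENTRIES, "bob"))
```

For 2014-10-13 the calendar computation gives 16356, the value the log in comment 6 expected; the local-midnight variant gives the same number at UTC-5 and UTC+0 but 16355 at UTC+2, which is the kind of one-day disagreement that made the test's expected value and the stored value diverge depending on where it ran.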
Comment 10 Stefan Gohmann univentionstaff 2016-10-12 07:48:31 CEST
No separate QA is needed for this bug.