Univention Bugzilla – Bug 38060
k5pwd overlay doesn't work if account expires
Last modified: 2015-03-25 16:38:29 CET
Needs to be fixed for UCS 4.0 as well.

+++ This bug was initially created as a clone of Bug #31429 +++

If the last password change occurred by Kerberos/Samba4/Windows (userPassword={K5KEY}), ldap-bind against slapd fails if the account has an expiry-Date:

----------------------------------------------------
root@dcm:~# univention-ldapsearch uid=accounttest2 userpassword -LLL|ldapsearch-wrapper|ldapsearch-decode64
dn: uid=accounttest2,cn=users,dc=s4sites,dc=local
userPassword: {K5KEY}

root@dcm:~# udm users/user modify --dn uid=accounttest2,cn=users,dc=s4sites,dc=local --set userexpiry=2014-05-31
Object modified: uid=accounttest2,cn=users,dc=s4sites,dc=local

root@dcm:~# ldapsearch -x -h dcm -p 7389 -D "uid=accounttest2,cn=users,dc=s4sites,dc=local" -w Herbert.123 uid=accounttest2 uid
ldap_bind: Invalid credentials (49)

root@dcm:~# udm users/user modify --dn uid=accounttest2,cn=users,dc=s4sites,dc=local --set userexpiry=
Object modified: uid=accounttest2,cn=users,dc=s4sites,dc=local

root@dcm:~# ldapsearch -x -h dcm -p 7389 -D "uid=accounttest2,cn=users,dc=s4sites,dc=local" -w Herbert.123 uid=accounttest2 uid -LLL
dn: uid=accounttest2,cn=users,dc=s4sites,dc=local
uid: accounttest2
----------------------------------------------------

YAML: dev/branches/ucs-4.0/ucs-4.0-1/doc/errata/staging/2015-03-17-openldap.yaml
Fix: r14490 + r14491
Test case: 10_ldap/05K5KEY_userexpiry (r59098)

-> univention-ldapsearch uid=test1 -LLL userPassword|ldapsearch-decode64
dn: uid=test1,cn=users,dc=four,dc=test
userPassword: {K5KEY}

-> univention-ldapsearch -LLL -D uid=test1,cn=users,dc=four,dc=test -w Univention.99 uid=test1 dn
dn: uid=test1,cn=users,dc=four,dc=test

OK - password expired
-> udm users/user modify --dn uid=test1,cn=users,dc=four,dc=test --set userexpiry=2014-05-31
-> univention-ldapsearch -D uid=test1,cn=users,dc=four,dc=test -w Univention.99 uid=test1 dn
ldap_bind: Invalid credentials (49)

OK - password not yet expired
-> udm users/user modify --dn uid=test1,cn=users,dc=four,dc=test --set userexpiry=2017-05-31
-> univention-ldapsearch -LLL -D uid=test1,cn=users,dc=four,dc=test -w Univention.99 uid=test1 dn
dn: uid=test1,cn=users,dc=four,dc=test

OK - no password expiry
-> udm users/user modify --dn uid=test1,cn=users,dc=four,dc=test --set userexpiry=
-> univention-ldapsearch -LLL -D uid=test1,cn=users,dc=four,dc=test -w Univention.99 uid=test1 dn
dn: uid=test1,cn=users,dc=four,dc=test

OK - 10_ldap/05K5KEY_userexpiry
OK - 2015-03-17-openldap.yaml

<http://errata.univention.de/ucs/4.0/130.html>