Univention Bugzilla – Bug 42913
Import only disables user but does not lock them
Last modified: 2017-10-16 21:35:41 CEST
There is currently an access right problem with the UCS@school import (import_user AND ucs-school-user-import): Via the CSV file a user account can get deactivated (disabled=all) but the LDAP server does not respect the corresponding LDAP attributes, so a LDAP simple bind still works with deactivated user accounts. A user account is completely disabled only, if all authentication methods are also disabled (locked=all). There is a small hotfix import pyhook, but this should a) become default within the UCS@school library and b) it should be possible to reactivate the old behaviour via UCR The lib should set "locked" also to "all" resp. "none" when "disabled" is set to "all" resp. "none".
@Florian: I heard that 'locked' might get deprecated. Ist this certain? What about the LDAP bind problem?
(In reply to Daniel Tröder from comment #1) > @Florian: I heard that 'locked' might get deprecated. > Ist this certain? This might be implemented in UCS 4.2 → Bug #39817 > What about the LDAP bind problem? This was solved in UCS 4.2 via Bug #36215: A ldap bind doesn't work anymore if the user account is expired (and that overlay module is enabled).
Why don't we set pwdChangeNextLogin=1 instead of locked=all?
(In reply to Florian Best from comment #3) > Why don't we set pwdChangeNextLogin=1 instead of locked=all? This would not disable the user account in e.g. slapd. The affected school customer uses a cloud service that uses LDAP bind to verify passwords of cloud users. But users with disabled=all are still able to log into the cloud service because the LDAP server still accepts the user credentials.
See Bug #36215.
* Verify that in UCS 4.2 disabled == locked is the default. * Modify ucs-test-ucsschool/90_ucsschool/216_import-users_delete_variants to check with an LDAP-bind, that disabled users cannot bind anymore.
(In reply to Daniel Tröder from comment #6) > * Verify that in UCS 4.2 disabled == locked is the default. Manually tested: When disabled='all', LDAP bind is not possible. > * Modify ucs-test-ucsschool/90_ucsschool/216_import-users_delete_variants to > check with an LDAP-bind, that disabled users cannot bind anymore. Done: 640a28c..5c10b6b The LDAP bind test part is currently deactivated (error message only), because Bug #45287 (Bug #24185) must be fixed first.
What is the reason why we are trying to disable the user NOW (disabled=all) and also in the FUTURE (userexpiry=$future_date). This is an unsupported concept in UCS, see also Bug #24185. What is the concrete customer scenario for this? The customer are disabling users at the import time, to remove them at the userexpiry time? Where is this described? Which customers do this? We should instead set locked=all and userexpiry=$future_date and don't touch disabled (can we do this API change, because there might be systems out there which imported users with the old variant?). Setting locked=all will cause that the change does not work UCS in Active Directory domains, because the user can't be locked in AD. See also: Bug #39817.
There are two ways to deactivate users with the new [legacy] import: 1) Create or modify a user, when in the import configuration activate_new_users=False. 2) Delete a user, when in the import configuration user_deletion:delete=False & user_deletion:expiration!=0. Comment#7 and comment#8 refer to case 2).
(In reply to Daniel Tröder from comment #9) > There are two ways to deactivate users with the new [legacy] import: > > 1) Create or modify a user, when in the import configuration > activate_new_users=False. This bug is about this setting. > 2) Delete a user, when in the import configuration > user_deletion:delete=False & user_deletion:expiration!=0. > > Comment#7 and comment#8 refer to case 2). The user_deletion settings are not part of this bug.
As mentioned in comment#7 an LDAP bind is not possible if disabled=='all'. The import with the configuration activate_new_users=False does that. ./scripts/ucs-school-user-import --verbose --conffile configs/ucs-school-testuser-import.json --infile test_users_1_staff.csv --set activate_new_users:default=false 2017-10-02 09:50:49 INFO cmdline.main:114 Configuration is: {u'activate_new_users': {u'default': False}, [..] } 2017-10-02 09:50:54 INFO user_import.create_and_modify_users:133 Adding ImportStaff(name='hinrich.benk2', school='SchuleEins', dn='uid=hinrich.benk2,cn=mitarbeiter,cn=users,ou=SchuleEins,dc=uni,dc=dtr', old_dn=None) (source_uid:TESTID record_uid:Hinrich.Benkert) attributes={'record_uid': u'Hinrich.Benkert', 'disabled': 'all', 'objectType': 'users/user', 'old_user': None, 'display_name': 'Hinrich Benkert', 'source_uid': u'TESTID', 'type_name': 'Staff', 'in_hook': False, 'udm_properties': {u'phone': [u'+72-198-337984'], 'overridePWLength': '1', 'overridePWHistory': '1', u'description': u'A staff.'}, 'type': 'importStaff', 'email': 'hinrich.benkert@uni.dtr', '$dn$': 'uid=hinrich.benk2,cn=mitarbeiter,cn=users,ou=SchuleEins,dc=uni,dc=dtr', 'firstname': 'Hinrich', 'lastname': 'Benkert', 'entry_count': 2L, 'schools': ['SchuleEins'], 'password': 'Z)8oV4L6(w7VvHr', 'school': 'SchuleEins', 'name': 'hinrich.benk2', 'roles': ['staff'], 'school_classes': {}, 'input_data': ['SchuleEins', 'staff', 'Hinrich', 'Benkert', '', 'A staff.', '+72-198-337984', ''], 'birthday': None, 'action': 'A'} udm_properties={u'phone': [u'+72-198-337984'], 'overridePWLength': '1', 'overridePWHistory': '1', u'description': u'A staff.'}... ^^^ attributes={..., 'disabled': 'all', ...} 2017-10-02 09:50:54 INFO user_import.log_stats:399 Created ImportStaff: 1 2017-10-02 09:50:54 INFO user_import.log_stats:401 ['hinrich.benk2'] [..] # udm 'users/user' 'list' '--filter' 'uid=hinrich.benk2' | egrep 'disabled|locked|userexpiry' disabled: all locked: none userexpiry: None # ldapsearch -LLL -D uid=hinrich.benk2,cn=mitarbeiter,cn=users,ou=SchuleEins,dc=uni,dc=dtr -x -W 'uid=hinrich.benk2' uid Enter LDAP Password: ldap_bind: Invalid credentials (49) additional info: account expired
It was decided to treat these as unrelated bugs.
a9534c4f: added a ucs-test to verify that newly imported, deactivated users cannot LDAP bind: 90_ucsschool/222_import-users_new_users_deactivated ucs-test-ucsschool 4.0.4-30
OK: test case runs successfully OK: test case fails with ldap/shadowbind=false ucr set ldap/shadowbind=false && service slapd restart ./222_import-users_new_users_deactivated -f ### FAIL ### Deactivated user can bind to LDAP server. OK: rest is done via Bug #45467
UCS@school 4.2 v4 has been released. http://docs.software-univention.de/changelog-ucsschool-4.2v4-de.html If this error occurs again, please clone this bug.