Univention Bugzilla – Bug 46354
S4 Connector does not sync Samba/AD account lockout to LDAP ppolicy lockout
Last modified: 2019-02-27 18:05:46 CET
The S4 Connector doesn't sync Samba/AD account lockout to LDAP ppolicy lockout. The attached patch would make this happen automatically once the ppolicy lockout detection is implemented in the users/user module (Bug #46351) +++ This bug was initially created as a clone of Bug #32014 +++
Created attachment 9403: s4connector_sync_to_ucs_account_lockout_to_ppolicy_lockout.patch
Created attachment 9404: s4connector_sync_to_ucs_account_lockout_to_univention_lib_account_lock.patch This alternative patch would use univention.lib.account.lock, which would be more generic and leave the details up to udm users/user. The drawback is that this converts the badPasswordTime from a resolution of 100 nanoseconds to udm "lockedTime", which only offers a resolution of seconds. As a consequence the synchronization takes two to three turns instead of just one. Not so good.
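Added example, not one of the attached patches: a small model of the resolution loss the comment above describes. It assumes badPasswordTime is an AD large integer of 100 ns ticks since 1601-01-01 UTC and that the OpenLDAP ppolicy attribute pwdAccountLockedTime is a GeneralizedTime string with seconds resolution; the function names and the sample timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed: AD timestamps count 100 ns ticks since the Windows epoch.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def ad_time_to_datetime(ticks: int) -> datetime:
    """Convert an AD 100 ns tick count (e.g. badPasswordTime) to a UTC datetime."""
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    return AD_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)


def datetime_to_ad_time(dt: datetime) -> int:
    """Inverse of ad_time_to_datetime (microsecond resolution at best)."""
    delta = dt - AD_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def to_generalized_time(dt: datetime) -> str:
    """ppolicy pwdAccountLockedTime syntax: GeneralizedTime, seconds, UTC."""
    return dt.strftime("%Y%m%d%H%M%SZ")


def from_generalized_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def direct_sync(bad_password_time: int) -> str:
    """Write the ppolicy lockout time straight from the AD value (one turn)."""
    return to_generalized_time(ad_time_to_datetime(bad_password_time))


def round_trip_via_seconds(bad_password_time: int) -> int:
    """Model of going through a seconds-resolution lockedTime: converting it back
    yields a different tick count, so a naive compare sees a change and schedules
    another sync turn."""
    return datetime_to_ad_time(from_generalized_time(direct_sync(bad_password_time)))


def needs_another_turn(bad_password_time: int) -> bool:
    return round_trip_via_seconds(bad_password_time) != bad_password_time


def needs_another_turn_tolerant(bad_password_time: int) -> bool:
    """Comparing at seconds resolution removes the spurious difference."""
    return (round_trip_via_seconds(bad_password_time) // TICKS_PER_SECOND
            != bad_password_time // TICKS_PER_SECOND)


# Constructed sample: a lockout at 2018-02-14 12:34:56.7891234 UTC.
SAMPLE_BAD_PASSWORD_TIME = datetime_to_ad_time(
    datetime(2018, 2, 14, 12, 34, 56, 789123, tzinfo=timezone.utc)) + 4
```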
To obtain a consistent lockout throughout Samba/AD and OpenLDAP, the ppolicy settings need to match the samba-tool domain passwordsettings. That's similar to UDM password policies. FYI: Please also note that the http://www.zytrax.com/books/ldap/ch6/ppolicy.html overlay also allows per user lockout settings by adding a pwdPolicySubentry attribute to the user object. That's not active in UCS by default.
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.