Bug 47876 - maxPwdAge is rejected even when the value is in the bounds
Summary: maxPwdAge is rejected even when the value is in the bounds
Status: REOPENED
Alias: None
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba maintainers
QA Contact: Samba maintainers
URL: https://bepasty.knut.univention.de/uV...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-27 13:07 CEST by Nico Stöckigt
Modified: 2025-05-27 11:53 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018072521000467, 2025032621000146, 2025052221000113
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Attachments
bug47876.patch (515 bytes, patch)
2018-10-01 12:33 CEST, Arvid Requate
Description Nico Stöckigt univentionstaff 2018-09-27 13:07:56 CEST
When setting 'pwdMaxAge' back to '0' the internal value is '-9223372036854775808'. That value is then synced to UCS/OpenLDAP, but the S4 connector rejects the change.

==================================================
27.09.2018 12:20:43,19 LDAP        (ERROR  ): InvalidSyntax: Maximum password age: Value out of bounds (0 - 86313600 seconds) (dc=domain,dc=tld)
==================================================

The issue is reproducible - see my testing environment 10.200.42.10 (master)

My system was: 4.3-2 errata237
Customers System was:  4.3-1
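
Added illustration (not part of the bug report and not the S4 connector's code): Active Directory stores maxPwdAge as a negative count of 100-nanosecond intervals, and the value -9223372036854775808 from the description is the minimum signed 64-bit integer, which AD uses for "passwords never expire". The sketch shows why converting it like an ordinary interval lands outside the 0 - 86313600 second bound from the log line; all function names are hypothetical.

```python
INT64_MIN = -(2 ** 63)          # -9223372036854775808, the value quoted in the report
TICKS_PER_SECOND = 10_000_000   # AD time unit: 100 nanoseconds
UDM_MAX_SECONDS = 86313600      # upper bound from the connector error (999 days)


def in_bounds(seconds: int) -> bool:
    """The range check quoted in the error message."""
    return 0 <= seconds <= UDM_MAX_SECONDS


def naive_seconds(ad_value: int) -> int:
    """Convert every value as if it were a real interval (no sentinel handling)."""
    return abs(ad_value) // TICKS_PER_SECOND


def safe_seconds(ad_value: int) -> int:
    """Map the 'never expires' sentinel to 0 first, then convert and range-check."""
    if ad_value == INT64_MIN:
        return 0
    if ad_value > 0:
        raise ValueError("maxPwdAge is expected to be zero or negative")
    seconds = -ad_value // TICKS_PER_SECOND
    if not in_bounds(seconds):
        raise ValueError(f"{seconds} s is outside 0 - {UDM_MAX_SECONDS} s")
    return seconds


if __name__ == "__main__":
    naive = naive_seconds(INT64_MIN)
    print("naive:", naive, "in bounds:", in_bounds(naive))
    print("safe: ", safe_seconds(INT64_MIN))
    print("1 day:", safe_seconds(-864_000_000_000))
```
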
Comment 1 Arvid Requate univentionstaff 2018-10-01 12:33:25 CEST
Created attachment 9686 [details]
bug47876.patch
Comment 2 Ingo Steuwer univentionstaff 2021-05-14 15:42:02 CEST
This issue has been filed against UCS 4.3.

UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 3 Christina Scheinig univentionstaff 2025-03-27 11:32:57 CET
Happened again

Connector-s4.log shows:
27.03.2025 10:25:20.322 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=domain,DC=internal'
27.03.2025 10:25:20.328 LDAP        (PROCESS): sync AD > UCS: [  container_dc] [    modify] 'dc=domain,dc=internal'
27.03.2025 10:25:20.330 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=domain,dc=internal')
27.03.2025 10:26:15.665 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=domain,DC=internal'
27.03.2025 10:26:15.671 LDAP        (PROCESS): sync AD > UCS: [  container_dc] [    modify] 'dc=domain,dc=internal'
27.03.2025 10:26:15.672 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=domain,dc=internal')
27.03.2025 10:27:11.034 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=domain,DC=internal'
27.03.2025 10:27:11.039 LDAP        (PROCESS): sync AD > UCS: [  container_dc] [    modify] 'dc=domain,dc=internal'
27.03.2025 10:27:11.040 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=domain,dc=internal')

Impact: a newly created user could not be moved into another container
Comment 4 Christina Scheinig univentionstaff 2025-03-28 14:07:28 CET
univention-s4search maxPwdAge=* 1.1 maxPwdAge
# record 1
dn: DC=domain,DC=internal
maxPwdAge: -9223372036854775808

----------------

 udm policies/pwhistory list 

DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=domain,dc=internal
  expiryInterval: None
  ldapFilter: None
  length: 3
  name: default-settings
  pwLength: 8
  pwQualityCheck: None

DN: cn=Passwort_10_Zeichen,cn=policies,dc=domain,dc=internal
  expiryInterval: 730
  ldapFilter: None
  length: 1
  name: Passwort_10_Zeichen
  pwLength: 10
  pwQualityCheck: TRUE

---------------------
udm settings/sambadomain list

DN: sambaDomainName=SEP,cn=samba,dc=domain,dc=internal
  NextGroupRid: 1000
  NextRid: None
  NextUserRid: 1000
  SID: S-1-5-21-2070111880-1463812749-1768392224
  badLockoutAttempts: None
  disconnectTime: None
  domainPasswordComplex: 1
  domainPasswordStoreCleartext: 0
  domainPwdProperties: 1
  lockoutDuration: None
  logonToChangePW: None
  maxPasswordAge: None
  minPasswordAge: None
  name: SEP
  passwordHistory: 0
  passwordLength: 8
  refuseMachinePWChange: None
  resetCountMinutes: None

To fix this
udm settings/sambadomain modify --dn "sambaDomainName=$(ucr get windows/domain),cn=samba,$(ucr get ldap/base)"   --set maxPasswordAge=1

udm settings/sambadomain modify --dn "sambaDomainName=$(ucr get windows/domain),cn=samba,$(ucr get ldap/base)"   --set maxPasswordAge=0
Comment 5 Mirac Erdemiroglu univentionstaff 2025-05-27 11:53:02 CEST
Another customer affected 2025052221000113

27.05.2025 10:46:01.907 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=uni,DC=local'
27.05.2025 10:46:01.910 LDAP        (PROCESS): sync AD > UCS: [  container_dc] [    modify] 'dc=uni,dc=local'
27.05.2025 10:46:01.912 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=uni,dc=local')
27.05.2025 10:46:56.981 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=uni,DC=local'
27.05.2025 10:46:56.990 LDAP        (PROCESS): sync AD > UCS: [  container_dc] [    modify] 'dc=uni,dc=local'
27.05.2025 10:46:56.991 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=uni,dc=local')
27.05.2025 10:46:58.207 MAIN        (------ ): DEBUG_INIT
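
Added illustration (not from the bug thread or from Univention): a small scanner that finds DNs for which the connector keeps logging the "Maximum password age: Value out of bounds" reject shown in the comments above. It accepts both the 2018 and the 2025 line format quoted on this page; the sample log is constructed and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the connector-s4.log format quoted in this bug.
SAMPLE_LOG = """\
01.01.2025 10:00:00.100 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=example,DC=test'
01.01.2025 10:00:00.110 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=example,dc=test')
01.01.2025 10:00:55.200 LDAP        (PROCESS): sync AD > UCS: Resync rejected dn: 'DC=example,DC=test'
01.01.2025 10:00:55.210 LDAP        (ERROR  ): InvalidSyntax: Invalid syntax: Maximum password age: Value out of bounds (0 - 86313600 seconds). ('dc=example,dc=test')
01.01.2025 10:01:00.000 LDAP        (ERROR  ): InvalidSyntax: Maximum password age: Value out of bounds (0 - 86313600 seconds) (dc=other,dc=test)
"""

# Timestamp, the ERROR marker, the message text, then the DN in the last parentheses
# (quoted in the 2025 lines, unquoted in the 2018 line).
ERR = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}[.,]\d+)\s+LDAP\s+\(ERROR\s*\): "
    r"InvalidSyntax: .*Maximum password age: Value out of bounds.*"
    r"\('?(?P<dn>[^')]+)'?\)\s*$"
)


def stuck_password_age_rejects(log_text, min_repeats=2):
    """Return {dn: (count, first_ts, last_ts)} for DNs rejected at least min_repeats times."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = ERR.match(line)
        if match:
            hits[match.group("dn").lower()].append(match.group("ts"))
    return {
        dn: (len(stamps), stamps[0], stamps[-1])
        for dn, stamps in hits.items()
        if len(stamps) >= min_repeats
    }


if __name__ == "__main__":
    for dn, (count, first, last) in stuck_password_age_rejects(SAMPLE_LOG).items():
        print(f"{dn}: {count} rejects between {first} and {last}")
```
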