Univention Bugzilla – Bug 54317
Setting a user account to locked in UDM still allows OpenLDAP bind with that user
Last modified: 2023-05-02 14:38:05 CEST
Setting a user account to locked in UDM still allows OpenLDAP bind with that user:

root@primary20:~# udm users/user create \
  --set username=test1 \
  --set password=univention \
  --set lastname=name1
WARNING: The object is not going to be created underneath of its default containers.
Object created: uid=test1,dc=ucs50domain,dc=net

root@primary20:~# udm users/user modify \
  --dn uid=test1,dc=ucs50domain,dc=net \
  --set locked=1
Object modified: uid=test1,dc=ucs50domain,dc=net

root@primary20:~# ldapsearch -LLL \
  -D uid=test1,dc=ucs50domain,dc=net \
  -w univention \
  uid=test1 1.1
dn: uid=test1,dc=ucs50domain,dc=net
Same in UCS 4.4-8
Created attachment 10900: bug54317.patch
Patch proposal, worked on my UCS 4.4-8 VM.
As explained in Bug #54319, fixing this alone in the way proposed in Comment 2 is not a good idea, in case a customer activates the ppolicy overlay and configures an automatic lockout policy there. In that situation a ppolicy-triggered lockout would also cause a UDM lockout (by virtue of our 70_ppolicy_udm_lock.quilt for openldap), but there would be no suitable unlock mechanism. So either we need to fix Bug #34319 too (which would be good for UDM/UMC UX reasons), or we could say: OK, if you want OpenLDAP lockout, then you need to configure a lockout policy using the ppolicy overlay, and we would need to adjust UDM to set a ppolicy-related attribute like "pwdAccountLockedTime". But that requires the overlay to be loaded, which currently is optional.
I set the "Waiting Support" flag because of Ticket #2021121421000141.
Bug 55501 shows how ppolicy currently initiates the lockout in udm.
Do we have the state of locked somewhere documented? Currently it is not possible to set it via UMC, right?
(In reply to Stefan Gohmann from comment #6)
> Do we have the state of locked somewhere documented?
For developers or for administrators? http://docs.software-univention.de/manual/5.0/de/user-management/user-lockout.html
> Currently it is not possible to set it via UMC, right?
No, it's only possible to unlock via UMC. The only tool in UCS which (is allowed to) set locked=1 is /usr/share/univention-directory-manager-tools/lock_expired_accounts. AD sets the LDAP attributes directly.
> Currently it is not possible to set it via UMC, right?
Reminder: UCS with Samba/AD tries to implement concepts compatible with Active Directory, and in AD administrators cannot lock out accounts by means of a click. In AD administrators can only
A. define a lockout policy
B. unlock locked accounts
That said, we should communicate this more clearly. Maybe we can implement more than AD offers, but that requires
1. the technical possibility in Samba to set "lockoutTime" to a non-zero value via LDAP (currently possible in Samba but not in MS AD)
2. an explicit decision to do this and to maintain this feature.
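The discussion above distinguishes three lock indicators that do not necessarily agree: UDM's own `locked` state, a ppolicy lock recorded in `pwdAccountLockedTime` (only enforced if the overlay is loaded), and the Samba/AD `lockoutTime`. The following is an added audit script for this bug, not UCS or UDM code. It reads `ldapsearch -LLL` style LDIF and lists entries that UDM marks as locked but that the LDAP server itself would still let bind. It assumes (this is not stated on the page) that UDM's `locked=1` is reflected by the letter `L` in `sambaAcctFlags`; the LDIF it ships with is constructed sample data.

```python
"""Audit ldapsearch LDIF output for accounts that UDM marks as locked but that
nothing on the LDAP server would actually stop from binding.

Added example for Bug 54317, not UCS/UDM code. Assumptions (not from the page):
- UDM's `locked=1` is reflected in sambaAcctFlags containing the letter L.
- The OpenLDAP ppolicy overlay refuses the bind only if it is loaded AND
  pwdAccountLockedTime is set on the entry.
- Samba/AD refuses the bind when lockoutTime is present and non-zero.
"""
import base64
from dataclasses import dataclass

# Constructed sample LDIF, shaped like `ldapsearch -LLL` output (not real data).
SAMPLE_LDIF = """\
dn: uid=test1,dc=ucs50domain,dc=net
uid: test1
sambaAcctFlags: [UL         ]

dn: uid=test2,dc=ucs50domain,dc=net
uid: test2
sambaAcctFlags: [U          ]
pwdAccountLockedTime: 000001010000Z

dn: cn=test3,cn=users,dc=ucs50domain,dc=net
sAMAccountName: test3
lockoutTime: 133259928000000000

dn: uid=test4,dc=ucs50domain,dc=net
uid: test4
sambaAcctFlags: [UL         ]
pwdAccountLockedTime: 000001010000Z
"""


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' and
    'attr:: base64' lines. Returns a list of dicts: attribute -> list of values."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


@dataclass
class LockState:
    dn: str
    udm_locked: bool      # UDM's view: sambaAcctFlags carries 'L' (assumption)
    ppolicy_locked: bool  # pwdAccountLockedTime is set
    ad_locked: bool       # lockoutTime is set and non-zero

    def bind_blocked(self, ppolicy_loaded):
        """Would the directory server itself refuse a simple bind for this entry?
        A UDM lock alone blocks nothing; only an enforced mechanism counts."""
        return (ppolicy_loaded and self.ppolicy_locked) or self.ad_locked


def assess(entry):
    flags = entry.get("sambaAcctFlags", [""])[0].strip("[] ")
    lockout = entry.get("lockoutTime", ["0"])[0].strip()
    return LockState(
        dn=entry["dn"][0],
        udm_locked="L" in flags,
        ppolicy_locked=bool(entry.get("pwdAccountLockedTime")),
        ad_locked=lockout not in ("", "0"),
    )


def find_bindable_locked(ldif_text, ppolicy_loaded=False):
    """DNs that UDM reports as locked but that can still bind (the bug on this page)."""
    states = (assess(e) for e in parse_ldif(ldif_text))
    return [s.dn for s in states if s.udm_locked and not s.bind_blocked(ppolicy_loaded)]


if __name__ == "__main__":
    for dn in find_bindable_locked(SAMPLE_LDIF, ppolicy_loaded=False):
        print("locked in UDM, but bind still possible:", dn)
```

Run it against real output with `ldapsearch -LLL -D ... -w ... '(sambaAcctFlags=*)' sambaAcctFlags pwdAccountLockedTime lockoutTime` piped into `parse_ldif`; pass `ppolicy_loaded=True` only if the ppolicy overlay is actually configured on the server, since otherwise `pwdAccountLockedTime` is just data and, as Comment 3 notes, does not stop the bind.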