Bug 54317 - Setting a user account to locked in UDM still allows OpenLDAP bind with that user
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - Users
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UMC maintainers
Depends on:
Blocks:
Reported: 2022-01-10 21:48 CET by Arvid Requate
Modified: 2023-05-02 14:38 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021121421000141
Bug group (optional):
Max CVSS v3 score:
Flags: requate: Patch_Available+


Attachments
bug54317.patch (1.25 KB, patch)
2022-01-10 21:50 CET, Arvid Requate

Description Arvid Requate univentionstaff 2022-01-10 21:48:49 CET
Setting a user account to locked in UDM still allows OpenLDAP bind with that user:

root@primary20:~# udm users/user create \
                      --set username=test1 \
                      --set password=univention \
                      --set lastname=name1
WARNING: The object is not going to be created underneath of its default containers.
Object created: uid=test1,dc=ucs50domain,dc=net

root@primary20:~# udm users/user modify \
                      --dn uid=test1,dc=ucs50domain,dc=net \
                      --set locked=1
Object modified: uid=test1,dc=ucs50domain,dc=net

root@primary20:~# ldapsearch -LLL \
                    -D uid=test1,dc=ucs50domain,dc=net \
                    -w univention \
                    uid=test1 1.1
dn: uid=test1,dc=ucs50domain,dc=net
Comment 1 Arvid Requate univentionstaff 2022-01-10 21:49:10 CET
Same in UCS 4.4-8
Comment 2 Arvid Requate univentionstaff 2022-01-10 21:50:41 CET
Created attachment 10900 [details]
bug54317.patch

Patch proposal, worked on my UCS 4.4-8 VM.
Comment 3 Arvid Requate univentionstaff 2022-01-10 22:29:30 CET
As explained in Bug #54319, fixing this alone in the way proposed in Comment 2 is not a good idea, in case a customer activates the ppolicy overlay and configures an automatic lockout policy there. In that situation a ppolicy-triggered lockout would also cause a UDM lockout (by virtue of our 70_ppolicy_udm_lock.quilt for openldap), but there would be no suitable unlock mechanism.

So either we need to fix Bug #34319 too (which would be good for UDM/UMC UX reasons), or we could say: OK, if you want OpenLDAP lockout, then you need to configure a lockout policy using the ppolicy overlay, and we would need to adjust UDM to set a ppolicy-related attribute like "pwdAccountLockedTime". But that requires the overlay to be loaded, which currently is optional.
Comment 4 Stefan Gohmann univentionstaff 2022-12-19 07:58:36 CET
I set the "Waiting Support" flag because of Ticket #2021121421000141.
Comment 5 Arvid Requate univentionstaff 2022-12-20 13:43:58 CET
Bug 55501 shows how ppolicy currently initiates the lockout in udm.
Comment 6 Stefan Gohmann univentionstaff 2023-04-27 18:58:55 CEST
Do we have the state of locked somewhere documented?

Currently it is not possible to set it via UMC, right?
Comment 7 Florian Best univentionstaff 2023-04-27 19:05:42 CEST
(In reply to Stefan Gohmann from comment #6)
> Do we have the state of locked somewhere documented?
For Developers or for Administrators?
http://docs.software-univention.de/manual/5.0/de/user-management/user-lockout.html

> Currently it is not possible to set it via UMC, right?

No, it's only possible to unlock via UMC.
The only tool in UCS which sets (or is allowed to set) locked=1 is /usr/share/univention-directory-manager-tools/lock_expired_accounts.
AD sets the LDAP attributes directly.
Comment 8 Arvid Requate univentionstaff 2023-05-02 14:38:05 CEST
> Currently it is not possible to set it via UMC, right?

Reminder: UCS with Samba/AD tries to implement concepts compatible with Active Directory,
and in AD administrators cannot lock out accounts by means of a click. In AD administrators
can only

A. define a lockout policy
B. unlock locked accounts

That said, we should communicate this more clearly.


Maybe we can implement more than AD offers, but that requires

1. technical possibility in Samba to set "lockoutTime" to a non-zero value via LDAP
   (currently possible in Samba but not in MS AD)
2. An explicit decision to do this and to maintain this feature.
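The following is an added example, not UCS/UDM code and not part of the bug thread. It makes the point of the description, Comment 3 and Comment 8 executable: slapd itself never consults the UDM "locked" property (so the bind in the description succeeds), the ppolicy overlay consults pwdAccountLockedTime together with the policy's pwdLockoutDuration (with the special value 000001010000Z meaning permanently locked, per slapo-ppolicy(5)), and an AD-style DC consults lockoutTime (a FILETIME, 0 meaning unlocked) together with the domain lockoutDuration. The attribute names are the real ppolicy/AD ones; the function names, the integer-seconds durations and the sample entries are this example's own assumptions, and the ppolicy model assumes a policy with pwdLockout: TRUE.

```python
"""Which lock markers actually stop a bind: an added model, not UCS code.

Constructed example for Bug 54317. Attribute names are the real
slapo-ppolicy / Active Directory ones; helper names and sample entries
are this example's own.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# slapo-ppolicy(5): this GeneralizedTime value marks a permanent lock.
PPOLICY_PERMANENT_LOCK = "000001010000Z"

# AD lockoutTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form slapd writes (YYYYmmddHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def to_filetime(when: datetime) -> int:
    """Convert a UTC datetime to the integer AD stores in lockoutTime."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ppolicy_locked(entry: dict, now: datetime,
                   lockout_seconds: Optional[int]) -> bool:
    """True if slapo-ppolicy (pwdLockout: TRUE) would refuse the bind.

    lockout_seconds models pwdLockoutDuration: None or 0 means the lock
    holds until an administrator deletes pwdAccountLockedTime.
    """
    locked_time = entry.get("pwdAccountLockedTime")
    if locked_time is None:
        return False
    if locked_time == PPOLICY_PERMANENT_LOCK or not lockout_seconds:
        return True
    return now < parse_generalized_time(locked_time) + timedelta(seconds=lockout_seconds)


def ad_locked(entry: dict, now: datetime,
              lockout_seconds: Optional[int]) -> bool:
    """True if an AD-style DC would treat the account as locked out.

    lockoutTime 0 or absent means not locked; otherwise the lock lasts
    for the domain lockoutDuration (None/0: until an admin unlocks).
    """
    ticks = int(entry.get("lockoutTime", "0"))
    if ticks == 0:
        return False
    if not lockout_seconds:
        return True
    locked_at = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return now < locked_at + timedelta(seconds=lockout_seconds)


def openldap_bind_refused(entry: dict, now: datetime, ppolicy_loaded: bool,
                          lockout_seconds: Optional[int] = None) -> bool:
    """Would slapd refuse a simple bind that presents the correct password?

    The UDM property "locked" is deliberately not looked at: as the bug
    description shows, it has no effect on the bind. Only a loaded
    ppolicy overlay plus a pwdAccountLockedTime on the entry does.
    """
    return ppolicy_loaded and ppolicy_locked(entry, now, lockout_seconds)


# Constructed sample entries, evaluated at a fixed "now" (assumption).
NOW = datetime(2022, 1, 10, 21, 0, tzinfo=timezone.utc)
UDM_ONLY = {"uid": "test1", "locked": "1"}                 # the bug's case
PPOLICY_ENTRY = {"uid": "test2", "pwdAccountLockedTime": "20220110200000Z"}
PPOLICY_PERMANENT = {"uid": "test3",
                     "pwdAccountLockedTime": PPOLICY_PERMANENT_LOCK}
AD_ENTRY = {"uid": "test4",
            "lockoutTime": str(to_filetime(NOW - timedelta(minutes=10)))}

if __name__ == "__main__":
    print("UDM locked=1, no ppolicy   ->",
          openldap_bind_refused(UDM_ONLY, NOW, ppolicy_loaded=False))
    print("UDM locked=1, ppolicy      ->",
          openldap_bind_refused(UDM_ONLY, NOW, ppolicy_loaded=True))
    print("pwdAccountLockedTime, 2 h  ->",
          openldap_bind_refused(PPOLICY_ENTRY, NOW, True, 7200))
    print("pwdAccountLockedTime, 30 m ->",
          openldap_bind_refused(PPOLICY_ENTRY, NOW, True, 1800))
    print("AD lockoutTime, 30 m policy->", ad_locked(AD_ENTRY, NOW, 1800))
```

The first two lines of the output are the bug itself: whether or not the overlay is loaded, a UDM-only lock never changes the bind result, because nothing maps locked=1 onto an attribute slapd evaluates. The remaining cases show the two time-based mechanisms the thread proposes as alternatives, including the expiry behaviour an unlock path would have to cover.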