Univention Bugzilla – Bug 54318
Lockout in Samba/AD doesn't trigger lockout in OpenLDAP
Last modified: 2023-01-05 08:30:47 CET
Debugging Ticket#2021121421000141 showed that a lockout triggered in Samba/AD only gets partly synchronized to OpenLDAP/UDM: UDM shows the account as locked, but ldapsearch with a simple bind continues to work. I looked into this and found:

1. The S4-Connector doesn't "lock" (i.e. reversibly invalidate) the userPassword when synchronizing from Samba/AD to OpenLDAP. It only causes UDM to show "locked".
2. The UDM "locked" status doesn't depend on the state of the userPassword.
3. A UDM lock/unlock doesn't invalidate/re-activate the user password (Bug #54317).
4. The OpenLDAP patch 70_ppolicy_udm_lock.quilt only locks in UDM but doesn't check the lock status.
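The comment above names three lock markers on the OpenLDAP entry that are independent of each other (the userPassword hash, the Samba account flags and the ppolicy lock time) and tests them with ldapsearch plus a simple bind. The script below is an added example for reproducing that check; it is not code from the bug report, the attached patch or UCS itself. It assumes, as labelled in the comments, that a reversibly invalidated userPassword carries a "!" directly after the scheme (e.g. "{crypt}!$6$..."), that sambaAcctFlags contains "L" for a locked account, that pwdAccountLockedTime is the ppolicy overlay's marker, and that ADMIN_DN / ADMIN_PW_FILE name a bind allowed to read userPassword. The sample entry is constructed, not real data.

```shell
#!/bin/sh
# Added example (not from the bug report or from UCS). Checks the three
# independent lock markers on one OpenLDAP user entry and, on a live host,
# repeats the simple-bind test from the report.
# Assumptions: "{scheme}!..." marks a reversibly invalidated userPassword,
# "L" in sambaAcctFlags marks a Samba lock, pwdAccountLockedTime is the
# ppolicy marker, ADMIN_DN / ADMIN_PW_FILE are placeholders for a bind that
# may read userPassword.

# lock_indicators: read one LDIF entry from stdin, print "marker=state" per
# marker. userPassword is accepted base64-encoded ("userPassword:: ", as
# ldapsearch prints it) or plain ("userPassword: ").
lock_indicators() {
    ldif=$(cat)
    pw=$(printf '%s\n' "$ldif" | sed -n 's/^userPassword:: //p' | base64 -d 2>/dev/null || true)
    [ -n "$pw" ] || pw=$(printf '%s\n' "$ldif" | sed -n 's/^userPassword: //p')
    case "$pw" in
        '')        pw_state=absent ;;
        '{'*'}!'*) pw_state=invalidated ;;   # assumed marker: "!" right after the scheme
        *)         pw_state=active ;;
    esac

    flags=$(printf '%s\n' "$ldif" | sed -n 's/^sambaAcctFlags: //p')
    case "$flags" in
        *L*) samba_state=locked ;;
        *)   samba_state=unlocked ;;
    esac

    if printf '%s\n' "$ldif" | grep -q '^pwdAccountLockedTime: '; then
        ppolicy_state=locked
    else
        ppolicy_state=unlocked
    fi

    printf 'userPassword=%s\nsambaAcctFlags=%s\npwdAccountLockedTime=%s\n' \
        "$pw_state" "$samba_state" "$ppolicy_state"
}

# inconsistent: exit 0 when the entry looks locked (Samba flag or ppolicy
# time set) while the password hash is still active, i.e. the state the
# report describes; exit 1 otherwise. Reads the LDIF entry from stdin.
inconsistent() {
    report=$(lock_indicators)
    case "$report" in *'userPassword=active'*) pw_active=1 ;; *) pw_active=0 ;; esac
    case "$report" in *'=locked'*) udm_locked=1 ;; *) udm_locked=0 ;; esac
    if [ "$pw_active" = 1 ] && [ "$udm_locked" = 1 ]; then
        return 0
    fi
    return 1
}

# check_user: the report's two-step test against a live host.
#   usage: check_user 'uid=alice,cn=users,dc=example,dc=com' 'alice-password'
# Step 1 reads the markers with a privileged bind (placeholders, see above);
# step 2 is the simple bind that keeps succeeding in the report.
check_user() {
    entry=$(ldapsearch -x -LLL -o ldif-wrap=no -D "$ADMIN_DN" -y "$ADMIN_PW_FILE" \
        -b "$1" -s base '(objectClass=*)' userPassword sambaAcctFlags pwdAccountLockedTime)
    printf '%s\n' "$entry" | lock_indicators
    if ldapwhoami -x -D "$1" -w "$2" >/dev/null 2>&1; then
        echo "simple bind as $1: SUCCEEDED"
    else
        echo "simple bind as $1: refused"
    fi
}

# Constructed sample entry (not real data): the "partly synchronized" state
# from the report, with the hash base64-encoded the way ldapsearch prints it.
SAMPLE_LDIF="dn: uid=alice,cn=users,dc=example,dc=com
userPassword:: $(printf '%s' '{crypt}$6$saltsalt$notarealhash' | base64)
sambaAcctFlags: [UL          ]
pwdAccountLockedTime: 20211214120000Z"

printf '%s\n' "$SAMPLE_LDIF" | lock_indicators
if printf '%s\n' "$SAMPLE_LDIF" | inconsistent; then
    echo "UDM-visible lock is set, but userPassword is still active: a simple bind would succeed"
fi
```

Against a live UCS host, run `check_user` for the affected user after triggering the lockout in Samba/AD; with the report's symptom the first block prints `userPassword=active` next to at least one `=locked` marker, and the second line reports the simple bind as succeeded.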
Created attachment 10901: bug54318.patch
The patch fixes point 1 of the list above and worked on my UCS 4.4-8 test VM.
I set the "Waiting Support" flag because of Ticket #2021121421000141.