Bug 54318 - Lockout in Samba/AD doesn't trigger lockout in OpenLDAP
Status: NEW
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2022-01-10 21:53 CET by Arvid Requate
Modified: 2023-01-05 08:30 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021121421000141
Bug group (optional):
Max CVSS v3 score:


Attachments
bug54318.patch (2.60 KB, patch)
2022-01-10 21:54 CET, Arvid Requate

Description Arvid Requate univentionstaff 2022-01-10 21:53:11 CET
Debugging Ticket#2021121421000141 showed that a lockout triggered in Samba/AD only gets partly synchronized to OpenLDAP/UDM. UDM shows the account as locked, but ldapsearch with a simple bind continues to work.

I researched this and found:

1. The S4-Connector doesn't "lock" (i.e. reversibly invalidate) the userPassword when synchronizing from Samba/AD to OpenLDAP. It only causes UDM to show "locked".

2. The UDM "locked" status doesn't depend on the state of the userPassword.

3. A UDM lock/unlock doesn't invalidate/re-activate the user password (Bug #54317).

4. The OpenLDAP patch 70_ppolicy_udm_lock.quilt only locks in UDM but doesn't check the lock status.
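The reversible invalidation that point 1 refers to, and the mismatch between a displayed lock and an effective one, as an added example that is not part of this bug report or the attached patch. It assumes a hypothetical convention of inserting "!" after the userPassword scheme prefix (the real UCS mechanism may differ), and the directory entries are constructed.

```python
import re

# Assumption (not from the bug page): a locked userPassword keeps its original
# hash but gets "!" inserted after the {scheme} prefix, so no simple bind can
# succeed and the original hash can be restored on unlock. Hashes are constructed.
LOCK_MARKER = "!"
SCHEME_RE = re.compile(r"^(\{[A-Za-z0-9-]+\})?(.*)$", re.S)


def _split(user_password):
    scheme, rest = SCHEME_RE.match(user_password).groups()
    return scheme or "", rest


def is_password_locked(user_password):
    return _split(user_password)[1].startswith(LOCK_MARKER)


def lock_password(user_password):
    """Reversibly invalidate the hash; idempotent so a re-sync cannot double-lock."""
    scheme, rest = _split(user_password)
    if rest.startswith(LOCK_MARKER):
        return user_password
    return f"{scheme}{LOCK_MARKER}{rest}"


def unlock_password(user_password):
    """Restore the original hash; a no-op if it was never locked."""
    scheme, rest = _split(user_password)
    if not rest.startswith(LOCK_MARKER):
        return user_password
    return f"{scheme}{rest[len(LOCK_MARKER):]}"


def lock_status(udm_locked, user_password):
    """'consistent': displayed and effective state agree. 'display-only': UDM
    shows locked but the hash is intact, so a simple bind still works (the
    situation this bug describes). 'password-only': hash disabled, UDM unlocked."""
    if udm_locked == is_password_locked(user_password):
        return "consistent"
    return "display-only" if udm_locked else "password-only"


def audit(entries):
    """entries: (dn, udm_locked, userPassword) triples; returns only the mismatches."""
    return [(dn, lock_status(locked, pw)) for dn, locked, pw in entries
            if lock_status(locked, pw) != "consistent"]


# Constructed sample directory state: alice shows the bug, bob and carol are fine.
SAMPLE = [
    ("uid=alice,cn=users,dc=example,dc=test", True, "{crypt}$6$saltsalt$hash1"),
    ("uid=bob,cn=users,dc=example,dc=test", True, "{crypt}!$6$saltsalt$hash2"),
    ("uid=carol,cn=users,dc=example,dc=test", False, "{crypt}$6$saltsalt$hash3"),
]

if __name__ == "__main__":
    for dn, status in audit(SAMPLE):
        print(f"{status}: {dn}")
```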
Comment 1 Arvid Requate univentionstaff 2022-01-10 21:54:38 CET
Created attachment 10901
bug54318.patch

The patch fixes point 1 of the list above and worked on my UCS 4.4-8 test VM.
Comment 2 Stefan Gohmann univentionstaff 2022-12-19 07:58:24 CET
I set the "Waiting Support" flag because of Ticket #2021121421000141.