Bug 55501 - Failure through ppolicy for udm_lock_account action on replica node
Summary: Failure through ppolicy for udm_lock_account action on replica node
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 5.0-2-errata
Assignee: Arvid Requate
QA Contact: Juan Pedro Torres
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-17 07:28 CET by Mirac Erdemiroglu
Modified: 2023-01-13 15:50 CET (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022120521000674
Bug group (optional): Usability
Customer ID: 44145
Max CVSS v3 score:
requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Mirac Erdemiroglu univentionstaff 2022-12-17 07:34:33 CET 
Research from Arvid

When I look into ~/svn/patches/openldap/5.0-0-0-ucs/2.5.11+dfsg-1-errata5.0-1/70_ppolicy_udm_lock.quilt then I think that in case of a lockout event OpenLDAP does thje following which can be simulated manually on the console of the UCS@school replica:
HOME=/ python3 -m univention.lib.account lock \
  --dn "<uid=username,...>" \
  --lock-time "$(date --utc '+%Y%m%d%H%M%SZ')"
Comment 3 Mirac Erdemiroglu univentionstaff 2022-12-17 08:54:03 CET 
Important if necessary: also with central users (here cn=users,dc=mydomain,dc=intranet) the lock is not possible
Comment 4 Arvid Requate univentionstaff 2022-12-30 13:09:40 CET 
bf7110388c | Allow replicas to lockout user accounts
af3730c92f | Advisory
043eb771ea | debian/changelog
ea97d40310 | Advisory update

Package: univention-ldap
Version: 16.0.7-25A~5.0.0.202212301255
Branch: ucs_5.0-0
Scope: errata5.0-2
Comment 5 Arvid Requate univentionstaff 2023-01-02 18:24:03 CET 
d9bef5db1b | restart slapd during update (univention-ldap-acl-master.postinst)
dabc0d446d | Advisory update

Package: univention-ldap
Version: 16.0.7-25A~5.0.0.202301021816
Branch: ucs_5.0-0
Scope: errata5.0-2
Comment 6 Juan Pedro Torres univentionstaff 2023-01-03 10:33:17 CET 
Verified:
* Package update
* Functional test
* Advisory Ok