Univention Bugzilla – Bug 56816
AD-Connector doesn't handle accountExpires == 0 properly, reject and traceback in log
Last modified: 2023-11-10 21:09:20 CET
Test scenario ad-connector/autotest-241-adsync-w2k19-english-two-forest-children.cfg shows a reject for connector2 when it tries to set the Administrator account of the second forest child domain to "never expires":

====================================================================
10.11.2023 17:41:41.909 LDAP        (INFO   ): get_object: got object: cn=administrator,cn=users,DC=subb241,DC=autotest241win,DC=test
10.11.2023 17:41:41.910 LDAP        (INFO   ): Disabled state: 0
10.11.2023 17:41:41.911 LDAP        (ALL    ): disable_user_from_ucs: modlist: [(2, 'accountExpires', [b'9223372036854775807'])]
10.11.2023 17:41:41.914 LDAP        (WARNING): sync failed, saved as rejected
	/var/lib/univention-connector2/ad/1699620682.561881
10.11.2023 17:41:41.914 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 809, in __sync_file_from_ucs
    if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, object_old):
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 2284, in sync_from_ucs
    post_con_modify_function(self, property_type, object)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 121, in disable_user_from_ucs
    return connector.disable_user_from_ucs(key, object)
  File "/usr/lib/python3/dist-packages/univention/connector/ad/__init__.py", line 1713, in disable_user_from_ucs
    self.lo_ad.lo.modify_s(object['dn'], modlist)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 629, in modify_s
    return self.modify_ext_s(dn,modlist,None,None)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1253, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 602, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.OTHER: {'desc': 'Other (e.g., implementation specific) error', 'info': '0000055B: SysErr: DSID-031A1242, problem 22 (Invalid argument), data 0\n' }
====================================================================

I guess we miss the case "accountExpires: 0" mentioned at the end of:
https://learn.microsoft.com/en-us/windows/win32/adschema/a-accountexpires

When I changed

    modlist.append((ldap.MOD_REPLACE, 'accountExpires', [b'9223372036854775807']))

into

    modlist.append((ldap.MOD_REPLACE, 'accountExpires', [b'0']))

the reject disappears. Also, from that documentation I understand that "0" also corresponds to "never expires" and would not have needed to be modified at all in this case.

> The date when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
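
An added example, not part of the bug report and not the connector's own code: it treats both documented sentinels as "never expires", so a modlist is only built when the effective expiry actually changes. The function names are hypothetical, and writing `0` for "never" is an assumption taken from the reporter's observation above.

```python
from datetime import datetime, timedelta, timezone

# Both values mean "never expires" according to the Microsoft text quoted above.
NEVER_EXPIRES = frozenset({0, 0x7FFFFFFFFFFFFFFF})
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MOD_REPLACE = 2  # numeric value of ldap.MOD_REPLACE, as shown in the logged modlist


def parse_account_expires(raw):
    """Return None for "never expires", else the expiry as an aware UTC datetime."""
    value = int(raw)  # accepts b'0' as delivered by python-ldap, or a str/int
    if value in NEVER_EXPIRES:
        return None
    if value < 0:
        raise ValueError("accountExpires must not be negative: %r" % (raw,))
    try:
        # accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    except OverflowError:
        raise ValueError("accountExpires out of datetime range: %r" % (raw,))


def to_account_expires(expiry):
    """Inverse mapping: None -> 0 (assumption, see lead-in), datetime -> interval count."""
    if expiry is None:
        return 0
    delta = expiry - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def expiry_modlist(current_raw, desired_expiry):
    """Build a python-ldap style modlist, or [] when nothing effectively changes."""
    if parse_account_expires(current_raw) == desired_expiry:
        return []  # e.g. AD holds 0 and "never" is wanted: no write, no reject
    new_value = str(to_account_expires(desired_expiry)).encode("ascii")
    return [(MOD_REPLACE, "accountExpires", [new_value])]


if __name__ == "__main__":
    # Constructed sample values, not taken from the test environment.
    for current in (b"0", b"9223372036854775807", b"133485408000000000"):
        print(current, "->", expiry_modlist(current, None))
```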