The changes in the S4-Connector should also be implemented in the AD-Connector, with the exception that it's not possible to sync a locked=True state into Active Directory.

+++ This bug was initially created as a clone of Bug #32014 +++

The S4 Connector currently does not sync the account locking state. Due to the differing locking semantics in Samba3/OpenLDAP and Samba4/AD it might not be trivial to do this:

* The lockoutTime attribute in Samba4/AD specifies when the account was locked (100ns format, local daylight-saving time). The account is then locked for a period specified by the attribute lockoutDuration. After that period the user may log in again. The flag is then reset only after a successful login.
* This attribute currently has no clear counterpart in the Samba3/OpenLDAP schema (badPasswordTime might be somewhat close in meaning).
* The connector can only detect and synchronize a Samba4/AD account unlock to UDM once the user has logged in successfully in Samba4/AD, since only this causes a write operation to the lockoutTime attribute in Samba4/AD.
* AFAIK the lockoutDuration in Samba4/AD can be specified not only via the domain object but also via GPOs.

Some additional details:

** A short test showed that Samba4 allows setting lockoutTime to any value (research for Ticket#2012051121003316 showed that native AD only allowed a reset to "0").
** Unlock is also possible via userAccountControl: https://git.samba.org/?p=samba.git;a=commitdiff;h=7f760ed84b4b34937b3a65577f971cc95f452e0f
** In Samba3/OpenLDAP the lockout is connected to the attribute sambaAcctFlags. This flag is a bit similar to the calculated Samba4/AD attribute msDS-User-Account-Control-Computed, but it can also be written to.

Summarizing:

* UCS->S4 sync of UDM Samba account lock is hard: could work if UDM writes the lockoutTime to some OpenLDAP attribute and the S4 Connector synchronizes it. But then this requires lockoutDuration to be consistent for all objects in UDM and Samba4.
* UCS->S4 sync of UDM Samba account unlock is easy: the S4 Connector synchronizes a UDM locking change to Samba4, preferably via userAccountControl.
* S4->UCS sync of Samba4 account lock is possible: if lockoutTime != 0 the S4 Connector would need to check msDS-User-Account-Control-Computed. If that is true it should lock the UDM Samba account. It should probably sync the lockoutTime too for the next point.
* S4->UCS sync of Samba4 account unlock: maybe easy: if the lockoutTime is synchronized, the S4 Connector can discover that the lockoutTime was reset to zero in Samba4. If it is not, then it can discover that lockoutTime==0 while the UDM Samba account is currently locked.

+++ This bug was initially created as a clone of Bug #31587 +++
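The four sync cases summarized in the comment above, worked through as an added Python example. This is not code from univention-s4-connector or univention-ad-connector. The attribute names lockoutTime, lockoutDuration, userAccountControl and msDS-User-Account-Control-Computed are the real AD ones, the UF_LOCKOUT bit value 0x10 and the FILETIME encoding (100ns ticks since 1601-01-01) are standard; the dict-based entries, the NOW/THIRTY_MIN sample values and the way lockout_active() derives the computed flag from lockoutTime and lockoutDuration are a model of the behaviour described in the bug, not the connectors' implementation.

```python
"""Model of the S4/AD <-> UDM account-lock sync decisions (added example,
not connector code). Entries are plain dicts constructed inline."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores lockoutTime as a FILETIME: 100ns intervals since 1601-01-01.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Bit set in msDS-User-Account-Control-Computed while the lockout is active.
UF_LOCKOUT = 0x0010


def filetime_to_datetime(ticks: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta yields an exact int (avoids float rounding at ~1e16)
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def lockout_active(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Model of how the UF_LOCKOUT flag is derived (assumption, see lead-in):
    lockoutTime != 0 alone does not mean "locked", because the lock expires
    after lockoutDuration, which the domain object stores as a negative 100ns
    interval; 0 means locked until an administrator unlocks."""
    if lockout_time == 0:
        return False
    if lockout_duration == 0:
        return True
    expires = filetime_to_datetime(lockout_time) + timedelta(
        microseconds=(-lockout_duration) // 10)
    return now < expires


def ad_entry(lockout_time: int, lockout_duration: int, now: datetime) -> dict:
    """Constructed sample of what the connector reads from Samba4/AD."""
    computed = UF_LOCKOUT if lockout_active(lockout_time, lockout_duration, now) else 0
    return {"lockoutTime": lockout_time, "msDS-User-Account-Control-Computed": computed}


def s4_to_ucs_action(entry: dict, udm_locked: bool) -> Optional[str]:
    """AD -> UDM direction: 'lock', 'unlock' or None (nothing to do)."""
    lockout_time = int(entry.get("lockoutTime", 0))
    computed = int(entry.get("msDS-User-Account-Control-Computed", 0))
    ad_locked = bool(computed & UF_LOCKOUT)
    if lockout_time != 0 and ad_locked and not udm_locked:
        return "lock"      # lockoutTime set AND computed flag set -> lock the UDM account
    if lockout_time == 0 and udm_locked:
        return "unlock"    # lockoutTime reset to 0 while UDM is still locked -> unlock
    return None            # also covers: lockoutTime != 0 but the lock already expired


def ucs_to_s4_modlist(udm_locked: bool) -> list:
    """UDM -> AD direction. Only an unlock can be expressed; a UDM lock cannot be
    pushed into AD (the 'hard' case above), so nothing is returned for it.
    Resetting lockoutTime to 0 is the write native AD accepts; the bug also
    mentions userAccountControl as an alternative unlock path."""
    if udm_locked:
        return []
    return [("replace", "lockoutTime", ["0"])]


# Constructed sample values: a fixed "now" and a 30-minute lockoutDuration in
# AD sign convention (negative 100ns interval).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
THIRTY_MIN = -30 * 60 * 10_000_000
FRESH_ENTRY = ad_entry(datetime_to_filetime(NOW - timedelta(minutes=10)), THIRTY_MIN, NOW)
STALE_ENTRY = ad_entry(datetime_to_filetime(NOW - timedelta(minutes=60)), THIRTY_MIN, NOW)

if __name__ == "__main__":
    print(s4_to_ucs_action(FRESH_ENTRY, udm_locked=False))   # lock
    print(s4_to_ucs_action(STALE_ENTRY, udm_locked=False))   # None: expired, flag clear
    print(s4_to_ucs_action({"lockoutTime": 0}, udm_locked=True))  # unlock
    print(ucs_to_s4_modlist(udm_locked=False))
```

The STALE_ENTRY case is the reason the comment insists on checking msDS-User-Account-Control-Computed: its lockoutTime is still non-zero (nothing rewrites it until the next successful login), but the lock has expired, so the connector must not lock the UDM account on lockoutTime alone.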
The account locking state is now synchronized from AD to UCS. From UCS to AD, the locked=False state is synchronized. AD doesn't offer APIs to sync locked=True. The S4-Connector code has been unified with this variant, which does the changes via UDM instead of duplicating the LDAP logic.

univention-s4-connector.yaml
67f7455d609e | chore(ad-connector): update advisory univention-s4-connector (16.3.1)
67f7455d609e | chore(ad-connector): update advisory univention-s4-connector (16.3.0)
f3d131866a7f | feat(s4-connector): Unify locked password sync with AD-Connector

univention-ad-connector.yaml
67f7455d609e | chore(ad-connector): update advisory univention-ad-connector (16.4.5)
67f7455d609e | chore(ad-connector): update advisory univention-ad-connector (16.4.4)
e21ab0c38602 | feat(ad-connector): Sync locked user account.

ucs-test (12.3.24)
be7473cddb05 | test(s4-connector): Add tests for lockout time sync
d48012f4f862 | test(ad-connector): Add tests for lockout time sync
bef332645501 | feat(testing): Added utils for samba-tools and smbclient.
OK - advisories
OK - jenkins tests
OK - univention-ad-connector
OK - univention-s4-connector
<https://errata.software-univention.de/#/?erratum=5.2x276> <https://errata.software-univention.de/#/?erratum=5.2x277>