Bug 35329

Summary: Allow comparison of shadowExpire in nis.schema
Product: UCS
Reporter: Sönke Schwardt-Krummrich <schwardt>
Component: LDAP
Assignee: Sönke Schwardt-Krummrich <schwardt>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: gohmann, jmm, uf
Version: UCS 3.2
Target Milestone: UCS 3.2-2-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=39119
Bug Blocks: 35088, 35900    

Description Sönke Schwardt-Krummrich univentionstaff 2014-07-09 21:09:13 CEST
For fixing Bug #35088 the LDAP server has to be able to compare/sort the numeric values of shadowExpire. To achieve this, the LDAP schema nis.schema in the package openldap has to be patched:

 attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch
+       ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
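Review bot: the hunk has no file header or @@ context line, so as shown it documents the intended change rather than a patch that can be applied or diffed against the openldap package; please reference the actual patch file so QA can confirm the rebuilt package's nis.schema carries the added `ORDERING integerOrderingMatch` line. Also, slapd only reads slapd.conf schema at startup, so the `>=`/`<=` filters in the verification request only start working after slapd has been restarted on the rebuilt package; the QA steps should say so explicitly.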


+++ This bug was initially created as a clone of Bug #35088 +++

Currently an LDAP bind is possible if a user account has expired/reached the expiration date. This also affects 3rd party products which rely on LDAP bind as authentication method.

Possible solution:
A cronjob is looking for expired user accounts (*not* expired user passwords!) and disables at least the POSIX/LDAP login for these accounts.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2014-07-09 21:27:35 CEST
Patch for package openldap has been updated (new bug number); package openldap has been rebuilt; YAML file 2014-06-10-openldap.yaml has been updated.
→ FIXED
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2014-07-10 08:18:29 CEST
@QA: please verify that you are able to search for accounts that expired within a specific time range:

univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=16261))'

16250 ==> number of days since 1970-01-01
Comment 3 Felix Botner univentionstaff 2014-07-10 15:00:39 CEST
-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire=16269))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16269))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16200))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=18261))' dn shadowExpire
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch  shadowExpire=* shadowExpire dn -LLL
dn: uid=Guest,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=krbtgt,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=17000))' dn shadowExpire -LLL
dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=16250)(shadowExpire<=19000))' dn shadowExpire -LLL
dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

-> univention-ldapsearch '(&(objectClass=posixAccount)(shadowExpire>=1)(shadowExpire<=19000))' dn shadowExpire -LLL
dn: uid=Guest,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=krbtgt,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269

OK - YAML
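The day-number arithmetic behind the filter in Comment 2 and the `-LLL` listings in Comment 3 are worth having in code: an operator hunting for the accounts Bug #35088's cronjob is meant to disable needs to turn calendar dates into shadowExpire values, build the range filter, and read the result back. The following Python is an added example and is not part of the bug report, of UCS or of OpenLDAP. The LDIF parser is a minimal one written for this example, the sample listing is constructed from the Comment 3 output, and the rule that an account is expired on and after its shadowExpire day is a convention chosen here, not something the bug states.

```python
# Added example, not part of the bug report or of UCS/OpenLDAP: convert between
# calendar dates and shadowExpire day numbers, build the range filter used in
# Comment 2, and evaluate `ldapsearch -LLL dn shadowExpire` output shaped like
# Comment 3 to list the accounts that have already expired.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)


def to_shadow_days(iso_date: str) -> int:
    """shadowExpire stores the expiry as days since 1970-01-01 (16261 = 2014-07-10)."""
    return (date.fromisoformat(iso_date) - EPOCH).days


def from_shadow_days(days: int) -> str:
    """Inverse of to_shadow_days; returns an ISO date string."""
    return (EPOCH + timedelta(days=days)).isoformat()


def expired_range_filter(start: str, end: str) -> str:
    """LDAP filter for posixAccounts whose expiry falls within [start, end].
    The >= and <= comparisons only work once shadowExpire carries an ORDERING
    rule (integerOrderingMatch); with EQUALITY alone slapd cannot evaluate them."""
    lo, hi = to_shadow_days(start), to_shadow_days(end)
    if lo > hi:
        raise ValueError("start must not be after end")
    return f"(&(objectClass=posixAccount)(shadowExpire>={lo})(shadowExpire<={hi}))"


def parse_ldif(text: str) -> list:
    """Minimal parser (written for this example) for `-LLL dn shadowExpire` output:
    entries are separated by blank lines; comment lines and other attributes are
    ignored. Returns a list of (dn, shadowExpire) with shadowExpire as int or None."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if current:
                entries.append((current.get("dn"), current.get("shadowExpire")))
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "dn":
            current["dn"] = value
        elif key == "shadowExpire":
            # INTEGER syntax: a non-numeric value is a data error, not an expiry date
            current["shadowExpire"] = int(value) if value.lstrip("-").isdigit() else None
    return entries


def expired_accounts(ldif_text: str, today: str) -> list:
    """Return [(dn, expiry_iso)] for entries whose shadowExpire day is <= today's.
    Convention chosen here (assumption, not stated in the bug): an account is
    expired on and after its shadowExpire day; values below 1 are treated as unset."""
    today_days = to_shadow_days(today)
    result = []
    for dn, expire in parse_ldif(ldif_text):
        if dn is None or expire is None or expire < 1:
            continue
        if expire <= today_days:
            result.append((dn, from_shadow_days(expire)))
    return result


# Constructed sample: the -LLL listing from Comment 3, trimmed to the fields used.
SAMPLE_LDIF = """\
dn: uid=Guest,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=krbtgt,cn=users,dc=w2k12,dc=test
shadowExpire: 1

dn: uid=test4,dc=w2k12,dc=test
shadowExpire: 18000

dn: uid=test5,cn=users,dc=w2k12,dc=test
shadowExpire: 16269
"""

if __name__ == "__main__":
    print(expired_range_filter("2014-06-29", "2014-07-10"))
    for dn, when in expired_accounts(SAMPLE_LDIF, "2014-07-10"):
        print(f"expired {when}: {dn}")
```

Run against the Comment 3 listing with `today` set to 2014-07-10, the two entries with `shadowExpire: 1` (Guest and krbtgt, expired on 1970-01-02) come back as expired while test4 and test5 do not; move `today` to 2014-07-18 and test5 (16269) joins them. The filter string produced for 2014-06-29 to 2014-07-10 is exactly the one Comment 2 asks QA to run.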
Comment 4 Moritz Muehlenhoff univentionstaff 2014-07-14 10:49:54 CEST
http://errata.univention.de/ucs/3.2/147.html