Bug 38060

Summary: k5pwd overlay doesn't work if account expires
Product: UCS
Reporter: Stefan Gohmann <gohmann>
Component: LDAP
Assignee: Stefan Gohmann <gohmann>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: birkefeld, gohmann, petersen, requate, steuwer, walkenhorst
Version: UCS 4.0
Target Milestone: UCS 4.0-1-errata
Hardware: Other
OS: Linux
Bug Depends on: 31429

Description Stefan Gohmann univentionstaff 2015-03-17 12:22:17 CET
Needs to be fixed for UCS 4.0 as well.

+++ This bug was initially created as a clone of Bug #31429 +++

If the last password change occurred by Kerberos/Samba4/Windows (userPassword={K5KEY}), LDAP bind against slapd fails if the account has an expiry date:

----------------------------------------------------
root@dcm:~# univention-ldapsearch uid=accounttest2 userpassword -LLL|ldapsearch-wrapper|ldapsearch-decode64
dn: uid=accounttest2,cn=users,dc=s4sites,dc=local
userPassword: {K5KEY}

root@dcm:~# udm users/user modify --dn uid=accounttest2,cn=users,dc=s4sites,dc=local --set userexpiry=2014-05-31
Object modified: uid=accounttest2,cn=users,dc=s4sites,dc=local

root@dcm:~# ldapsearch -x -h dcm -p 7389 -D "uid=accounttest2,cn=users,dc=s4sites,dc=local" -w Herbert.123 uid=accounttest2 uid
ldap_bind: Invalid credentials (49)

root@dcm:~# udm users/user modify --dn uid=accounttest2,cn=users,dc=s4sites,dc=local --set userexpiry=
Object modified: uid=accounttest2,cn=users,dc=s4sites,dc=local

root@dcm:~# ldapsearch -x -h dcm -p 7389 -D "uid=accounttest2,cn=users,dc=s4sites,dc=local" -w Herbert.123 uid=accounttest2 uid -LLL
dn: uid=accounttest2,cn=users,dc=s4sites,dc=local
uid: accounttest2
----------------------------------------------------
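As an added example (not part of this bug report and not UCS's own code), here is an offline audit that reads decoded LDIF such as the univention-ldapsearch output above and lists the accounts whose password is held only as a {K5KEY} reference and which also carry an account expiry, split into "already expired" and "expires later". On a system without the fix, the second group is the one that can no longer bind although it should. The script assumes, as in UCS, that the UDM userexpiry value is exported to LDAP as shadowExpire in days since the Unix epoch; the sample entries are constructed, and the accounttest3, accounttest4 and localonly users are hypothetical.

```python
"""Offline audit: find {K5KEY} accounts that also carry an account expiry.

Assumption: the UDM attribute userexpiry is stored in LDAP as shadowExpire
(days since 1970-01-01), which is how UCS maps it. Adjust EXPIRY_ATTR if
your directory exposes the expiry differently.
"""
import base64
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
EXPIRY_ATTR = "shadowExpire"

# Constructed sample in the shape of "univention-ldapsearch ... userPassword"
# output. accounttest2 mirrors the report (expiry 2014-05-31 == day 16221);
# the other three users are hypothetical.
SAMPLE_LDIF = """\
dn: uid=accounttest2,cn=users,dc=s4sites,dc=local
uid: accounttest2
userPassword:: e0s1S0VZfQ==
shadowExpire: 16221

dn: uid=accounttest3,cn=users,dc=s4sites,dc=local
uid: accounttest3
userPassword: {K5KEY}
shadowExpire: 17317

dn: uid=accounttest4,cn=users,dc=s4sites,dc=local
uid: accounttest4
userPassword: {K5KEY}

dn: uid=localonly,cn=users,dc=s4sites,dc=local
uid: localonly
userPassword: {crypt}$6$constructed$notarealhash
shadowExpire: 16221
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles the 'attr:: <base64>' form that ldapsearch emits for userPassword,
    which is what ldapsearch-decode64 undoes on the command line.
    """
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def affected_accounts(entries, today):
    """Return (dn, state, expiry-date) for every entry that has a {K5KEY}
    password *and* an account expiry. `today` is an ISO date string.
    state is 'expired' when the expiry lies in the past, else 'expires-later'.
    """
    today_d = date.fromisoformat(today)
    rows = []
    for entry in entries:
        if not any(v.startswith("{K5KEY}") for v in entry.get("userPassword", [])):
            continue  # password stored locally; the K5KEY overlay is not involved
        if EXPIRY_ATTR not in entry:
            continue  # no expiry set; bind works even without the fix
        expiry = EPOCH + timedelta(days=int(entry[EXPIRY_ATTR][0]))
        state = "expired" if expiry < today_d else "expires-later"
        rows.append((entry["dn"][0], state, expiry.isoformat()))
    return rows


def audit(text, today):
    """Convenience wrapper: LDIF text in, affected rows out."""
    return affected_accounts(parse_ldif(text), today)


if __name__ == "__main__":
    # Run against the constructed sample as of the report date.
    for dn, state, expiry in audit(SAMPLE_LDIF, "2015-03-17"):
        print(f"{state:14} {expiry}  {dn}")
```

In practice you would feed it `univention-ldapsearch -LLL userPassword shadowExpire` output; the rows marked "expires-later" are accounts that should still be able to bind, so a bind failure with "Invalid credentials (49)" for one of them points at this bug rather than at a genuinely expired account.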
Comment 1 Stefan Gohmann univentionstaff 2015-03-17 15:00:21 CET
YAML:  dev/branches/ucs-4.0/ucs-4.0-1/doc/errata/staging/2015-03-17-openldap.yaml

Fix: r14490 + r14491

Test case: 10_ldap/05K5KEY_userexpiry (r59098)
Comment 2 Felix Botner univentionstaff 2015-03-23 10:57:16 CET
-> univention-ldapsearch uid=test1 -LLL userPassword|ldapsearch-decode64 
dn: uid=test1,cn=users,dc=four,dc=test
userPassword: {K5KEY}

-> univention-ldapsearch -LLL -D uid=test1,cn=users,dc=four,dc=test -w Univention.99 uid=test1 dn
dn: uid=test1,cn=users,dc=four,dc=test

OK - password expired
     -> udm users/user modify --dn uid=test1,cn=users,dc=four,dc=test --set userexpiry=2014-05-31
     -> univention-ldapsearch -D uid=test1,cn=users,dc=four,dc=test -w Univention.99 uid=test1 dn
     ldap_bind: Invalid credentials (49)

OK - password not yet expired
     -> udm users/user modify --dn uid=test1,cn=users,dc=four,dc=test --set userexpiry=2017-05-31
     -> univention-ldapsearch -LLL -D uid=test1,cn=users,dc=four,dc=test -w Univention.99 uid=test1 dn
     dn: uid=test1,cn=users,dc=four,dc=test

OK - no password expiry
     -> udm users/user modify --dn uid=test1,cn=users,dc=four,dc=test --set userexpiry=
     -> univention-ldapsearch -LLL -D uid=test1,cn=users,dc=four,dc=test -w Univention.99 uid=test1 dn
     dn: uid=test1,cn=users,dc=four,dc=test

OK - 10_ldap/05K5KEY_userexpiry

OK - 2015-03-17-openldap.yaml
Comment 3 Janek Walkenhorst univentionstaff 2015-03-25 16:38:29 CET
<http://errata.univention.de/ucs/4.0/130.html>