Bug 48880
This probably happens when you have an inconsistent disabled state, i.e. different things for kerberos, samba, posix. If not, it would be a bug. Can you attach the ldif of the user? Created attachment 9908 [details] user6_deactivated:false.ldif > If not, it would be a bug. Yeah, that's kind of the point of the communication here :-) > Can you attach the ldif of the user? See attached ldif. I just upened the user, Account section and used the date picker to set the "Account expiry date" to the 20th of February. My VM was at this time: root@master10:~# date Do 28. Feb 09:25:40 CET 2019 Okay, you have:
shadowExpire: 17947
Which is the timestamp: 17947 * 3600 * 24 = 1550620800 = Wednesday, February 20, 2019 12:00:00 AM
def unmapPosixDisabled(oldattr):
try:
shadowExpire = int(oldattr['shadowExpire'][0])
except (KeyError, ValueError):
return False
return shadowExpire == 1 or shadowExpire < int(time.time() / 3600 / 24)
Looks like "<" should be ">" ?!
(In reply to Florian Best from comment #3) > Looks like "<" should be ">" ?! Uhm, no. shadowExpire specifies the date since when the account is deactivated. So setting a expiration date in the past should also set: sambaAcctFlags = D krb5KDCFlags |= 1<<7 userPassword = !userPassword If you agree, here is a sketch for a patch:
diff --git a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
index 14f4c3ff7a..7cf25eca93 100644
--- a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
+++ b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
@@ -1905,6 +1905,15 @@ def _ldap_pre_ready(self):
if self['disabled'] == '1':
self['locked'] = '0' # Samba/AD behavior
+ if self.hasChanged('userexpiry'):
+ if self['userexpiry']:
+ if not self.userexpiry_in_future(self['userexpiry']): # past or today
+ self['disabled'] = '1'
+ else:
+ self['disabled'] = '0'
+ elif self['disabled'] == '1':
+ pass # TODO: should we do something here?
+
And we should/could migrate broken users via a migration script?
|
After setting deactivation to a date in the past in the UMC users/user module, a strange notification is shown every time I open the user object again. ======================================================================== Notification The following empty properties were set to default values in the form. These values will be applied when saving. Account - Deactivation - Account is deactivated: false ======================================================================== Hitting save doesn't change anything.