Univention Bugzilla – Full Text Bug Listing
Description
Arvid Requate
2019-03-06 15:02:39 CET
This probably happens when you have an inconsistent disabled state, i.e. different things for kerberos, samba, posix. If not, it would be a bug. Can you attach the ldif of the user?

Created attachment 9908
user6_deactivated:false.ldif

> If not, it would be a bug.

Yeah, that's kind of the point of the communication here :-)

> Can you attach the ldif of the user?

See attached ldif. I just opened the user, Account section and used the date picker to set the "Account expiry date" to the 20th of February. My VM was at this time:

root@master10:~# date
Do 28. Feb 09:25:40 CET 2019

Okay, you have:

shadowExpire: 17947

Which is the timestamp: 17947 * 3600 * 24 = 1550620800 = Wednesday, February 20, 2019 12:00:00 AM

def unmapPosixDisabled(oldattr):
    try:
        shadowExpire = int(oldattr['shadowExpire'][0])
    except (KeyError, ValueError):
        return False
    return shadowExpire == 1 or shadowExpire < int(time.time() / 3600 / 24)

Looks like "<" should be ">" ?!

(In reply to Florian Best from comment #3)
> Looks like "<" should be ">" ?!

Uhm, no. shadowExpire specifies the date since when the account is deactivated.

So setting an expiration date in the past should also set:

sambaAcctFlags = D
krb5KDCFlags |= 1<<7
userPassword = !userPassword

If you agree, here is a sketch for a patch:

diff --git a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py index 14f4c3ff7a..7cf25eca93 100644 --- a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py +++ b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py 
@@ -1905,6 +1905,15 @@ def _ldap_pre_ready(self): if self['disabled'] == '1': self['locked'] = '0' # Samba/AD behavior + if self.hasChanged('userexpiry'): + if self['userexpiry']: + if not self.userexpiry_in_future(self['userexpiry']): # past or today + self['disabled'] = '1' + else: + self['disabled'] = '0' + elif self['disabled'] == '1': + pass # TODO: should we do something here? + And we should/could migrate broken users via a migration script? |
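
Review bot: in the `else:` branch under `if not self.userexpiry_in_future(self['userexpiry'])`, setting `self['disabled'] = '0'` re-enables the account whenever the expiry date is changed to a future one, which would also undo a deactivation that was made for some other reason; consider only setting `disabled` to '1' for past dates and leaving the property untouched otherwise. The added block also sits after the `if self['disabled'] == '1': self['locked'] = '0'` lines, so an account that gets disabled here does not pass through that reset; placing the block above them would keep both consistent. The `elif self['disabled'] == '1': pass` branch should be decided before merge instead of staying a TODO, since it covers the case where the expiry date is cleared on a disabled account.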
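
An added example, not code from this thread or from UCS: a small audit that applies the shadowExpire test quoted above and reports which of the other mechanisms named in the thread (sambaAcctFlags, krb5KDCFlags) still treat an expired account as enabled. The helper names, the injected clock and the sample entries are assumptions constructed for illustration; only shadowExpire: 17947 and the VM time come from the thread.

```python
import datetime

SECONDS_PER_DAY = 3600 * 24
KRB5_DISABLED_BIT = 1 << 7  # bit named in the thread: krb5KDCFlags |= 1<<7


def shadow_expire_date(days):
    """shadowExpire counts days since 1970-01-01 (UTC)."""
    return datetime.date(1970, 1, 1) + datetime.timedelta(days=days)


def posix_disabled(attrs, now_ts):
    """Same test as unmapPosixDisabled in the thread, with the clock injected."""
    try:
        shadow_expire = int(attrs['shadowExpire'][0])
    except (KeyError, ValueError):
        return False
    return shadow_expire == 1 or shadow_expire < int(now_ts / SECONDS_PER_DAY)


def samba_disabled(attrs):
    """Disabled when the flag string contains D, e.g. '[UD         ]'."""
    return 'D' in attrs.get('sambaAcctFlags', [''])[0]


def kerberos_disabled(attrs):
    try:
        return bool(int(attrs['krb5KDCFlags'][0]) & KRB5_DISABLED_BIT)
    except (KeyError, ValueError):
        return False


def still_enabled_after_expiry(attrs, now_ts):
    """Mechanisms that still accept an account POSIX treats as expired."""
    if not posix_disabled(attrs, now_ts):
        return []
    checks = (('samba', samba_disabled), ('kerberos', kerberos_disabled))
    return [name for name, is_disabled in checks if not is_disabled(attrs)]


# Constructed sample entries; only shadowExpire: 17947 is taken from the thread.
NOW = 1551342340  # 2019-02-28 09:25:40 CET, the VM clock in the report
expired_but_active = {'shadowExpire': ['17947'],
                      'sambaAcctFlags': ['[U          ]'], 'krb5KDCFlags': ['126']}
consistent = {'shadowExpire': ['17947'],
              'sambaAcctFlags': ['[UD         ]'], 'krb5KDCFlags': ['254']}

if __name__ == '__main__':
    print(shadow_expire_date(17947))
    print(still_enabled_after_expiry(expired_but_active, NOW))
    print(still_enabled_after_expiry(consistent, NOW))
```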