Bug 1206309

Summary: winsync sets AccountUserControl in AD to 544
Product: Red Hat Enterprise Linux 7
Component: 389-ds-base
Version: 7.0
Reporter: Noriko Hosoi <nhosoi>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Viktor Ashirov <vashirov>
CC: nhosoi, nkinder, rmeggins, sramling
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.4.0-1.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 11:43:46 UTC

Description Noriko Hosoi 2015-03-26 18:14:13 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47723

Hi,

We noticed that when a user is synchronized from 389 Directory to Active Directory, the AccountUserControl value was 544 (meaning NORMAL_ACCOUNT + PASSWD_NOTREQD, see http://support.microsoft.com/kb/305144/en-us).

This isn't secure (it allows the user to set an empty password). Letting the administrator set a default value for this attribute in the synchronization parameters would be nice.

Thanks.

Comment 2 Viktor Ashirov 2015-08-31 21:22:03 UTC
Hi Noriko,

> This isn't secure (allow user to set empty password). Letting the administrator set a default value for this attribute in synchronization parameters would be nice.

In the patch I didn't find any info about a default value that can be set by the admin.
As far as I understand, we now fall back to 512 if the password is set and 544 if not, correct?

Thanks!

Comment 3 Noriko Hosoi 2015-08-31 22:26:07 UTC
(In reply to Viktor Ashirov from comment #2)
> Hi Noriko,
> 
> >This isn't secure (allow user to set empty password). Letting the administrator set a default value for this attribute in synchronization parameters would be nice.
> 
> In the patch I didn't find any info about a default value that can be set by
> the admin.
> As far as I understand, we now fall back to 512 if the password is set and 544
> if not, correct?

Yes, that's correct.  Thank you for understanding the cryptic description...
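
Worked example for the two points above: the description's reading of 544 as NORMAL_ACCOUNT + PASSWD_NOTREQD, and the post-fix rule from comment 3 (512 when a password is synced with the entry, 544 when it is not). This is an added example, not code from the bug report or from 389-ds-base. It decodes a userAccountControl value into flag names using the table from the KB article cited in the description, models the 512/544 rule as a small function (a model of the stated behaviour, not the winsync plugin's code), builds the AD bitwise-AND search filter an admin can use to find every account still carrying PASSWD_NOTREQD, and runs that audit over a constructed LDIF sample shaped like the two ldapsearch results in comment 4 (the DNs are illustrative).

```python
"""Decode and audit AD userAccountControl values (added example).

Flag table: Microsoft KB 305144, as cited in the bug description.
SAMPLE_LDIF is constructed to mirror the ldapsearch output in comment 4;
it is not captured data.
"""

# userAccountControl bit flags from KB 305144.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
NORMAL_ACCOUNT = 0x0200   # 512
PASSWD_NOTREQD = 0x0020   # 32

# LDAP_MATCHING_RULE_BIT_AND: AD's extensible-match rule meaning
# "all of these bits are set"; lets the server do the flag test.
BIT_AND_OID = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits the table does not cover
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def uac_for_sync(has_password: bool) -> int:
    """Model of the post-fix rule stated in comment 3 (not the plugin's code):
    512 when a password is synced with the entry, otherwise 544."""
    return NORMAL_ACCOUNT if has_password else NORMAL_ACCOUNT | PASSWD_NOTREQD


def passwd_notreqd_filter(base_filter: str = "(objectClass=user)") -> str:
    """Search filter matching entries whose userAccountControl has PASSWD_NOTREQD."""
    return f"(&{base_filter}(userAccountControl:{BIT_AND_OID}:={PASSWD_NOTREQD}))"


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader for single-attribute ldapsearch output: entries are
    separated by blank lines, one 'attr: value' per line; no base64 values or
    line continuations are handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith(("version:", "#")):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_passwd_notreqd(ldif_text: str) -> list[str]:
    """DNs in the LDIF whose userAccountControl has PASSWD_NOTREQD set."""
    hits = []
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("userAccountControl", ["0"])[0])
        if uac & PASSWD_NOTREQD:
            hits.append(entry["dn"][0])
    return hits


# Constructed sample shaped like the two ldapsearch results in comment 4.
SAMPLE_LDIF = """\
version: 1
dn: CN=dsdsdsX,OU=adpasssync,DC=adrelm,DC=com
userAccountControl: 544

dn: CN=dsdsds9,OU=adpasssync,DC=adrelm,DC=com
userAccountControl: 512
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        uac = int(entry["userAccountControl"][0])
        print(entry["dn"][0], uac, decode_uac(uac))
    print("PASSWD_NOTREQD set on:", audit_passwd_notreqd(SAMPLE_LDIF))
    print("server-side filter:", passwd_notreqd_filter())
```

The filter string is what you would pass to ldapsearch against the AD side to list every synced account that still has PASSWD_NOTREQD set (for example, users created by winsync before a password was pushed over); such accounts can be given an empty password until the flag is cleared or a password is synced.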

Comment 4 Sankar Ramalingam 2015-09-18 16:35:36 UTC
For a user with no password set, the userAccountControl is set to 544:

[root@dhcp35-196 MMR_WINSYNC]# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-M1/cert8.db -h win2012r2.adrelm.com -p 636 -D "cn=SyncManager,cn=Users,dc=adrelm,dc=com" -w Secret123 -b "cn=dsdsdsX,ou=adpasssync,dc=adrelm,dc=com" objectClass=* "userAccountControl"
version: 1
dn: CN=dsdsdsX,OU=adpasssync,DC=adrelm,DC=com
userAccountControl: 544


For a user with a password set, the userAccountControl is set to 512:

[root@dhcp35-196 MMR_WINSYNC]# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-M1/cert8.db -h win2012r2.adrelm.com -p 636 -D "cn=SyncManager,cn=Users,dc=adrelm,dc=com" -w Secret123 -b "cn=dsdsds9,ou=adpasssync,dc=adrelm,dc=com" objectClass=* "userAccountControl"
version: 1
dn: CN=dsdsds9,OU=adpasssync,DC=adrelm,DC=com
userAccountControl: 512


Hence, marking the bug as Verified.

Build tested:
[root@dhcp35-196 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.3.4.0-15.el7.x86_64
389-ds-base-1.3.4.0-15.el7.x86_64

Comment 5 errata-xmlrpc 2015-11-19 11:43:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2351.html