Bug 785875

Summary: [RFE] honor eDirectory account lockout
Product: Red Hat Enterprise Linux 7 Reporter: Stephen Gallagher <sgallagh>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED WONTFIX QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: dpal, grajaiya, jgalipea, jhrozek, prc
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-09 13:51:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Stephen Gallagher 2012-01-30 20:14:14 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/673

This is similar to #672 but about using the Novell NDS/eDirectory fields instead of the NIS ones.

Relevant ones are:

loginDisabled: boolean

loginExpirationTime: Unix timestamp (UTC)

loginAllowedTimeMap: binary blob

The last one is a bit magical and indicates when during a day an account is allowed to log in. Some details here:

http://developer.novell.com/documentation/ndslib/schm_enu/data/sdk1588.html

Might be overkill supporting that one and the first two are probably more essential.
Comment 3 Jenny Severance 2013-03-13 18:38:05 UTC 
please add steps to reproduce and verify with RHDS or openLDAP
Comment 4 Jakub Hrozek 2013-03-19 09:54:18 UTC 
Veifying the loginDisabled and loginExpiration time should be easy, they are well documented and as far as LDAP goes they are just strings. 

In both cases, you can either extend the schema to really contain the new attributes or, which may be simpler, use another attribute (say, gecos, or description) and simply set an override on the config option, like this:

ldap_user_nds_login_disabled = gecos

the above would fetch the loginDisabled data from the gecos attribute.

The loginDisabled attribute is just a string that contains a boolean true/false value. So when you set it to "true", access should be denied. In the logs you should see messages from sdap_account_expired_nds().

The loginExpirationTime is a date-and-time field (UTC) representing when will be the account expired, If you're past this date, you shouldn't be allowed to login.
The format is YYYYMMDDHHMMSS, for instance 20130319194530 would mean that a user can only login until 2013-Mar-19 19:45:30.

As stated in the opening ticket, the loginAllowedTimeMap is harder and actually supporting it might be a nice-to-have. The attribute is a binary one. It is a bitmap that consists of 42 bytes (336 bits) representing 30-minutes intervals in a week. A good start would be to make sure that all zeroes always deny access and all ones always allow access. You should use base64 -d to encode the binary blob into base64 format and then load the attribute with a double-colon (loginAllowedTimeMap:: blob).

If either of these attributes is missing completely, access is granted.