Description of problem:
BZ1059550 introduces better info about various login failures. One can see an event in audit_log for an expired password but not for an expired account.

expired passwd:

-[ RECORD 1 ]-------+--------------------------------------
audit_log_id        | 1359
user_id             | 00000000-0000-0000-0000-000000000000
user_name           | vdcexppwd.LAB.ENG.BRQ.REDHAT.COM
vm_id               | 00000000-0000-0000-0000-000000000000
vm_name             |
vm_template_id      |
vm_template_name    |
vds_id              |
vds_name            |
log_time            | 2014-03-19 12:00:16.533+01
log_type_name       | USER_ACCOUNT_PASSWORD_EXPIRED
log_type            | 1101
severity            | 2
message             | User vdcexppwd.LAB.ENG.BRQ.REDHAT.COM cannot login, as the user account password has expired. Please contact the system administrator.

Nothing like this for an expired account. mperina@ checked the source code and there's nothing specific about expired accounts.

Version-Release number of selected component (if applicable):
rhevm-backend-3.4.0-0.5.master.el6ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. have an AD added into RHEVM env
2. have an AD user account with expired account
3. try to login with the user

Actual results:
nothing in audit_log table

Expected results:
add same as for expired passwd

Additional info:
Alon, is there any standard on expired accounts? Or is it AD only?
This is already handled in the new ldap implementation as a message to the user. Not sure why it is interesting in the audit context; even at the new accounting interface I planned to map this into PRINCIPAL_LOGIN_LOCKED, as it is not important why.
Yair, make sure you map account locked into:

PRINCIPAL_LOGIN_LOCKED

and that PRINCIPAL_LOGIN_CREDENTIALS is only if credentials are incorrect.

So we actually need to go over all acct mapping.
(In reply to Alon Bar-Lev from comment #3)
> yair, make sure you map account locked into:
>
> PRINCIPAL_LOGIN_LOCKED
>
> and that PRINCIPAL_LOGIN_CREDENTIALS is only if credentials are incorrect.
>
> so we actually need to go over all acct mapping

Alon, shouldn't account expired be differentiated from account locked?
We have the differentiation at Authn.java already, so why did you mention account locked if the bug is about account expired?
(In reply to Yair Zaslavsky from comment #4)
> (In reply to Alon Bar-Lev from comment #3)
> > yair, make sure you map account locked into:
> >
> > PRINCIPAL_LOGIN_LOCKED
> >
> > and that PRINCIPAL_LOGIN_CREDENTIALS is only if credentials are incorrect.
> >
> > so we actually need to go over all acct mapping
>
> Alon, shouldn't account expired be differentiated from account locked?
> We have the differentiation at Authn.java already, so why did you mention
> account locked if the bug is about account expired?

As far as I remember the mapping between authn result and audit log is incomplete.
$ ldapsearch -LLL -x -h ad-w2k12r2.rhev.lab.eng.brq.redhat.com -p 389 -D Administrator.lab.eng.brq.redhat.com -W -b 'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "cn=vdcexpadmin"
dn: CN=vdcexpadmin,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: vdcexpadmin
givenName: vdcexpadmin
distinguishedName: CN=vdcexpadmin,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
...
accountExpires: 125912412000000000
....

125912412000000000 = Sat, 01 Jan 2000 23:00:00 GMT

$ ldapsearch -LLL -x -h ad-w2k12r2.rhev.lab.eng.brq.redhat.com -p 389 -D vdcexpadmin.lab.eng.brq.redhat.com -W -b 'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com' "cn=vdcexpadmin"
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 701, v2580

701 means account expired.

When I log in as user vdcexpadmin into the user portal this is in the audit log:

engine=# select * from audit_log order by log_time DESC;
-[ RECORD 1 ]-------+--------------------------------------
audit_log_id        | 1301
user_id             | 00000000-0000-0000-0000-000000000000
user_name           | vdcexpadmin
vm_id               | 00000000-0000-0000-0000-000000000000
vm_name             |
vm_template_id      |
vm_template_name    |
vds_id              |
vds_name            |
log_time            | 2014-10-22 11:07:28.892+02
log_type_name       | USER_VDC_LOGIN_FAILED
log_type            | 114
severity            | 2
message             | User vdcexpadmin failed to log in.
processed           | f
storage_pool_id     |
storage_pool_name   |
storage_domain_id   |
storage_domain_name |
vds_group_id        | 00000000-0000-0000-0000-000000000000
vds_group_name      |
correlation_id      |
job_id              |
quota_id            |
quota_name          |
gluster_volume_id   | 00000000-0000-0000-0000-000000000000
gluster_volume_name |
origin              | oVirt
custom_event_id     | -1
event_flood_in_sec  | 30
custom_data         |
deleted             | f
call_stack          |
Alon, is the 701 error code mapped correctly at the generic ldap provider?
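The ldapsearch output in comment #7 shows the two things a provider has to decode before it can audit this case distinctly: the accountExpires FILETIME and the "data 701" sub-code that AD hides inside the diagnostic of an LDAP result 49. The following is an added example written for this thread, not oVirt/RHEV engine code: it extracts the sub-code, maps it to a separate outcome so that an expired account is not folded into "wrong credentials", and converts accountExpires (including the two "never expires" sentinel values) to a UTC time. The outcome strings are illustrative and are not the engine's PRINCIPAL_LOGIN_* identifiers; the 701 diagnostic is the one from this bug, while the 52e/775 and non-AD messages are constructed samples.

```python
"""Decode what an Active Directory bind failure actually means.

Added example for this bug thread, not oVirt/RHEV engine code.  The outcome
strings returned by classify_bind_failure() are made up for illustration and
are not the engine's PRINCIPAL_LOGIN_* identifiers.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD answers every authentication failure with LDAP result 49
# (invalidCredentials); the real reason is only in the diagnostic message,
# as the hex sub-code after "data".  These sub-codes are standard AD
# behaviour; data 701 is the one observed in this bug.
AD_BIND_DATA_CODES = {
    "525": "user_not_found",
    "52e": "bad_credentials",
    "530": "logon_time_restricted",
    "531": "workstation_restricted",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "password_must_change",
    "775": "account_locked",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9A-Fa-f]+)\b")


def ad_bind_data_code(diagnostic: str) -> Optional[str]:
    """Return the 'data NNN' sub-code from an AD bind diagnostic, or None."""
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def classify_bind_failure(diagnostic: str) -> str:
    """Map a bind failure to a distinct outcome so the audit log can tell an
    expired or locked account apart from a wrong password.  A diagnostic
    without a known sub-code (e.g. from a non-AD server) is reported as
    'unknown' rather than being silently counted as bad credentials."""
    code = ad_bind_data_code(diagnostic)
    return AD_BIND_DATA_CODES.get(code or "", "unknown")


# accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
# 0 and 2**63-1 both mean "account never expires".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """Convert accountExpires to an aware UTC datetime; None means 'never'."""
    if value in _NEVER_EXPIRES:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def account_expired(account_expires: int, now: datetime) -> bool:
    """True if the account's expiry time is at or before 'now'."""
    expires = filetime_to_datetime(account_expires)
    return expires is not None and expires <= now


# The diagnostic observed in this bug (data 701, account expired).
BUG_DIAGNOSTIC = ("80090308: LdapErr: DSID-0C0903C5, comment: "
                  "AcceptSecurityContext error, data 701, v2580")
# Constructed samples for comparison; DSID and v values are placeholders.
SAMPLE_DIAGNOSTICS = {
    "wrong_password": "80090308: LdapErr: DSID-0C0903C5, comment: "
                      "AcceptSecurityContext error, data 52e, v2580",
    "locked": "80090308: LdapErr: DSID-0C0903C5, comment: "
              "AcceptSecurityContext error, data 775, v2580",
    "non_ad": "invalid credentials",
}

if __name__ == "__main__":
    now = datetime(2014, 10, 22, 9, 7, 28, tzinfo=timezone.utc)
    print(filetime_to_datetime(125912412000000000))   # 2000-01-01 23:00:00+00:00
    print(account_expired(125912412000000000, now))    # True
    print(classify_bind_failure(BUG_DIAGNOSTIC))       # account_expired
    for name, diag in SAMPLE_DIAGNOSTICS.items():
        print(name, "->", classify_bind_failure(diag))
```

The conversion reproduces the value quoted in comment #7 (125912412000000000 is 2000-01-01 23:00:00 UTC), and the classifier keeps 701 (account expired), 532 (password expired) and 775 (locked) as three separate outcomes, which is the distinction the thread is asking the audit mapping to preserve.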
At login I get:

Cannot Login. User Account has expired, Please contact your system administrator.

In database I get:

$ PGPASSWORD="engine" psql -U engine -d engine -c "select audit_log_id, message from audit_log order by log_time DESC;" | head -n 10
 audit_log_id |                                      message
--------------+-----------------------------------------------------------------------------------
           69 | User vdcexpadmin failed to log in.
           68 | The account for vdcexpadmin got expired. Please contact the system administrator.
Oh sorry, I tested it with the old package. Now correct:

engine=# select audit_log_id, message from audit_log order by log_time DESC LIMIT 2;
 audit_log_id |                                      message
--------------+-----------------------------------------------------------------------------------
            9 | User vdcexpadmin failed to log in.
            8 | The account for vdcexpadmin got expired. Please contact the system administrator.