1185882 – ns-activate.pl fails to activate account if it was disabled on AD

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1185882 - ns-activate.pl fails to activate account if it was disabled on AD

Summary: ns-activate.pl fails to activate account if it was disabled on AD

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Noriko Hosoi
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1205796
TreeView+	depends on / blocked

Reported:	2015-01-26 14:26 UTC by Viktor Ashirov
Modified:	2020-09-13 21:19 UTC (History)
CC List:	8 users (show)
Fixed In Version:	389-ds-base-1.3.4.0-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-19 11:43:24 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 1332	0	None	None	None	2020-09-13 21:19:37 UTC
Red Hat Product Errata	RHBA-2015:2351	0	normal	SHIPPED_LIVE	389-ds-base bug fix and enhancement update	2015-11-19 10:28:44 UTC

Description Viktor Ashirov 2015-01-26 14:26:38 UTC

Description of a problem:
ns-activate.pl fails to activate account if it was disabled on AD.

Version-Release number of selected component (if applicable):
389-ds-base-1.3.3.1-12.el7.x86_64

Steps to Reproduce:
[0] Setup Winsync and enable Posix Winsync plugin
[1] Add test entry
ldapmodify -D "cn=Directory Manager" -w Secret123  -H ldap://localhost:1189 -a << EOF
dn: uid=posixusr0,ou=dswinsync,dc=example,dc=com
objectClass: inetorgperson
objectClass: inetuser
objectclass: ntUser
objectClass: posixAccount
uid: posixusr0
givenName: posixusr0
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/posixusr0
sn: posixusr0
cn: posixusr0
ntUserCreateNewAccount: true
ntUserDomainId: posixusr0
ntUserDeleteAccount: true
userPassword: Secret123
EOF

[2] Disable it on AD
ldapmodify -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2k8.adrelm.com << EOF
dn: CN=posixusr0,OU=adsync,DC=adrelm,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 514
EOF

[3] Enable it on DS using ns-activate.pl
sudo ns-activate.pl -Z M1  -D "cn=Directory Manager" -w Secret123 -I uid=posixusr0,ou=dswinsync,dc=example,dc=com

Actual results:
Entry stays inactivated
uid=posixusr0,ou=dswinsync,dc=example,dc=com inactivated (probably directly).

Expected results:
Entry should be activated.

Additional info:
$ ldapsearch -o ldif-wrap=no -LLL -D "cn=Directory Manager" -w Secret123 -H ldap://localhost:1189 -b dc=example,dc=com cn=posixusr0 "(|(objectclass=*)(objectclass=ldapsubentry))" nsAccountLock nsRoleDN
dn: uid=posixusr0,ou=dswinsync,dc=example,dc=com
nsAccountLock: true


ns-activate.pl with debug on: 
 ==> Running ** ns-activate.pl ** activate
 ==> Single user
 ==> Is the entry already locked? ==> 1
 ==> Entry to activate: #uid=posixusr0 , ou=dswinsync , dc=example , dc=com#
 ==> Entry to activate: #uid=posixusr0,ou=dswinsync,dc=example,dc=com#
 ==> 	Suffix from the entry: #uid=posixusr0,ou=dswinsync,dc=example,dc=com#
 ==> 		Nothing found => go up one level in rdn #, ou=dswinsync , dc=example , dc=com#
 ==> 	Suffix from the entry: #,ou=dswinsync,dc=example,dc=com#
 ==> 		Nothing found => go up one level in rdn #ou=dswinsync , dc=example , dc=com#
 ==> 	Suffix from the entry: #ou=dswinsync,dc=example,dc=com#
 ==> 		Nothing found => go up one level in rdn #, dc=example , dc=com#
 ==> 	Suffix from the entry: #,dc=example,dc=com#
 ==> 		Nothing found => go up one level in rdn #dc=example , dc=com#
 ==> 	Suffix from the entry: #dc=example,dc=com#
 ==> 	Suffix from mapping tree: #dc=example,dc=com
#
 ==> Found matching suffix
 ==> 	Suffix from mapping tree: #"dc=example,dc=com"
#
 ==> Found matching suffix
 ==> 	Suffix from mapping tree: ##
 ==> 	-->indirectLock: check if uid=posixusr0,ou=dswinsync,dc=example,dc=com is part of a locked role from base cn=nsdisabledrole,dc=example,dc=com

 ==> 	-- indirectLock loop: current nsroledn cn=nsmanageddisabledrole,dc=example,dc=com of base cn=nsdisabledrole,dc=example,dc=com
 ==> checkScope: check if cn=nsmanageddisabledrole,dc=example,dc=com is below cn=nsdisabledrole,dc=example,dc=com
 ==> removeRdn: entry to split: cn=nsdisabledrole,dc=example,dc=com**cn=nsdisabledrole , dc=example , dc=com
 ==> removeRdn: new DN **dc=example,dc=com**
 ==> checkScope: nested role based:  dc=example,dc=com
 ==> removeRdn: entry to split: cn=nsmanageddisabledrole,dc=example,dc=com**cn=nsmanageddisabledrole , dc=example , dc=com
 ==> removeRdn: new DN **dc=example,dc=com**
 ==> checkScope: current DN to check: dc=example,dc=com
 ==> checkScope: DN match!!!
 ==> checkScope: cn=nsmanageddisabledrole,dc=example,dc=com and cn=nsdisabledrole,dc=example,dc=com are compatible
 ==> 		-->memberOf: ldapsearch -x -LLL -ZZ -p 1189 -h rhel7.brq.redhat.com -D "cn=Directory Manager" -w "Secret123"  -b "uid=posixusr0,ou=dswinsync,dc=example,dc=com" -s base "(|(objectclass=*)(objectclass=ldapsubentry))" nsrole: check if uid=posixusr0,ou=dswinsync,dc=example,dc=com has cn=nsmanageddisabledrole,dc=example,dc=com as nsroledn attribute
 ==> 		<--memberOf: uid=posixusr0,ou=dswinsync,dc=example,dc=com not locked through cn=nsmanageddisabledrole,dc=example,dc=com
 ==> 	-->indirectLock: check if uid=posixusr0,ou=dswinsync,dc=example,dc=com is part of a locked role from base cn=nsmanageddisabledrole,dc=example,dc=com

 ==> 	<--indirectLock: no more nsroledn to process
 ==> 	<--indirectLock: no more nsroledn to process
uid=posixusr0,ou=dswinsync,dc=example,dc=com inactivated (probably directly).

Comment 6 Noriko Hosoi 2015-01-27 00:08:01 UTC

1. This is a bug in posix-winsync plugin.
2. This is not a regression.  The code has been there from the beginning (I guess).
3. IPA does not use posix-winsync plugin for the account enabling/disabling.  It has its own plugin, I think.  Martin or Jenny, could you confirm?
4. And if IPA has its own plugin, could you test this failed case?
4-1. create an account (either DS or AD).
4-2. disable the account on AD.
4-3. enable it back on DS.
If the account is successfully enabled on DS and it's sync'ed to AD, it is free from the bug.

In the posix-plugin, when it receives a request to disable the account from AD, it checks the nsAccountLock explicitly as well as virtually.  If it's not found in the both checks, it does NOT set a flag to tell it is a virtual attribute, then a real "nsAccountLock: true" attr-value pair is added to the user entry.  Once the real nsAccountLock attribute is added to an entry, ns-activate.pl (as well as Console) does not remove it (since it's not implemented for that).

This patch fixes the problem.  I'm going to open a trac ticket.
diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync.c b/ldap/servers/plugins/posix-winsync/posix-winsync.c
index d43e76d..9a70244 100644
--- a/ldap/servers/plugins/posix-winsync/posix-winsync.c
+++ b/ldap/servers/plugins/posix-winsync/posix-winsync.c
@@ -152,6 +152,9 @@ _check_account_lock(Slapi_Entry *ds_entry, int *isvirt)
     int attr_free_flags = 0;
     char *strval;
 
+    if (isvirt) {
+        *isvirt = 1; /* nsAccountLock is implemeted as nsRole */
+    }
     /* first, see if the attribute is a "real" attribute */
     strval = slapi_entry_attr_get_charptr(ds_entry, "nsAccountLock");
     if (strval) { /* value is real */

I agree this is a pretty bad bug, and I'd like to fix it as soon as possible.  But we don't have the enough justification if this does not affect IPA and it is not a regression...?

Comment 7 Noriko Hosoi 2015-01-27 00:11:33 UTC

Upstream ticket:
https://fedorahosted.org/389/ticket/48001

Comment 8 Steeve Goveas 2015-01-27 11:51:13 UTC

(In reply to Noriko Hosoi from comment #6)
> 1. This is a bug in posix-winsync plugin.
> 2. This is not a regression.  The code has been there from the beginning (I
> guess).
> 3. IPA does not use posix-winsync plugin for the account enabling/disabling.
> It has its own plugin, I think.  Martin or Jenny, could you confirm?
> 4. And if IPA has its own plugin, could you test this failed case?
> 4-1. create an account (either DS or AD).
> 4-2. disable the account on AD.
> 4-3. enable it back on DS.
> If the account is successfully enabled on DS and it's sync'ed to AD, it is
> free from the bug.

Checked in version 389-ds-base-1.3.3.1-13.el7.x86_64 with ipa-server-4.1.0-16.el7.x86_64.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_winsync_0009: Synchronization behaviour of account lock status
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

ipawinsyncacctdisable: both
:: [   PASS   ] :: Winsync account disable set to "both" by default 
:: [ 15:30:55 ] :: Testing with Winsync account disable set to"both"
:: [  BEGIN   ] :: Creating ldif file to reset ipawinsyncacctdisable to "both" :: actually running 'acctdisable_ldif both'
:: [   PASS   ] :: Creating ldif file to reset ipawinsyncacctdisable to "both" (Expected 0, got 0)
:: [  BEGIN   ] :: Setting disabled account to sync to both servers :: actually running 'ldapmodify -x -D "cn=Directory Manager" -w Secret123 -f acctdisable.ldif'
modifying entry "cn=ipa-winsync,cn=plugins,cn=config"

:: [   PASS   ] :: Setting disabled account to sync to both servers (Expected 0, got 0)
:: [  BEGIN   ] :: aduser1 is enabled on IPA :: actually running 'ipa user-show aduser1 | grep "Account disabled: False"'
  Account disabled: False
:: [   PASS   ] :: aduser1 is enabled on IPA (Expected 0, got 0)
:: [  BEGIN   ] :: Creating ldif file for disabling aduser1 :: actually running 'ADuser_cntrl_ldif aduser1 ads 514'
:: [   PASS   ] :: Creating ldif file for disabling aduser1 (Expected 0, got 0)
:: [  BEGIN   ] :: Disable aduser1 on AD :: actually running 'ldapmodify -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -f ADuser_cntrl.ldif'
modifying entry "CN=aduser1 ads,CN=Users,DC=adrelm,DC=com"

:: [   PASS   ] :: Disable aduser1 on AD (Expected 0, got 0)
:: [  BEGIN   ] :: aduser1 disabled in AD :: actually running 'ldapsearch -x -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -b "CN=aduser1 ads,CN=Users,DC=adrelm,DC=com" | grep "userAccountControl: 514"'
userAccountControl: 514
:: [   PASS   ] :: aduser1 disabled in AD (Expected 0, got 0)
:: [  BEGIN   ] :: Waiting for sync :: actually running 'sleep 30'
:: [   PASS   ] :: Waiting for sync (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 5'
:: [   PASS   ] :: Command 'sleep 5' (Expected 0, got 0)
:: [  BEGIN   ] :: After sync aduser1 disabled on IPA as well :: actually running 'ipa user-show aduser1 | grep "Account disabled: True"'
  Account disabled: True
:: [   PASS   ] :: After sync aduser1 disabled on IPA as well (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa user-enable aduser1'
------------------------------
Enabled user account "aduser1"
------------------------------
:: [   PASS   ] :: Command 'ipa user-enable aduser1' (Expected 0, got 0)
:: [  BEGIN   ] :: Re-enabled aduser1 from IPA :: actually running 'ipa user-show aduser1 | grep "Account disabled: False"'
  Account disabled: False
:: [   PASS   ] :: Re-enabled aduser1 from IPA (Expected 0, got 0)
:: [  BEGIN   ] :: Giving 5 seconds to inform AD :: actually running 'sleep 5'
:: [   PASS   ] :: Giving 5 seconds to inform AD (Expected 0, got 0)
:: [  BEGIN   ] :: aduser1 is enabled in AD as well :: actually running 'ldapsearch -x -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -b "CN=aduser1 ads,CN=Users,DC=adrelm,DC=com" | grep "userAccountControl: 512"'
userAccountControl: 512
:: [   PASS   ] :: aduser1 is enabled in AD as well (Expected 0, got 0)

Comment 9 Jenny Severance 2015-01-27 12:29:57 UTC

Thank you Viktor and Steeve!!!

Comment 13 Sankar Ramalingam 2015-07-27 09:07:56 UTC

Followed these steps to verify the bug:
1. Setup winsync/passsync on RHEL7.2 latest with windows 2012r2.
2. Created few users in AD and DS.
3. Waited for the entries to be synced across.
4. Then, ran ldapmodify on AD to disable users.
[root@dhcp35-196 slapd-M1]# ldapmodify -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2012r2.adrelm.com << EOF
dn: CN=nnusrds1,OU=adpasssync,DC=adrelm,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 514
EOF

modifying entry "CN=nnusrds1,OU=adpasssync,DC=adrelm,DC=com"

5. Ldapsearch to check if the user is disabled.
ldapsearch -D "cn=Administrator,cn=users,dc=adrelm,dc=com" -w Secret123  -H ldap://win2012r2.adrelm.com -b "ou=adpasssync,dc=adrelm,dc=com" "userAccountControl"
# nnusrad1, adpasssync, adrelm.com
dn: CN=nnusrad1,OU=adpasssync,DC=adrelm,DC=com
userAccountControl: 514

6. Check if the same user is disabled on DS.
[root@dhcp35-196 slapd-M1]# ns-accountstatus.pl -Z M1  -D "cn=Directory Manager" -w Secret123 -I uid=nnusrad1,ou=dswinsync,dc=passsync,dc=com
uid=nnusrad1,ou=dswinsync,dc=passsync,dc=com  activated.

Result: FAIL

After few mins of wait, the account is automatically enabled on AD. This is really strange.

# nnusrad1, adpasssync, adrelm.com
dn: CN=nnusrad1,OU=adpasssync,DC=adrelm,DC=com
userAccountControl: 512

Comment 14 Sankar Ramalingam 2015-07-27 16:36:32 UTC

Additional details...
1. Automatically account is enabled on AD, if the user account is created/synced and then disabled at AD.
2. If the user account is syned after being disabled, then automatic change of account status from 514 to 512 doesn't occur.
3. Account on DS side is disabled, even though the account is automatically enabled on AD.

Comment 15 Sankar Ramalingam 2015-07-28 09:27:20 UTC

I was keep testing the account enable/disable or activate/inactivate from AD to DS and vice versa. None of the above mentioned issues are reproducible.

Test cases verified:
Account disable sync from DS to AD - PASS
Account enable sync from DS to AD - PASS
Account disable sync from AD to DS - PASS
Account enable sync from AD to DS - PASS

Hence, marking the bug as Verified. 

I will check again, if the issues mentioned above in comment #13 and comment #14 are reproducible.

Comment 16 Sankar Ramalingam 2015-07-28 09:45:44 UTC

Build tested: 389-ds-base-1.3.4.0-8.el7.x86_64

Comment 17 errata-xmlrpc 2015-11-19 11:43:24 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2351.html

Note You need to log in before you can comment on or make changes to this bug.