This bug has been copied from bug #1379824 and has been proposed to be backported to 7.3 z-stream (EUS).
Old version: 389-ds-base-1.3.5.10-11.el7.x86_64

[0 root@qeos-210 ~]# ldapsearch -D cn=tuser,ou=People,dc=example,dc=com -w Secret123 -b dc=example,dc=com
ldap_bind: Constraint violation (19)
additional info: Account inactivity limit exceeded. Contact system administrator to reset.
[0 root@qeos-210 ~]# ns-accountstatus.pl -D cn=Directory\ Manager -w Secret123 -I cn=tuser,ou=People,dc=example,dc=com -V; echo $?
Entry: cn=tuser,ou=People,dc=example,dc=com
Entry Creation Date: 20161114134622Z (11/14/2016 08:46:22)
Entry Modification Date: 20161114141206Z (11/14/2016 09:12:06)
Last Login Date: 20161114141228Z (11/14/2016 09:12:28)
Entry State: activated
102

New version: 389-ds-base-1.3.5.10-12.el7_3.x86_64

[0 root@qeos-210 ~]# ldapsearch -D cn=tuser,ou=People,dc=example,dc=com -w Secret123 -b dc=example,dc=com
ldap_bind: Constraint violation (19)
additional info: Account inactivity limit exceeded. Contact system administrator to reset.
[0 root@qeos-210 ~]# ns-accountstatus.pl -D cn=Directory\ Manager -w Secret123 -I cn=tuser,ou=People,dc=example,dc=com -V; echo $?
Entry: cn=tuser,ou=People,dc=example,dc=com
Entry Creation Date: 20161114134622Z (11/14/2016 08:46:22)
Entry Modification Date: 20161114141206Z (11/14/2016 09:12:06)
Last Login Date: 20161114141228Z (11/14/2016 09:12:28)
Inactivity Limit: 120 seconds (2 minutes)
Time Until Inactive: -
Time Since Inactivated: 692 seconds (11 minutes, 32 seconds)
Entry State: inactivated (inactivity limit exceeded)
103

Marking as VERIFIED.
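
Added example, not part of the original bug comments or of 389-ds-base: a Python cross-check that recomputes the inactivity state from Last Login Date and the plugin's accountInactivityLimit and compares it with the exit code ns-accountstatus.pl returned. The sample outputs are constructed from the sessions above, NOW is derived from the reported 692 seconds, the names audit and gtime are hypothetical, and direct locks are not modelled.

```python
import re
from datetime import datetime, timezone

# Exit codes of ns-accountstatus.pl as seen in the sessions on this page.
EXIT_ACTIVATED, EXIT_INACTIVATED = 102, 103

def gtime(value):
    """Parse an LDAP generalized time such as 20161114141228Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit(verbose_output, exit_code, limit_seconds, now):
    """Recompute the inactivity state and compare it with the tool's answer."""
    fields = dict(re.findall(r"^([^:\n]+):[ \t]+(.*)$", verbose_output, re.M))
    last_login = gtime(fields["Last Login Date"].split()[0])
    overdue = int((now - last_login).total_seconds()) - limit_seconds
    # Assumption: the account counts as inactive once the limit is exceeded.
    expected = EXIT_INACTIVATED if overdue > 0 else EXIT_ACTIVATED
    return {
        "reported_state": fields["Entry State"],
        "seconds_since_inactivated": max(overdue, 0),
        "consistent": exit_code == expected,
    }

# Constructed samples: trimmed copies of the -V output quoted in the comment above.
HEADER = """Entry: cn=tuser,ou=People,dc=example,dc=com
Last Login Date: 20161114141228Z (11/14/2016 09:12:28)
"""
OLD_OUTPUT = HEADER + "Entry State: activated\n"
NEW_OUTPUT = HEADER + "Entry State: inactivated (inactivity limit exceeded)\n"
LIMIT = 120                      # accountInactivityLimit from the plugin config
NOW = gtime("20161114142600Z")   # derived: last login + 120 s + reported 692 s

if __name__ == "__main__":
    for label, out, code in (("old", OLD_OUTPUT, 102), ("new", NEW_OUTPUT, 103)):
        print(label, audit(out, code, LIMIT, NOW))
```

A result with consistent set to False means the status tool and the bind-time policy disagree, which is what the old build shows for this entry.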
Adding my comments... Enabled the account policy plugin and added a few users to the suffix. Then I ran ns-activate.pl, ns-inactivate.pl and ns-accountstatus.pl. All of them showed the correct status.

[root@dell-pe-fc630-01 ~]# PORT=19089; /usr/bin/ldapsearch -LLL -x -p $PORT -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" |egrep 'accountInactivityLimit|alwaysrecordlogin'
alwaysrecordlogin: yes
limitattrname: accountInactivityLimit
accountInactivityLimit: 120
[root@dell-pe-fc630-01 ~]# systemctl restart dirsrv.target
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=testusr3,ou=people,dc=example,dc=com"; ns-activate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=testusr3,ou=people,dc=example,dc=com already activated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# echo $?
100
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=testusr3,ou=people,dc=example,dc=com"; ns-inactivate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=testusr3,ou=people,dc=example,dc=com inactivated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# echo $?
0
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=testusr3,ou=people,dc=example,dc=com"; ns-inactivate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=testusr3,ou=people,dc=example,dc=com already inactivated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# echo $?
100
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=testusr3,ou=people,dc=example,dc=com"; ns-accountstatus.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=testusr3,ou=people,dc=example,dc=com - inactivated (directly locked).
[root@dell-pe-fc630-01 MMR_WINSYNC]# echo $?
103
[root@dell-pe-fc630-01 MMR_WINSYNC]#
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=testusr3,ou=people,dc=example,dc=com"; ns-activate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=testusr3,ou=people,dc=example,dc=com activated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=testusr3,ou=people,dc=example,dc=com"; ns-accountstatus.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=testusr3,ou=people,dc=example,dc=com - inactivated (inactivity limit exceeded).
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=yestusr3,ou=people,dc=example,dc=com"; ns-activate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=yestusr3,ou=people,dc=example,dc=com activated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=yestusr3,ou=people,dc=example,dc=com"; ns-activate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=yestusr3,ou=people,dc=example,dc=com already activated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=yestusr3,ou=people,dc=example,dc=com"; /usr/bin/ldapsearch -x -p $PORT -h localhost -D "$USER3" -w Secret123 -b "$USER3"
ldap_bind: Constraint violation (19)
additional info: Account inactivity limit exceeded. Contact system administrator to reset.
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19089; USER3="uid=yestusr3,ou=people,dc=example,dc=com"; ns-accountstatus.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=yestusr3,ou=people,dc=example,dc=com - inactivated (inactivity limit exceeded).

Build tested:

[root@dell-pe-fc630-01 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.3.5.10-12.el7_3.x86_64
389-ds-base-devel-1.3.5.10-12.el7_3.x86_64
389-ds-base-1.3.5.10-12.el7_3.x86_64
But with no account policy plugin configured, ns-activate.pl shows exit status "0" for users which are activated already. It's supposed to be returning 100 for already activated users. This issue seems not to be fixed, though!

[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19039; USER3="uid=yestusr3,ou=people,dc=example,dc=com"; ns-inactivate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=yestusr3,ou=people,dc=example,dc=com inactivated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19039; USER3="uid=yestusr3,ou=people,dc=example,dc=com"; ns-inactivate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=yestusr3,ou=people,dc=example,dc=com already inactivated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# echo $?
100
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19039; USER3="uid=yestusr3,ou=people,dc=example,dc=com"; ns-activate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=yestusr3,ou=people,dc=example,dc=com activated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# echo $?
0
[root@dell-pe-fc630-01 MMR_WINSYNC]# PORT=19039; USER3="uid=yestusr3,ou=people,dc=example,dc=com"; ns-activate.pl -D "cn=Directory Manager" -w Secret123 -h localhost -p $PORT -Z testinst2 -I $USER3
uid=yestusr3,ou=people,dc=example,dc=com activated.
[root@dell-pe-fc630-01 MMR_WINSYNC]# echo $?
0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2879.html