Bug 2174161 - [RFE] Required to support both at a same time account inactivity and expiration. [12.3]
Summary: [RFE] Required to support both at a same time account inactivity and expirati...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 11.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: DS12.3
: dirsrv-12.3
Assignee: mreynolds
QA Contact: LDAP QA Team
Mugdha Soni
URL:
Whiteboard: sync-to-jira
: 2174160 (view as bug list)
Depends On:
Blocks: 2265541
TreeView+ depends on / blocked
 
Reported: 2023-02-28 18:38 UTC by Danish Shaikh
Modified: 2024-04-03 13:41 UTC (History)
12 users (show)

Fixed In Version: redhat-ds-12-9030020230711000312-1674d57
Doc Type: Enhancement
Doc Text:
.The `checkAllStateAttrs` configuration option is now available You can apply both account inactivity and password expiration when a user authenticates by using the `checkAllStateAttrs` setting. When you enable this parameter, it checks the main state attribute and, if the account information is correct, it then checks the alternate state attribute.
Clone Of:
: 2265541 (view as bug list)
Environment:
Last Closed: 2023-11-21 15:13:16 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 5749 0 None closed RFE - allow account policy plugin to handle both inactivity and password expiration 2023-09-26 23:39:26 UTC
Red Hat Issue Tracker IDMDS-2947 0 None None None 2023-04-17 17:15:57 UTC
Red Hat Issue Tracker IDMDS-3521 0 None None None 2023-08-09 09:39:17 UTC
Red Hat Product Errata RHEA-2023:7429 0 None None None 2023-11-21 15:13:34 UTC

Description Danish Shaikh 2023-02-28 18:38:02 UTC 
Description of problem:

when creating Account Policy plug-in configuration entry stateAttrName can be either lastLoginTime or createTimestamp.

As a part of customer security compliancy, we are required to support both account inactivity and expiration. This is an urgent requirement which we are trying to realise through RHDS.



Version-Release number of selected component (if applicable):

RHDS 11.


How reproducible:

20.10.2. Account Inactivity and Account Expiration
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/account-policy-plugin


Actual results:

- The alternate attribute  option is a fallback when the primary attribute does not exist.

- You can set a secondary attribute in altStateAttrName, that is checked if the primary one defined in stateAttrName does not exist"



Expected results:

As a part of customer security compliance, we are required to support both account inactivity and expiration. 


Additional info:
Comment 2 mreynolds 2023-03-29 14:52:46 UTC 
*** Bug 2174160 has been marked as a duplicate of this bug. ***
Comment 6 mreynolds 2023-05-02 16:57:31 UTC 
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5749
Comment 7 mreynolds 2023-05-02 17:51:42 UTC 
Design Doc:

https://www.port389.org/docs/389ds/design/account-policy-inactivity-and-expiration-design.html
Comment 18 bsmejkal 2023-09-13 13:03:52 UTC 
============================================================================================================ test session starts =============================================================================================================
platform linux -- Python 3.9.17, pytest-7.4.2, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.9.17', 'Platform': 'Linux-5.14.0-362.2.1.el9_3.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '7.4.2', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '3.0.0', 'html': '4.0.1', 'libfaketime': '0.1.2', 'flaky': '3.7.0'}}
389-ds-base: 2.3.6-4.module+el9dsrv+19950+6ff0d0d4
nss: 3.90.0-3.el9_2
nspr: 4.35.0-3.el9_2
openldap: 2.6.3-1.el9
cyrus-sasl: 2.1.27-21.el9
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests
configfile: pytest.ini
plugins: metadata-3.0.0, html-4.0.1, libfaketime-0.1.2, flaky-3.7.0
collected 1 item                                                                                                                                                                                                                             

dirsrvtests/tests/suites/plugins/accpol_check_all_state_attrs_test.py::test_inactivty_and_expiration PASSED                                                                                                                            [100%]

============================================================================================================= 1 passed in 37.51s =============================================================================================================

Marking as VERIFIED.
Comment 21 errata-xmlrpc 2023-11-21 15:13:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (redhat-ds:12 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:7429
Note You need to log in before you can comment on or make changes to this bug.