Bug 476261 - Compare operation in nsaccountlock returns error
Compare operation in nsaccountlock returns error
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Unknown (Show other bugs)
1.1.3
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Rich Megginson
Chandrasekar Kannan
https://www.redhat.com/archives/fedor...
:
Depends On:
Blocks: 249650 FDS1.2.0
  Show dependency treegraph
 
Reported: 2008-12-12 14:38 EST by Daniel Cristian Cruz
Modified: 2015-01-04 18:35 EST (History)
3 users (show)

See Also:
Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-29 19:08:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
cvs diff ldapserver/ldap/servers/plugins/cos/cos_cache.c (912 bytes, patch)
2009-02-13 18:57 EST, Noriko Hosoi
no flags Details | Diff
cvs commit message (622 bytes, text/plain)
2009-02-16 12:27 EST, Noriko Hosoi
no flags Details

  None (edit)
Description Daniel Cristian Cruz 2008-12-12 14:38:34 EST
Description of problem: compare operation against nsaccountlock returns error even if account is locked

Version-Release number of selected component (if applicable): 1.1.3

How reproducible: easy

Steps to Reproduce:
1. lock the account
2. use a compare operation with attribute 'nsaccountlock' and value 'true'
  
Actual results: No attribute (error 16)

Expected results: True?

Additional info: https://www.redhat.com/archives/fedora-directory-users/2008-December/msg00086.html
Comment 1 Rich Megginson 2008-12-12 15:33:07 EST
I think the problem may be that operational attributes do not work with the compare operation.  You tried with a regular attribute and compare works, correct?
Comment 2 Daniel Cristian Cruz 2008-12-12 16:52:33 EST
Yes, as shown in the thread, when used with a regular attribte it works.

Just get error message using nsaccountlock.
Comment 3 Noriko Hosoi 2009-02-13 18:57:48 EST
Created attachment 331887 [details]
cvs diff ldapserver/ldap/servers/plugins/cos/cos_cache.c

Description: Compare function for the CoS attribute cos_cache_cmp_attr failed to set the result.

By setting the right return code, the nsAccountLock matches true if the user's account is inactivated.
$ ldapcompare -D "cn=Directory Manager" -w <password> nsAccountLock:True "uid=tuser0,dc=example,dc=com"
comparing type: "nsAccountLock" value: "True" in entry "uid=tuser0,dc=example,dc=com"
compare TRUE
$ ldapcompare -D "cn=Directory Manager" -w <password> nsAccountLock:False "uid=tuser0,dc=example,dc=com"
comparing type: "nsAccountLock" value: "False" in entry "uid=tuser0,dc=example,dc=com"
compare FALSE

Note: once the user is activated, the compare command returns "No such attribute" (regardless of the value to compare, of course):
$ ldapcompare -D "cn=Directory Manager" -w <password> nsAccountLock:True "uid=tuser0,dc=example,dc=com"
comparing type: "nsAccountLock" value: "True" in entry "uid=tuser0,dc=example,dc=com"
ldap_compare: No such attribute
$ ldapcompare -D "cn=Directory Manager" -w <password> nsAccountLock:False "uid=tuser0,dc=example,dc=com"
comparing type: "nsAccountLock" value: "False" in entry "uid=tuser0,dc=example,dc=com"
ldap_compare: No such attribute
Comment 4 Noriko Hosoi 2009-02-16 12:27:48 EST
Created attachment 332061 [details]
cvs commit message

Reviewed by Rich (Thank you!!)

Checked in into CVS HEAD.
Comment 5 Jenny Galipeau 2009-03-19 12:59:54 EDT
fix verifiedd DS 8.1 RHEL 5

Inactive User:

[root@jennyv2 ~]# /usr/lib/mozldap/ldapcompare -D "cn=Directory Manager" -w Secret123 nsAccountLock:True "uid=ryan,ou=people,dc=example,dc=com"
comparing type: "nsAccountLock" value: "True" in entry "uid=ryan,ou=people,dc=example,dc=com"
compare TRUE
[root@jennyv2 ~]# /usr/lib/mozldap/ldapcompare -D "cn=Directory Manager" -w Secret123 nsAccountLock:False "uid=ryan,ou=people,dc=example,dc=com"
comparing type: "nsAccountLock" value: "False" in entry "uid=ryan,ou=people,dc=example,dc=com"
compare FALSE

Active User:

[root@jennyv2 ~]# /usr/lib/mozldap/ldapcompare -D "cn=Directory Manager" -w Secret123 nsAccountLock:True "uid=ryan,ou=people,dc=example,dc=com"
comparing type: "nsAccountLock" value: "True" in entry "uid=ryan,ou=people,dc=example,dc=com"
ldap_compare: No such attribute
[root@jennyv2 ~]# /usr/lib/mozldap/ldapcompare -D "cn=Directory Manager" -w Secret123 nsAccountLock:False "uid=ryan,ou=people,dc=example,dc=com"
comparing type: "nsAccountLock" value: "False" in entry "uid=ryan,ou=people,dc=example,dc=com"
ldap_compare: No such attribute
Comment 6 Chandrasekar Kannan 2009-04-29 19:08:55 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

Note You need to log in before you can comment on or make changes to this bug.