Red Hat Bugzilla – Bug 835238
Account Usability Control Not Working
Last modified: 2013-02-21 03:19:54 EST
Description of problem:
Account Usability Control fails to give relevant error messages for password-expired / account-locked users.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11

How reproducible:
Consistently

Steps to Reproduce:
1. Install latest 389-ds-base.
2. Configure global password policy. Use pwpol.ldif.
3. Create a few user accounts and wait until the account password has expired.
4. Bind as a normal user with an invalid password and lock the account.
5. Run ldapsearch (use the OpenDS clients) as the Directory Manager user with the -J option and the Account Usable Control, and check whether you get the right error message.

OpenDS client libraries are available in TET:
https://svn.devel.redhat.com/repos/DStetframework/trunk/data/DS/6.0/clients

cat pwpol.ldif
dn: cn=config
changetype: modify
replace: passwordexp
passwordexp: on
-
replace: passwordhistory
passwordhistory: on
-
replace: passwordlockout
passwordlockout: on
-
replace: passwordlockoutduration
passwordlockoutduration: 600
-
replace: passwordmaxage
passwordmaxage: 300
-
replace: passwordmaxfailure
passwordmaxfailure: 3
-
replace: passwordminage
passwordminage: 0
-
replace: passwordresetfailurecount
passwordresetfailurecount: 60
-
replace: passwordunlock
passwordunlock: on
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA
-
replace: passwordwarning
passwordwarning: 180

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h localhost -D "uid=accusbnewa9,ou=people,dc=passwordexp,dc=com" -w Secret123 -b "cn=config" objectclass=*
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
Additional Information:  password expired!
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com" -s sub -J "accountusability:true" "objectClass=*" "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com
--------
[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch --version
OpenDS Directory Server 2.3.0-build003
Build 20100611154447Z
--
           Name            Build number     Revision number
Extension: snmp-mib2605    2.3.0-build003   6500
--------
PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com" -s sub -J "1.3.6.1.4.1.42.2.27.9.5.8" "objectClass=*" "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

Hence, marking the status as "ASSIGNED".
--------
[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h localhost -D "uid=accusblockusr9,ou=people,dc=passwordexp,dc=com" -w Secret1234 -b "cn=config" objectclass=*
The simple bind attempt failed
Result Code:  19 (Constraint Violation)
Additional Information:  Exceed password retry limit. Please try later.
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusblockusr9,ou=People,dc=passwordexp,dc=com" -s sub -J "accountusability:true" "objectClass=*" "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusblockusr9,ou=People,dc=passwordexp,dc=com
--------

Result: FAIL - Account Usability Response Control fails to produce useful information about the user account. A similar result is observed with the "ldapsearch.pl" script provided in TET.

Actual results:
The Account Usable Control feature is not working.
Expected results: It should work as expected. It should give proper error messages for the ldapsearch.
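To see what "the right error message" would look like for the two users above, it helps to decode the response control by hand. The following is an added example, not code from this bug report, the OpenDS client or 389-ds-base. It decodes the BER value of the Account Usability Response Control (OID 1.3.6.1.4.1.42.2.27.9.5.8, the same OID as the request control; the response is attached to each returned entry) according to the control's ASN.1, which is a CHOICE between [0] INTEGER (seconds before password expiration, i.e. "usable") and [1] MORE_INFO (a SEQUENCE of inactive/reset/expired flags plus remaining_grace and seconds_before_unlock). The three sample values are hand-encoded here for illustration and are not captured from a server; the tag constants and the wording of the summaries are assumptions of this example.

```python
"""Decode the value of an LDAP Account Usability Response Control.

Added example (not code from the bug report, the OpenDS client or
389-ds-base).  The tags follow the ASN.1 of the Account Usability control
(request and response share OID 1.3.6.1.4.1.42.2.27.9.5.8):

    ACCOUNT_USABLE_RESPONSE ::= CHOICE {
        is_available     [0] INTEGER,      -- seconds before password expiry
        is_not_available [1] MORE_INFO }
    MORE_INFO ::= SEQUENCE {
        inactive              [0] BOOLEAN DEFAULT FALSE,
        reset                 [1] BOOLEAN DEFAULT FALSE,
        expired               [2] BOOLEAN DEFAULT FALSE,
        remaining_grace       [3] INTEGER OPTIONAL,
        seconds_before_unlock [4] INTEGER OPTIONAL }
"""

ACCOUNT_USABILITY_OID = "1.3.6.1.4.1.42.2.27.9.5.8"

TAG_AVAILABLE = 0x80              # [0] primitive: seconds before expiration
TAG_MORE_INFO = 0xA1              # [1] constructed: MORE_INFO sequence
TAG_INACTIVE = 0x80               # MORE_INFO [0]
TAG_RESET = 0x81                  # MORE_INFO [1]
TAG_EXPIRED = 0x82                # MORE_INFO [2]
TAG_REMAINING_GRACE = 0x83        # MORE_INFO [3]
TAG_SECONDS_BEFORE_UNLOCK = 0x84  # MORE_INFO [4]


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def _ber_int(v: bytes) -> int:
    if not v:
        raise ValueError("empty INTEGER")
    return int.from_bytes(v, "big", signed=True)


def _ber_bool(v: bytes) -> bool:
    if len(v) != 1:
        raise ValueError("BOOLEAN must be one byte")
    return v[0] != 0


def decode_account_usability(value: bytes) -> dict:
    """Decode the control value into a dict; raises ValueError on malformed input."""
    tag, body, end = _read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after control value")
    if tag == TAG_AVAILABLE:
        return {"usable": True, "seconds_before_expiration": _ber_int(body)}
    if tag != TAG_MORE_INFO:
        raise ValueError(f"unexpected outer tag 0x{tag:02x}")
    info = {"usable": False, "inactive": False, "reset": False, "expired": False,
            "remaining_grace": None, "seconds_before_unlock": None}
    pos = 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == TAG_INACTIVE:
            info["inactive"] = _ber_bool(v)
        elif t == TAG_RESET:
            info["reset"] = _ber_bool(v)
        elif t == TAG_EXPIRED:
            info["expired"] = _ber_bool(v)
        elif t == TAG_REMAINING_GRACE:
            info["remaining_grace"] = _ber_int(v)
        elif t == TAG_SECONDS_BEFORE_UNLOCK:
            info["seconds_before_unlock"] = _ber_int(v)
        else:
            raise ValueError(f"unexpected MORE_INFO tag 0x{t:02x}")
    return info


def describe(info: dict) -> str:
    """One-line summary, in the spirit of the client's '# The account is usable' comment."""
    if info["usable"]:
        return f"The account is usable ({info['seconds_before_expiration']} seconds before password expiration)"
    reasons = []
    if info["inactive"]:
        reasons.append("account is inactive")
    if info["reset"]:
        reasons.append("password was reset and must be changed")
    if info["expired"]:
        grace = info["remaining_grace"]
        reasons.append("password has expired" + (f" ({grace} grace logins remaining)" if grace is not None else ""))
    if info["seconds_before_unlock"] is not None:
        reasons.append(f"account is locked ({info['seconds_before_unlock']} seconds before unlock)")
    return "The account is not usable: " + ("; ".join(reasons) or "no reason given")


# Constructed sample control values (hand-encoded BER, not captured from a server).
SAMPLE_USABLE = b"\x80\x02\x00\xf0"                    # [0] INTEGER 240
SAMPLE_EXPIRED = b"\xa1\x06\x82\x01\xff\x83\x01\x00"   # [1] { expired TRUE, remaining_grace 0 }
SAMPLE_LOCKED = b"\xa1\x04\x84\x02\x02\x58"            # [1] { seconds_before_unlock 600 }

if __name__ == "__main__":
    for name, raw in (("usable", SAMPLE_USABLE), ("expired", SAMPLE_EXPIRED), ("locked", SAMPLE_LOCKED)):
        print(f"{name:8s} {describe(decode_account_usability(raw))}")
```

The point of the check: the client prints "The account is usable" only when the server returns the [0] INTEGER form. For accusbnewa9 (bind fails with "password expired!") a correct response is the [1] MORE_INFO form with expired TRUE, and for accusblockusr9 (bind fails with "Exceed password retry limit") the [1] form with seconds_before_unlock set (600 under the passwordlockoutduration in pwpol.ldif). A decoder that refuses trailing bytes and unknown tags, as above, also makes it obvious when the control value is garbage rather than merely wrong.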
Upstream ticket: https://fedorahosted.org/389/ticket/396
Created attachment 594638
git patch file (redhat/rhel-6.3)

Fix Description: Commit 003812911f56619f0db58ba627037644fb0f68fb broke the feature. This patch backs out that change so that get_entry accepts a NULL pblock, which is necessary for the Account Usability plugin.
Steps to verify: RHEL63 Acceptance/Password (pwdpolicy/pwpolicy)
Ported account usability test cases from trunk.

testcases/DS/6.0/pwpolicy/
M  pwdpolicy.sh

data/DS/6.0/pwpolicy/
A  en/acctlusr
AM en/ldapsearch1.pl
A  en/noctlusr

===== [Pass/Fail] break down =====
Test Name              PASS            FAIL  NORESULT
Password startup       100% (1/1)
password policy run    100% (305/305)
(In reply to comment #4)
> Steps to verify: RHEL63 Acceptance/Password (pwdpolicy/pwpolicy)
> Ported account usability test cases from trunk.
>
> testcases/DS/6.0/pwpolicy/
> M  pwdpolicy.sh
>
> data/DS/6.0/pwpolicy/
> A  en/acctlusr
> AM en/ldapsearch1.pl
> A  en/noctlusr
>
> ===== [Pass/Fail] break down =====
> Test Name              PASS            FAIL  NORESULT
> Password startup       100% (1/1)
> password policy run    100% (305/305)

These changes are not yet part of the execution, since I was not sure what the error messages would be for PASS/FAIL. I will make the necessary changes and check in the required stuff to both rhel63 and trunk.
Updated the pwpolicy test suite with the Account Usability Control test cases. I also copied the OpenDS clients to TET. I made the tests run and produce results based on the OpenDS clients.
Password startup       100% (1/1)
password policy run    100% (305/305)

On both i386 and x86_64. Hence marking as VERIFIED.
RPM :: 389-ds-base-1.2.11.15-3.el6

All Account Usability Control tests on 64-bit and 32-bit machines on RHEL64 are passing. Hence marking the bug as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0503.html