Bug 835238 - Account Usability Control Not Working
Summary: Account Usability Control Not Working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On:
Blocks: 836251
Reported: 2012-06-25 19:57 UTC by Sankar Ramalingam
Modified: 2020-09-13 20:13 UTC
CC List: 5 users

Fixed In Version: 389-ds-base-1.2.11.12-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: An underlying function that the Account Usability Control plug-in calls was changed so that it no longer accepted a NULL parameter block. Consequence: The Account Usability Control could not be used; the response control reported every account as usable. Fix: The change was reverted. Result: The Account Usability Control is available again.
Clone Of:
Environment:
Last Closed: 2013-02-21 08:19:54 UTC
Target Upstream Version:
Embargoed:


Attachments
git patch file (redhat/rhel-6.3) (4.57 KB, patch)
2012-06-26 23:52 UTC, Noriko Hosoi
Flags: nhosoi: review?


Links
System                   | ID                 | Private | Priority | Status       | Summary                                                                   | Last Updated
Github 389ds/389-ds-base | issue 396          | no      | None     | None         | None                                                                      | 2020-09-13 20:13:00 UTC
Red Hat Product Errata   | RHSA-2013:0503     | no      | normal   | SHIPPED_LIVE | Moderate: 389-ds-base security, bug fix, and enhancement update           | 2013-02-21 08:18:44 UTC

Description Sankar Ramalingam 2012-06-25 19:57:06 UTC
Description of problem: Account Usability Control fails to give relevant error messages for password-expired/account-locked users.


Version-Release number of selected component (if applicable): 389-ds-base-1.2.11


How reproducible: Consistently


Steps to Reproduce:
1. Install latest 389-ds-base.
2. Configure Global password policy. Use pwpol.ldif
3. Create few user accounts and wait till account password is expired.
4. Bind as normal user with invalid password and lock the account.
5. Run ldapsearch (use the OpenDS client) as the Directory Manager with the -J option carrying the Account Usability Control and check whether you get the right error message.

OpenDS client libraries available in TET.
https://svn.devel.redhat.com/repos/DStetframework/trunk/data/DS/6.0/clients

cat pwpol.ldif
dn: cn=config
changetype: modify
replace: passwordexp
passwordexp: on
-
replace: passwordhistory
passwordhistory: on
-
replace: passwordlockout
passwordlockout: on
-
replace: passwordlockoutduration
passwordlockoutduration: 600
-
replace: passwordmaxage
passwordmaxage: 300
-
replace: passwordmaxfailure
passwordmaxfailure: 3
-
replace: passwordminage
passwordminage: 0
-
replace: passwordresetfailurecount
passwordresetfailurecount: 60
-
replace: passwordunlock
passwordunlock: on
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA
-
replace: passwordwarning
passwordwarning: 180

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h localhost -D "uid=accusbnewa9,ou=people,dc=passwordexp,dc=com" -w Secret123 -b "cn=config" objectclass=*
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
Additional Information:  password expired!
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com"  -s sub -J "accountusability:true" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

--------
[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch --version
OpenDS Directory Server 2.3.0-build003
Build 20100611154447Z
-- 
           Name                 Build number         Revision number
Extension: snmp-mib2605         2.3.0-build003       6500
--------
PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com"  -s sub -J "1.3.6.1.4.1.42.2.27.9.5.8" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

Hence, marking the status as "ASSIGNED".
--------

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h localhost -D "uid=accusblockusr9,ou=people,dc=passwordexp,dc=com" -w Secret1234 -b "cn=config" objectclass=*
The simple bind attempt failed
Result Code:  19 (Constraint Violation)
Additional Information:  Exceed password retry limit. Please try later.
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusblockusr9,ou=People,dc=passwordexp,dc=com"  -s sub -J "accountusability:true" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusblockusr9,ou=People,dc=passwordexp,dc=com
--------

Result: FAIL - Account Usability Response Control fails to produce useful information about the user account. A similar result is observed with the "ldapsearch.pl" script provided in TET.

Actual results: Account Usable Control feature is not working.


Expected results: It should work as expected. It should give proper error messages for the ldapsearch.
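
Decoding the response control value directly is the quickest way to see what the server actually returned, independent of how the OpenDS client renders it. The following is an added example, not code from the bug report, the TET suite, OpenDS or 389-ds-base. It assumes the BER layout of the Account Usability Control draft (OID 1.3.6.1.4.1.42.2.27.9.5.8) that the OpenDS client implements; the context-specific tag numbers in the code are an assumption taken from that draft, and the sample control values are constructed in the block, not captured from a server. A client that obtains the value from a real search result (for example from the response controls python-ldap returns for that OID) would pass those octets to decode_account_usability():

```python
"""Decode the Account Usability Response Control (OID 1.3.6.1.4.1.42.2.27.9.5.8).

Added example, not code from 389-ds-base, OpenDS or this bug report. The BER
layout and context-specific tag numbers below are assumed from the Account
Usability Control draft that the OpenDS client implements:

    ACCOUNT_USABLE_RESPONSE ::= CHOICE {
        is_available [0] INTEGER,          -- seconds before password expiry
        is_not_available [1] SEQUENCE {
            inactive [0] BOOLEAN DEFAULT FALSE,   reset [1] BOOLEAN DEFAULT FALSE,
            expired [2] BOOLEAN DEFAULT FALSE,    remaining_grace [3] INTEGER OPTIONAL,
            seconds_before_unlock [4] INTEGER OPTIONAL } }
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCT_USABILITY_OID = "1.3.6.1.4.1.42.2.27.9.5.8"
TAG_AVAILABLE, TAG_NOT_AVAILABLE = 0x80, 0xA1        # [0] primitive, [1] constructed
TAG_INACTIVE, TAG_RESET, TAG_EXPIRED = 0x80, 0x81, 0x82
TAG_REMAINING_GRACE, TAG_SECONDS_BEFORE_UNLOCK = 0x83, 0x84


@dataclass
class AccountUsability:
    usable: bool
    seconds_before_expiration: Optional[int] = None
    inactive: bool = False
    reset: bool = False
    expired: bool = False
    remaining_grace: Optional[int] = None
    seconds_before_unlock: Optional[int] = None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV with a single-byte tag; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def _ber_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


def decode_account_usability(control_value: bytes) -> AccountUsability:
    """Parse the controlValue octets of the response control."""
    tag, value, end = _read_tlv(control_value, 0)
    if end != len(control_value):
        raise ValueError("trailing bytes after control value")
    if tag == TAG_AVAILABLE:
        return AccountUsability(usable=True, seconds_before_expiration=_ber_int(value))
    if tag != TAG_NOT_AVAILABLE:
        raise ValueError(f"unexpected outer tag 0x{tag:02x}")
    info, pos = AccountUsability(usable=False), 0
    while pos < len(value):                           # optional members, any subset
        t, v, pos = _read_tlv(value, pos)
        if t == TAG_INACTIVE:
            info.inactive = v != b"\x00"
        elif t == TAG_RESET:
            info.reset = v != b"\x00"
        elif t == TAG_EXPIRED:
            info.expired = v != b"\x00"
        elif t == TAG_REMAINING_GRACE:
            info.remaining_grace = _ber_int(v)
        elif t == TAG_SECONDS_BEFORE_UNLOCK:
            info.seconds_before_unlock = _ber_int(v)
        else:
            raise ValueError(f"unexpected MORE_INFO tag 0x{t:02x}")
    return info


def summarize(info: AccountUsability) -> List[str]:
    """Render the decoded control the way the OpenDS ldapsearch prints it."""
    if info.usable:
        return ["The account is usable",
                f"Seconds until password expiration: {info.seconds_before_expiration}"]
    lines = ["The account is not usable"]
    for flag, text in ((info.inactive, "The account has been deactivated"),
                       (info.reset, "The password has been reset"),
                       (info.expired, "The password has expired")):
        if flag:
            lines.append(text)
    if info.remaining_grace is not None:
        lines.append(f"Remaining grace logins: {info.remaining_grace}")
    if info.seconds_before_unlock is not None:
        lines.append(f"Seconds until unlock: {info.seconds_before_unlock}")
    return lines


# Encoder: only used here to build constructed sample values (not captured from a server).
def _tlv(tag: int, value: bytes) -> bytes:
    if len(value) >= 128:
        raise ValueError("long-form length not needed for these values")
    return bytes([tag, len(value)]) + value


def _int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)  # minimal two's complement


def encode_usable(seconds_before_expiration: int) -> bytes:
    return _tlv(TAG_AVAILABLE, _int_bytes(seconds_before_expiration))


def encode_not_usable(inactive=False, reset=False, expired=False,
                      remaining_grace=None, seconds_before_unlock=None) -> bytes:
    body = b"".join(_tlv(tag, b"\xff") for tag, on in
                    ((TAG_INACTIVE, inactive), (TAG_RESET, reset), (TAG_EXPIRED, expired)) if on)
    if remaining_grace is not None:
        body += _tlv(TAG_REMAINING_GRACE, _int_bytes(remaining_grace))
    if seconds_before_unlock is not None:
        body += _tlv(TAG_SECONDS_BEFORE_UNLOCK, _int_bytes(seconds_before_unlock))
    return _tlv(TAG_NOT_AVAILABLE, body)


if __name__ == "__main__":
    # Constructed samples matching the policy in pwpol.ldif: passwordmaxage 300, lockout 600.
    for sample in (encode_usable(300), encode_not_usable(expired=True, remaining_grace=0),
                   encode_not_usable(seconds_before_unlock=600)):
        print(sample.hex(), summarize(decode_account_usability(sample)))
```

With the policy from pwpol.ldif a correct server should answer the locked user accusblockusr9 with the [1] form carrying seconds_before_unlock (at most 600) and the expired user accusbnewa9 with the [1] form carrying expired, rather than the [0] "usable" form the report shows. Checking the raw octets this way also catches a client that silently ignores an unknown or malformed control value.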

Comment 2 Nathan Kinder 2012-06-26 21:29:33 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/396

Comment 3 Noriko Hosoi 2012-06-26 23:52:02 UTC
Created attachment 594638 [details]
git patch file (redhat/rhel-6.3)

Fix Description: Commit 003812911f56619f0db58ba627037644fb0f68fb
broke the feature.  This patch is backing off the change so that
get_entry accepts NULL pblock, which is necessary for the
Account Usability plugin.

Comment 4 Noriko Hosoi 2012-06-27 01:09:26 UTC
Steps to verify:
RHEL63 Acceptance/Password (pwdpolicy/pwpolicy)
  Ported account usability test cases from trunk.
  testcases/DS/6.0/pwpolicy/
  M    pwdpolicy.sh

  data/DS/6.0/pwpolicy/
  A    en/acctlusr
  AM   en/ldapsearch1.pl
  A    en/noctlusr

===== [Pass/Fail] break down =====
Test Name               PASS 	FAIL 	NORESULT
Password startup        100% (1/1) 	  	 
password policy run     100% (305/305)

Comment 6 Sankar Ramalingam 2012-06-27 11:34:53 UTC
(In reply to comment #4)
> Steps to verify:
> RHEL63 Acceptance/Password (pwdpolicy/pwpolicy)
>   Ported account usability test cases from trunk.
>   testcases/DS/6.0/pwpolicy/
>   M    pwdpolicy.sh
> 
>   data/DS/6.0/pwpolicy/
>   A    en/acctlusr
>   AM   en/ldapsearch1.pl
>   A    en/noctlusr
> 
> ===== [Pass/Fail] break down =====
> Test Name               PASS 	FAIL 	NORESULT
> Password startup        100% (1/1) 	  	 
> password policy run     100% (305/305)
These changes are not yet part of the execution since I was not sure what the error messages would be for PASS/FAIL. I will make the necessary changes and check in the required stuff to both rhel63 and trunk.

Comment 8 Sankar Ramalingam 2012-06-29 14:58:04 UTC
Updated the pwpolicy test suite with the Account Usability Control test cases. I also copied the OpenDS clients to TET. I made the tests run and produce results based on the OpenDS clients.

Comment 9 Amita Sharma 2012-07-03 13:48:38 UTC
Password startup 	100% (1/1) 	  	 
password policy run 	100% (305/305)

On both i386 and x86_64.
Hence marking as VERIFIED.

Comment 12 Amita Sharma 2012-11-16 07:58:45 UTC
RPM :: 389-ds-base-1.2.11.15-3.el6
All Account Usability Control tests on 64- and 32-bit machines on RHEL64 are passing.
Hence marking bug as VERIFIED.

Comment 13 errata-xmlrpc 2013-02-21 08:19:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html

