Bug 835238 - Account Usability Control Not Working
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
Version: 6.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Rich Megginson
QA Contact: Sankar Ramalingam
Keywords: ZStream
Blocks: 836251
Reported: 2012-06-25 15:57 EDT by Sankar Ramalingam
Modified: 2013-02-21 03:19 EST

Fixed In Version: 389-ds-base-1.2.11.12-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: The underlying layer that Account Usability Control calls was improperly changed.
Consequence: Account Usability Control could not be used.
Fix: This version fixes the bug.
Result: Account Usability Control is available.
Last Closed: 2013-02-21 03:19:54 EST
Type: Bug


Attachments
git patch file (redhat/rhel-6.3) (4.57 KB, patch)
2012-06-26 19:52 EDT, Noriko Hosoi
Flag: nhosoi: review?

Description Sankar Ramalingam 2012-06-25 15:57:06 EDT
Description of problem: Account Usability Control fails to give relevant error messages for users whose password has expired or whose account is locked.


Version-Release number of selected component (if applicable): 389-ds-base-1.2.11


How reproducible: Consistently


Steps to Reproduce:
1. Install the latest 389-ds-base.
2. Configure the global password policy using pwpol.ldif.
3. Create a few user accounts and wait until their passwords have expired.
4. Bind as a normal user with an invalid password and lock the account.
5. Run ldapsearch (using the OpenDS clients) as the Directory Manager user with the -J option and the Account Usable Control, and check whether you get the right error message.

The OpenDS client libraries are available in TET.
https://svn.devel.redhat.com/repos/DStetframework/trunk/data/DS/6.0/clients

cat pwpol.ldif
dn: cn=config
changetype: modify
replace: passwordexp
passwordexp: on
-
replace: passwordhistory
passwordhistory: on
-
replace: passwordlockout
passwordlockout: on
-
replace: passwordlockoutduration
passwordlockoutduration: 600
-
replace: passwordmaxage
passwordmaxage: 300
-
replace: passwordmaxfailure
passwordmaxfailure: 3
-
replace: passwordminage
passwordminage: 0
-
replace: passwordresetfailurecount
passwordresetfailurecount: 60
-
replace: passwordunlock
passwordunlock: on
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA
-
replace: passwordwarning
passwordwarning: 180

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h localhost -D "uid=accusbnewa9,ou=people,dc=passwordexp,dc=com" -w Secret123 -b "cn=config" objectclass=*
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
Additional Information:  password expired!
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com"  -s sub -J "accountusability:true" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

--------
[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch --version
OpenDS Directory Server 2.3.0-build003
Build 20100611154447Z
-- 
           Name                 Build number         Revision number
Extension: snmp-mib2605         2.3.0-build003       6500
--------
PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusbnewa9,ou=People,dc=passwordexp,dc=com"  -s sub -J "1.3.6.1.4.1.42.2.27.9.5.8" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusbnewa9,ou=People,dc=passwordexp,dc=com

Hence, marking the status as "ASSIGNED".
--------

[root@newsankarlapy MMR_SCRIPTS]# /export/opends/bin/ldapsearch -p 1389 -h localhost -D "uid=accusblockusr9,ou=people,dc=passwordexp,dc=com" -w Secret1234 -b "cn=config" objectclass=*
The simple bind attempt failed
Result Code:  19 (Constraint Violation)
Additional Information:  Exceed password retry limit. Please try later.
--------
[root@newsankarlapy MMR_SCRIPTS]# PORT=1389; /export/opends/bin/ldapsearch -D "cn=Directory Manager" -w Secret123 -p $PORT -h localhost -b "uid=accusblockusr9,ou=People,dc=passwordexp,dc=com"  -s sub -J "accountusability:true" "objectClass=*"  "dn: uid=*"
# Account Usability Response Control
#   The account is usable
dn: uid=accusblockusr9,ou=People,dc=passwordexp,dc=com
--------

Result: FAIL - Account Usability Response Control fails to produce useful information about the user account. A similar result is observed with the "ldapsearch.pl" script provided in TET.

Actual results: The Account Usable Control feature is not working.


Expected results: It should work as expected. It should give proper error messages in the ldapsearch output.
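The report shows the OpenDS client collapsing the response control into a one-line "The account is usable" summary, which is exactly what hid the expired and locked states here. The following is an added example, not part of the bug report and not 389-ds-base or OpenDS code: a stand-alone Python decoder for the Account Usability Response Control value (request OID 1.3.6.1.4.1.42.2.27.9.5.8, the one used in the report), so an audit script can look at the individual flags instead of trusting a summary. The ASN.1 layout and the implicit context-specific tagging used below are my reading of the Account Usability draft as OpenDS and 389-ds implement it; the three byte strings are constructed for the example, not captured from the server in the report.

```python
# Added example (not from the bug report, not 389-ds-base/OpenDS code).
# Decodes the Account Usability Response Control value so a script can
# distinguish a usable account from an expired, reset, inactive or locked one.
#
# Encoding assumed here (Account Usability draft, as OpenDS/389-ds use it,
# with LDAP's default implicit context-specific tags):
#
#   ACCOUNT_USABLE_RESPONSE ::= CHOICE {
#     is_available      [0] INTEGER,     -- seconds before expiration
#     is_not_available  [1] MORE_INFO }
#   MORE_INFO ::= SEQUENCE {
#     inactive              [0] BOOLEAN DEFAULT FALSE,
#     reset                 [1] BOOLEAN DEFAULT FALSE,
#     expired               [2] BOOLEAN DEFAULT FALSE,
#     remaining_grace       [3] INTEGER OPTIONAL,
#     seconds_before_unlock [4] INTEGER OPTIONAL }

ACCOUNT_USABILITY_REQUEST_OID = "1.3.6.1.4.1.42.2.27.9.5.8"


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated control value")
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not used by this control")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated control value")
    return tag, buf[pos:end], end


def _ber_int(value):
    """Decode a BER INTEGER content octet string (two's complement)."""
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_account_usability(value):
    """Decode the response control value into a dict describing the account."""
    tag, inner, end = _read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after control value")
    if tag == 0x80:  # is_available [0] INTEGER, primitive
        return {"usable": True, "seconds_before_expiration": _ber_int(inner)}
    if tag != 0xA1:  # is_not_available [1] MORE_INFO, constructed
        raise ValueError("unexpected CHOICE tag 0x%02x" % tag)
    info = {"usable": False, "inactive": False, "reset": False, "expired": False,
            "remaining_grace": None, "seconds_before_unlock": None}
    pos = 0
    while pos < len(inner):
        tag, v, pos = _read_tlv(inner, pos)
        if tag == 0x80:
            info["inactive"] = v != b"\x00"
        elif tag == 0x81:
            info["reset"] = v != b"\x00"
        elif tag == 0x82:
            info["expired"] = v != b"\x00"
        elif tag == 0x83:
            info["remaining_grace"] = _ber_int(v)
        elif tag == 0x84:
            info["seconds_before_unlock"] = _ber_int(v)
        else:
            raise ValueError("unexpected MORE_INFO tag 0x%02x" % tag)
    return info


def describe(value):
    """One-line summary that keeps the reason instead of just 'usable'/'not usable'."""
    r = decode_account_usability(value)
    if r["usable"]:
        return "The account is usable (%d seconds before expiration)" % r["seconds_before_expiration"]
    reasons = [k for k in ("inactive", "reset", "expired") if r[k]]
    if r["seconds_before_unlock"] is not None:
        reasons.append("locked for %d more seconds" % r["seconds_before_unlock"])
    if r["remaining_grace"] is not None:
        reasons.append("%d grace logins left" % r["remaining_grace"])
    return "The account is not usable: " + ", ".join(reasons or ["no reason given"])


# Constructed sample control values (not captured from the server in the report).
USABLE = bytes([0x80, 0x02, 0x01, 0x2C])                               # is_available: 300 s
EXPIRED = bytes([0xA1, 0x03, 0x82, 0x01, 0xFF])                        # expired: TRUE
LOCKED = bytes([0xA1, 0x07, 0x82, 0x01, 0x00, 0x84, 0x02, 0x02, 0x58])  # expired: FALSE, unlock in 600 s

if __name__ == "__main__":
    for name, v in (("usable", USABLE), ("expired", EXPIRED), ("locked", LOCKED)):
        print(name, "->", describe(v))
```

Pass the raw value of the response control returned by your LDAP client library to decode_account_usability; the request control itself (the OID above, sent with the search as in the report's -J option) is left out so the block runs offline. The bind attempts in the report remain the independent check: when the decoded control says usable but a bind fails with "password expired" or "Exceed password retry limit", it is the control output that is wrong, which is what this bug records.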
Comment 2 Nathan Kinder 2012-06-26 17:29:33 EDT
Upstream ticket:
https://fedorahosted.org/389/ticket/396
Comment 3 Noriko Hosoi 2012-06-26 19:52:02 EDT
Created attachment 594638 [details]
git patch file (redhat/rhel-6.3)

Fix Description: Commit 003812911f56619f0db58ba627037644fb0f68fb
broke the feature.  This patch is backing off the change so that
get_entry accepts NULL pblock, which is necessary for the
Account Usability plugin.
Comment 4 Noriko Hosoi 2012-06-26 21:09:26 EDT
Steps to verify:
RHEL63 Acceptance/Password (pwdpolicy/pwpolicy)
  Ported account usability test cases from trunk.
  testcases/DS/6.0/pwpolicy/
  M    pwdpolicy.sh

  data/DS/6.0/pwpolicy/
  A    en/acctlusr
  AM   en/ldapsearch1.pl
  A    en/noctlusr

===== [Pass/Fail] break down =====
Test Name               PASS 	FAIL 	NORESULT
Password startup        100% (1/1) 	  	 
password policy run     100% (305/305)
Comment 6 Sankar Ramalingam 2012-06-27 07:34:53 EDT
(In reply to comment #4)
> Steps to verify:
> RHEL63 Acceptance/Password (pwdpolicy/pwpolicy)
>   Ported account usability test cases from trunk.
>   testcases/DS/6.0/pwpolicy/
>   M    pwdpolicy.sh
> 
>   data/DS/6.0/pwpolicy/
>   A    en/acctlusr
>   AM   en/ldapsearch1.pl
>   A    en/noctlusr
> 
> ===== [Pass/Fail] break down =====
> Test Name               PASS 	FAIL 	NORESULT
> Password startup        100% (1/1) 	  	 
> password policy run     100% (305/305)
These changes are not yet part of execution since I was not sure what the error messages would be if it's PASS/FAIL. I will make the necessary changes and check in the required stuff to both rhel63 and trunk.
Comment 8 Sankar Ramalingam 2012-06-29 10:58:04 EDT
Updated the pwpolicy test suite with the Account Usability Control test cases. I also copied the OpenDS clients to TET. I made the tests run and produce results based on the OpenDS clients.
Comment 9 Amita Sharma 2012-07-03 09:48:38 EDT
Password startup 	100% (1/1) 	  	 
password policy run 	100% (305/305)

On both i386 and x86_64.
Hence marking as VERIFIED.
Comment 12 Amita Sharma 2012-11-16 02:58:45 EST
RPM :: 389-ds-base-1.2.11.15-3.el6
All Account usability control tests on 64 and 32 bit machines on RHEL64 are passing.
Hence marking bug as VERIFIED.
Comment 13 errata-xmlrpc 2013-02-21 03:19:54 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html
