Bug
Resolution: Unresolved
Normal
None
Description of problem:
Re-enabling user accounts that reached inactivity limit fails with error
Version-Release number of selected component (if applicable):
389-ds-base-libs-2.0.12-1.module+el9dsrv+13429+4f44f3c4.x86_64
389-ds-base-2.0.12-1.module+el9dsrv+13429+4f44f3c4.x86_64
389-ds-base-snmp-2.0.12-1.module+el9dsrv+13429+4f44f3c4.x86_64
389-ds-base-devel-2.0.12-1.module+el9dsrv+13429+4f44f3c4.x86_64
389-ds-base-libs-debuginfo-2.0.12-1.module+el9dsrv+13429+4f44f3c4.x86_64
How reproducible: Always
Steps to Reproduce:
1.) Create a user example on an existing DS instance
ldapadd -D "cn=Directory Manager" -W -p 389 -h localhost -x
dn: uid=example,ou=People,dc=example,dc=com
uid: jdoe
givenName: given_name
objectClass: top
objectClass: organizationalPerson
objectClass: inetorgperson
sn: surname
cn: example
userpassword: password
2.) Create policy to disable inactive account after x days
dsconf -D "cn=Directory Manager" ldap://localhost plugin account-policy enable
Configure the plug-in configuration entry:
dsconf -D "cn=Directory Manager" ldap://localhost plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime --alt-state-attr 1.1 --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit
Restart the instance:
- dsctl instance_name restart
Create the account expiration policy entry:
- ldapadd -D "cn=Directory Manager" -W -H ldap://localhost -x
dn: cn=Account Expiration Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
accountInactivityLimit: 5184000
cn: Account Expiration Policy
The value in the accountInactivityLimit attribute configures that accounts expire 5184000 seconds (60 days) after they have been created.
Create the CoS template entry:
- ldapadd -D "cn=Directory Manager" -W -H ldap://localhost -x
dn: cn=TemplateCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: cosTemplate
acctPolicySubentry: cn=Account Expiration Policy,dc=example,dc=com
This template entry references the account expiration policy.
Create the CoS definition entry:
- ldapadd -D "cn=Directory Manager" -W -H ldap://localhost -x
dn: cn=DefinitionCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=TemplateCoS,dc=example,dc=com
cosAttribute: acctPolicySubentry default operational-default
Set last login time to the past
ldapmodify -H ldap://localhost -x -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: uid=example,ou=People,dc=example,dc=com
changetype: modify
replace: lastLoginTime
lastLoginTime: 20210101000000Z
modifying entry "uid=example,ou=People,dc=example,dc=com"
3.) Simulate use with inactive account
ldapsearch -H ldap://localhost -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com"
Enter LDAP Password:
ldap_bind: Constraint violation (19)
additional info: Account inactivity limit exceeded. Contact system administrator to reset.
4.) Verify user is rendered inactive
5.) Reactivate account
Reactivate the account using the dsconf account unlock command:
Observe error below:
dsidm -D "cn=Directory Manager" ldap://localhost -b "dc=example,dc=com" account unlock "uid=example,ou=People,dc=example,dc=com"
Enter password for cn=Directory Manager on ldap://localhost:
Error: float() argument must be a string or a number, not 'NoneType'
Actual results:
Expected results:
Additional info:
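The inactivity check that the reproduction above exercises, as an added Python example (not part of the original report, and not lib389 or Account Policy plug-in code). It compares lastLoginTime plus accountInactivityLimit against the current time and returns an explicit state when either attribute is absent, rather than passing None to float(), which raises the kind of TypeError shown in step 5. The function names, the dict shape of the entries, the strict "greater than" comparison and the "now" values are assumptions.

```python
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20210101000000Z (UTC form only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inactivity_status(entry, policy, now):
    """Return (state, seconds) for an account.

    entry and policy are dicts of attribute name -> single string value
    (assumed shape for this example). policy may be None when no
    acctPolicySubentry applies to the entry.
    """
    raw_limit = policy.get("accountInactivityLimit") if policy else None
    if raw_limit is None:
        # No limit to evaluate: report it instead of converting None.
        return ("no-policy", None)
    last_login = entry.get("lastLoginTime")
    if last_login is None:
        # No state attribute recorded yet for this account.
        return ("no-state", None)
    limit = int(raw_limit)
    idle = int((now - parse_generalized_time(last_login)).total_seconds())
    if idle > limit:
        return ("inactive", idle - limit)   # seconds past the limit
    return ("active", limit - idle)         # seconds left before the limit


# Constructed sample data mirroring the values used in the report.
USER = {"uid": "example", "lastLoginTime": "20210101000000Z"}
POLICY = {"accountInactivityLimit": "5184000"}  # 60 days
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    print(inactivity_status(USER, POLICY, NOW))
    print(inactivity_status(USER, None, NOW))
    print(inactivity_status({"uid": "new"}, POLICY, NOW))
```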