Issue 9293 - slapo-ppolicy stores pwdGraceUseTime only with seconds
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: overlays
Version: 2.4.50
Hardware: All All
Importance: --- normal
Target Milestone: 2.5.2
Assignee: Ondřej Kuzník
Reported: 2020-07-16 14:11 UTC by Michael Ströder
Modified: 2021-02-24 18:13 UTC
Description Michael Ströder 2020-07-16 14:11:18 UTC
If the password is expired, slapo-ppolicy can return the number of grace logins for changing one's own password (graceAuthNsRemaining).

slapd derives graceAuthNsRemaining from the number of pwdGraceUseTime values. But those timestamps are only stored with a granularity of a second.

Thus multiple grace logins are possible within a second without decrementing the graceAuthNsRemaining value.

This is unexpected and also leads to absurd work-arounds when writing automated tests like this:

https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py#L210

Either a real Integer counter should be used or fractions of seconds should be used in pwdGraceUseTime values.

This is a problem similar to pwdFailureTime, solved in ITS#7161.
Comment 1 Quanah Gibson-Mount 2021-02-24 18:12:46 UTC
  • a3c49b87 
by Ondřej Kuzník at 2021-02-24T17:03:22+00:00 
ITS#9293 Store microseconds in pwdGraceUseTime
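
The effect described in the report, and the effect of storing microseconds, as an added example (a simplified model written for this page, not slapd or slapo-ppolicy code). It assumes pwdGraceUseTime behaves as a set of distinct values, as LDAP multi-valued attributes do, and uses the ppolicy limit attribute pwdGraceAuthNLimit, which the report does not name; the bind times are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: four binds with an expired password, all inside
# the same wall-clock second (200 ms apart).
BASE = datetime(2020, 7, 16, 14, 11, 18, tzinfo=timezone.utc)
CONSTRUCTED_BINDS = [BASE + timedelta(milliseconds=200 * i) for i in range(4)]


def generalized_time(ts, microseconds):
    """Format a UTC datetime as LDAP GeneralizedTime, with or without a fraction."""
    fmt = "%Y%m%d%H%M%S.%fZ" if microseconds else "%Y%m%d%H%M%SZ"
    return ts.strftime(fmt)


def simulate_grace_logins(bind_times, pwd_grace_authn_limit, microseconds):
    """Model grace-login accounting for a sequence of binds.

    Returns one entry per bind: the graceAuthNsRemaining value reported
    after an accepted grace login, or None when the bind is refused
    because no grace logins are left.
    """
    pwd_grace_use_time = set()  # distinct attribute values only
    reported = []
    for ts in bind_times:
        used = len(pwd_grace_use_time)
        if pwd_grace_authn_limit - used <= 0:
            reported.append(None)  # limit reached, bind refused
            continue
        # Recording the grace login: an identical timestamp string adds
        # no new value, so the count of used logins does not grow.
        pwd_grace_use_time.add(generalized_time(ts, microseconds))
        reported.append(pwd_grace_authn_limit - len(pwd_grace_use_time))
    return reported


if __name__ == "__main__":
    for label, micro in (("seconds", False), ("microseconds", True)):
        result = simulate_grace_logins(CONSTRUCTED_BINDS, 2, micro)
        accepted = sum(r is not None for r in result)
        print(f"{label:>12}: remaining per bind={result}, accepted={accepted}")
```

With a limit of 2, the second-granularity model accepts all four binds and never reports fewer than one remaining grace login, while the microsecond model refuses the third and fourth.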