(ITS#8623) test022-ppolicy can fail due to timing dependency between lockout and expiration tests

[subbarao@computer.org]

Full_Name: Kartik Subbarao
Version: 2.4.44
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (108.52.86.252)


A recent 2.4.44 package build failed on a VM due to the following timing
dependency between the lockout and expiration tests in test022-ppolicy.

The problem is that the password expiration time is 30 seconds, and on slower
VMs, lines 67-91 take more than 30 seconds to execute. This causes the password
to expire by the time the ldapsearch command on line 93 is executed. That
ldapsearch command eats up one of the grace logins that's not supposed to be
consumed until line 106. This causes the grep count on line 124 to be off,
failing the entire script.

A simple improvement would be to change line 91 to "sleep 10" instead of the
current "sleep 20". This would buy 10 more seconds of leeway on slower VMs,
while guaranteeing sufficient delay between lines 67-90 (e.g. 16 seconds, 1
second more than the 15 second lockout time) on fast VMs. A more robust
improvement would be to check how much time has actually elapsed between lines
67-90 and change line 91 to only sleep until 16 total seconds have elapsed since
line 67.

Another suggestion would be to change the "sleep 20" on line 104 to "sleep 15".
That will shave 5 seconds off the build time for everyone, while still
guaranteeing that 31 seconds (e.g. 1 second more than the 30 second expiration
time) will have elapsed between lines 67-106).

A further optimization could be implemented, if desired, by revisiting the test
and reducing all lockout times, expiration times, and other delays to the bare
minimum necessary, which would speed up package build times across the board.