https://bugs.openldap.org/show_bug.cgi?id=9293
Issue ID: 9293
Summary: slapo-ppolicy stores pwdGraceUseTime only with seconds
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: michael@stroeder.com
Target Milestone: ---
If the password is expired, slapo-ppolicy can return the number of grace logins for changing one's own password (graceAuthNsRemaining).
slapd derives graceAuthNsRemaining from the number of pwdGraceUseTime values. But those timestamps are only stored with a granularity of a second.
Thus multiple grace logins are possible within a second without decrementing the graceAuthNsRemaining value.
This is unexpected and also leads to absurd work-arounds when writing automated tests like this:
https://gitlab.com/ae-dir/python-ldap0/-/blob/master/tests/test_ppolicy.py#L...
Either a real Integer counter should be used or fractions of seconds should be used in pwdGraceUseTime values.
This is a problem similar to the pwdFailureTime one solved in ITS#7161.
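
Added illustration (not part of the bug report and not OpenLDAP code): a small Python model of the behaviour reported above, where the remaining grace logins are derived from the number of distinct pwdGraceUseTime values. The Entry class, the simulate() helper, the sample start time and the 100 ms bind spacing are constructed for this example; it assumes attribute values form a set, so an identical timestamp does not add a second value, and uses pwdGraceAuthNLimit as the configured limit.

```python
from datetime import datetime, timedelta, timezone


def generalized_time(ts, fractional):
    """Format ts as LDAP GeneralizedTime, with or without fractional seconds."""
    base = ts.strftime("%Y%m%d%H%M%S")
    return f"{base}.{ts.microsecond:06d}Z" if fractional else base + "Z"


class Entry:
    """Toy user entry (hypothetical model, not slapd's data structures)."""

    def __init__(self, grace_limit, fractional):
        self.grace_limit = grace_limit    # models pwdGraceAuthNLimit
        self.fractional = fractional      # store sub-second timestamps?
        self.pwd_grace_use_time = set()   # attribute values: no duplicates

    def remaining(self):
        # graceAuthNsRemaining is derived from the number of stored values
        return self.grace_limit - len(self.pwd_grace_use_time)

    def grace_bind(self, now):
        """Return graceAuthNsRemaining after the bind, or None if refused."""
        if self.remaining() <= 0:
            return None
        self.pwd_grace_use_time.add(generalized_time(now, self.fractional))
        return self.remaining()


def simulate(fractional, binds=5, limit=3, spacing_ms=100):
    """Run several binds with an expired password inside the same second."""
    entry = Entry(limit, fractional)
    start = datetime(2020, 7, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    return [
        entry.grace_bind(start + timedelta(milliseconds=i * spacing_ms))
        for i in range(binds)
    ]


if __name__ == "__main__":
    # Second granularity: every bind yields the same timestamp value,
    # so the derived counter never drops below limit - 1.
    print("seconds only:", simulate(fractional=False))
    # Fractional seconds: each bind adds a distinct value and the limit holds.
    print("fractional  :", simulate(fractional=True))
```

With second granularity the model reports the same graceAuthNsRemaining for every bind in the burst, which is the kind of condition a test has to work around by spacing binds at least a second apart.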