Closed mrabey closed 1 month ago
I think there is an issue with the locked time. It should be "00000101000000Z".
About the pwdPolicySubentry, I was not able to reproduce this with LAM Pro 8.8.
I suggest upgrading to LAM Pro 8.8, as 7.5 is already multiple years old.
I am using LDAP Account Manager Pro v7.5 on a self-hosted OpenLDAP server. Due to the nature of this multi-tenant environment and that multiple people come and go from teams on a monthly basis, locking specific accounts at the same time is tedious doing it one at a time manually. With that being said, I have written a small shell script that I can execute on the LDAP server itself that uses the ldapsearch and ldapmodify CLI tools in order to affect the underlying LDAP server entries.

Given that, I tested to see what the internal LDAP fields were used for locking an account. When pressing the Lock Account button under the "Password Policy" section of a specific user, I noticed that the pwdAccountLockedTime field was set with a value of 000001010000Z to indicate that it has been locked permanently. That's all well and good, but when I add that field to a user using the ldapmodify file with example contents:

I noticed that the "Password Policy" of that user bob does not reflect what the internal fields look like. Instead of seeing the button state of Unlock Account, I see that the button still states Lock Account. Furthermore, I notice that the Password Policy field in that same screen has been reset to default. While that screen shows incorrect data, the actual internal fields for the user bob still reflect the correct information. The pwdAccountLockedTime exists and is set to 000001010000Z and the pwdPolicySubentry is still the correct DN of cn=lockAcc,ou=pwpolicy,dc=example,dc=com.

So the issue is that the "Password Policy" screen for a user doesn't properly illustrate the internal state of the fields for that LDAP user.
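
The shell functions below are an added example, not code from the post or from LAM: they write ldapmodify change records using the locked-time value named in the reply, and list entries in ldapsearch-style output whose pwdAccountLockedTime differs from it. The user DNs under ou=people and the function names are constructed for illustration, and it is an assumption that the LAM screen looks for exactly the reply's value.

```shell
#!/bin/sh
# Added example. Value taken from the maintainer's reply in this thread;
# assumption: this is the string the LAM "Password Policy" screen looks for.
LAM_LOCKED_TIME="00000101000000Z"

# lock_ldif: read one user DN per line on stdin, write one LDIF change
# record per DN on stdout (suitable as input for ldapmodify).
lock_ldif() {
    while IFS= read -r dn || [ -n "$dn" ]; do
        case "$dn" in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf 'dn: %s\nchangetype: modify\n' "$dn"
        printf 'replace: pwdAccountLockedTime\n'
        printf 'pwdAccountLockedTime: %s\n\n' "$LAM_LOCKED_TIME"
    done
}

# audit_ldif: read ldapsearch-style LDIF on stdin and print "DN VALUE" for
# every entry whose pwdAccountLockedTime differs from LAM_LOCKED_TIME.
# Limitation: folded lines and base64 ("dn::") values are not decoded.
audit_ldif() {
    awk -v want="$LAM_LOCKED_TIME" '
        /^dn: / { dn = substr($0, 5) }
        /^pwdAccountLockedTime: / {
            val = $0
            sub(/^pwdAccountLockedTime: */, "", val)
            if (val != want) print dn " " val
        }'
}

# Constructed sample: two locked entries, one with the 12-digit value from
# the post and one with the 14-digit value from the reply.
sample_ldif() {
    cat <<'EOF'
dn: uid=bob,ou=people,dc=example,dc=com
pwdAccountLockedTime: 000001010000Z
pwdPolicySubentry: cn=lockAcc,ou=pwpolicy,dc=example,dc=com

dn: uid=amy,ou=people,dc=example,dc=com
pwdAccountLockedTime: 00000101000000Z
EOF
}

sample_ldif | audit_ldif                 # lists only bob's entry
printf 'uid=bob,ou=people,dc=example,dc=com\n' | lock_ldif
```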