From 5d2afc232c6f98addb7810e6573f652a02a00f34 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Wed, 4 Dec 2024 15:39:58 -0500
Subject: [PATCH] Issue 6432 - Crash during bind when acct policy plugin does not have "alwaysrecordlogin" set
Description: If alwaysrecordlogin is off then we dereference NULL ptr cfg->login_history_attr when trying to write the history/time value. Instead we should skip over this code if it is not set.
Relates: https://github.com/389ds/389-ds-base/issues/6432
Reviewed by: tbordaz(Thanks!)
---
 .../accpol_check_all_state_attrs_test.py | 77 ++++++++++++++++++-
 ldap/servers/plugins/acctpolicy/acct_plugin.c | 4 +-
 2 files changed, 77 insertions(+), 4 deletions(-)
diff --git a/dirsrvtests/tests/suites/plugins/accpol_check_all_state_attrs_test.py b/dirsrvtests/tests/suites/plugins/accpol_check_all_state_attrs_test.py
index ec518ca7f..96c7a0324 100644
--- a/dirsrvtests/tests/suites/plugins/accpol_check_all_state_attrs_test.py
+++ b/dirsrvtests/tests/suites/plugins/accpol_check_all_state_attrs_test.py
@@ -21,10 +21,11 @@ from lib389._constants import (
 PASSWORD,
 PLUGIN_ACCT_POLICY,
 )
-from lib389.idm.user import (UserAccount, UserAccounts)
+from lib389.idm.user import (UserAccount)
 from lib389.plugins import (AccountPolicyPlugin, AccountPolicyConfig)
+from lib389.cos import (CosTemplate, CosPointerDefinition)
 from lib389.idm.domain import Domain
-from datetime import datetime, timedelta
+
 log = logging.getLogger(__name__)
@@ -131,9 +132,79 @@ def test_inactivty_and_expiration(topo):
 test_user.bind(NEW_PASSWORD)
+def test_alwaysrecordlogin_off(topo):
+ """Test the server does not crash when alwaysrecordlogin is "off"
+
+ :id: 49eb0993-ee59-48a9-8324-fb965b202ba9
+ :setup: Standalone Instance
+ :steps:
+ 1. Create test user
+ 2. Configure account policy, COS, and restart
+ 3. Bind as test user
+ :expectedresults:
+ 1. Success
+ 2. Success
+ 3. Success
+ """
+
+ LOCAL_POLICY = 'cn=Account Inactivation Policy,dc=example,dc=com'
+ TEMPL_COS = 'cn=TempltCoS,ou=people,dc=example,dc=com'
+ DEFIN_COS = 'cn=DefnCoS,ou=people,dc=example,dc=com'
+ TEST_USER_NAME = 'crash'
+ TEST_USER_DN = f'uid={TEST_USER_NAME},ou=people,{DEFAULT_SUFFIX}'
+
+ inst = topo.standalone
+
+ # Create the test user
+ test_user = UserAccount(inst, TEST_USER_DN)
+ test_user.create(properties={
+ 'uid': TEST_USER_NAME,
+ 'cn': TEST_USER_NAME,
+ 'sn': TEST_USER_NAME,
+ 'userPassword': PASSWORD,
+ 'uidNumber': '1000',
+ 'gidNumber': '2000',
+ 'homeDirectory': '/home/crash',
+ })
+
+ # Configure account policy plugin
+ plugin = AccountPolicyPlugin(inst)
+ plugin.enable()
+ plugin.set('nsslapd-pluginarg0', ACCP_CONF)
+ accp = AccountPolicyConfig(inst, dn=ACCP_CONF)
+ accp.set('alwaysrecordlogin', 'no')
+ accp.set('stateattrname', 'lastLoginTime')
+ accp.set('altstateattrname', 'passwordexpirationtime')
+ accp.set('specattrname', 'acctPolicySubentry')
+ accp.set('limitattrname', 'accountInactivityLimit')
+ accp.set('accountInactivityLimit', '123456')
+ accp.set('checkAllStateAttrs', 'on')
+ inst.restart()
+ # Local policy
+ laccp = AccountPolicyConfig(inst, dn=LOCAL_POLICY)
+ laccp.create(properties={
+ 'cn': 'Account Inactivation Policy',
+ 'accountInactivityLimit': '12312321'
+ })
+ # COS
+ cos_template = CosTemplate(inst, dn=TEMPL_COS)
+ cos_template.create(properties={'cn': 'TempltCoS',
+ 'acctPolicySubentry': LOCAL_POLICY})
+ cos_def = CosPointerDefinition(inst, dn=DEFIN_COS)
+ cos_def.create(properties={
+ 'cn': 'DefnCoS',
+ 'cosTemplateDn': TEMPL_COS,
+ 'cosAttribute': 'acctPolicySubentry default operational-default'})
+ inst.restart()
+
+ # Bind as test user to make sure the server does not crash
+ conn = test_user.bind(PASSWORD)
+ test_user = UserAccount(conn, TEST_USER_DN)
+ test_user.bind(PASSWORD)
+
+
 if __name__ == '__main__':
 # Run isolated
 # -s for DEBUG mode
 CURRENT_FILE = os.path.realpath(__file__)
 pytest.main(["-s", CURRENT_FILE])
-
diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
index ba9705f74..220d0f6b2 100644
--- a/ldap/servers/plugins/acctpolicy/acct_plugin.c
+++ b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -372,7 +372,9 @@ acct_record_login(const char *dn)
 "acct_record_login - Recorded %s=%s on \"%s\"\n", cfg->always_record_login_attr, timestr, dn);
 /* update login history */
- acct_update_login_history(dn, timestr);
+ if (cfg->login_history_attr) {
+ acct_update_login_history(dn, timestr);
+ }
 }
 done:
--
2.48.1
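Review bot: In `test_alwaysrecordlogin_off` the only thing that would detect a crash is the second `test_user.bind(PASSWORD)`, and nothing in the test says so or checks server state directly. If the NULL dereference happens after the first bind's result has already been returned (an assumption; the ordering is not visible in this patch), a regression would surface only as a connection error on that second bind. I would add a comment such as `# the second bind fails if the first one crashed the server` and an explicit liveness check after the binds, e.g. `assert inst.status()`. Separately, `LOCAL_POLICY`, `TEMPL_COS` and `DEFIN_COS` hard-code `dc=example,dc=com` while `TEST_USER_DN` is built from `DEFAULT_SUFFIX`; deriving all four from `DEFAULT_SUFFIX` keeps them consistent if the suffix ever changes.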
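Review bot: The NULL check on `cfg->login_history_attr` is added only at this call site in `acct_record_login`, so `acct_update_login_history` still depends on every caller checking first. Its body is not visible in this hunk, but if it reads `cfg->login_history_attr` unconditionally, an early return inside it for the unset case would stop the same bind-time crash from returning through another caller. A short comment on the new guard would also help, for example `/* login_history_attr may be NULL (see issue 6432); skip the history update */`. `acct_record_login` starts and ends outside the hunk, so whether `cfg` itself can be NULL here cannot be confirmed from these lines.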