Bug 1084304

Summary: [RFE] Support IdM user password change operation in the compat tree
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: slapi-nisAssignee: Alexander Bokovoy <abokovoy>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: dpal, enewland, ksiddiqu, nalin, sumenon
Target Milestone: rcKeywords: FutureFeature, Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: slapi-nis-0.56.0-3.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 07:04:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1084018    

Description Martin Kosek 2014-04-04 06:40:48 UTC 
Description of problem:

FreeIPA uses slapi-nis compat tree so that the legacy hosts (without recent SSSD) can be configured to use LDAP authentication to authenticate IPA or AD users from trusted AD domains:

​http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts

Password change should work both for IPA clients and AD clients. As we have enough attributes in the synthesized entry to distinguish IPA user from an AD user, we can try to add password modify callback that uses PAM stack. It doesn't need pam_passthru.

Upstream ticket:
https://fedorahosted.org/slapi-nis/ticket/4
Comment 2 RHEL Program Management 2014-04-12 05:47:30 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 5 Alexander Bokovoy 2016-07-21 12:37:16 UTC 
This bug is fixed in slapi-nis 0.56.0. The rebase to slapi-nis 0.56.0 is tracked with bug #1292148.
Comment 6 Martin Kosek 2016-07-21 13:26:01 UTC 
Alexander, while you are right that this will be delivered with the rebase, it is an RFE that needs to go through the full Bug life-cycle, including a QE verification.

Moving to MODIFIED.
Comment 10 Sudhir Menon 2016-08-17 18:42:37 UTC 
Tested on RHEL7.3 using 

ipa-server-4.4.0-7.el7.x86_64
sssd-1.14.0-18.el7.x86_64

1. Without password set for ipa user
[root@ipaserver abrt]# ldappasswd -D uid=john,cn=users,cn=compat,dc=redlabs,dc=qe -W
Enter LDAP Password: 
ldap_bind: Inappropriate authentication (48)

2. With password set and user disabled in IPA
[root@ipaserver abrt]# ipa passwd john
New Password: 
Enter New Password again to verify: 
--------------------------------------
Changed password for "john"

[root@ipaserver abrt]# ipa user-disable john
----------------------------
Disabled user account "john"
----------------------------
[root@ipaserver abrt]# ldappasswd -D uid=john,cn=users,cn=compat,dc=redlabs,dc=qe -W
Enter LDAP Password: 
ldap_bind: Server is unwilling to perform (53)
additional info: Account inactivated. Contact system administrator.

3. Change admin password for IPA
[root@ipaserver abrt]# ldappasswd -D uid=admin,cn=users,cn=compat,dc=redlabs,dc=qe -W -s **** -a ****
Enter LDAP Password: 
Result: Success (0)

3.a Trying to change password immediately for admin user
[root@ipaserver abrt]# ldappasswd -D uid=admin,cn=users,cn=compat,dc=redlabs,dc=qe -W -a Secret123 -s Direct123 -vvv
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
Result: Constraint violation (19)
Additional info: Too soon to change password
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MIQAAAADgQEH
ppolicy: error=7 (Password has been changed too recently)

4. Invalid ipa user
[root@ipaserver abrt]# ldappasswd -D uid=joe,cn=users,cn=compat,dc=redlabs,dc=qe -W 
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

5. valid ipa user
[root@ipaserver abrt]# ldappasswd -D uid=john,cn=users,cn=compat,dc=redlabs,dc=qe -W -a test_123 -s test_123 -vv
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
Result: Success (0)

5.a Change password immediately for ipa user.
[root@ipaserver abrt]# ldappasswd -D uid=john,cn=users,cn=compat,dc=redlabs,dc=qe -W -a test_123 -s test_123 -vvv
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
Result: Constraint violation (19)
Additional info: Too soon to change password
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MIQAAAADgQEH
ppolicy: error=7 (Password has been changed too recently)

6. With Ad trusted user.
[root@ipaserver abrt]# ldapsearch -x -LLL '(&(objectclass=posixaccount)(uid=sudhir))'
dn: uid=sudhir,cn=users,cn=compat,dc=redlabs,dc=qe
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: sudhir
gidNumber: 558001482
gecos: sudhir
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0zOTEyNzE5NTIxLTE5Njc1OTAzNjAtMTEzNjIyNjUyNC
 0xNDgy
uidNumber: 558001482
homeDirectory: /home/pne.qe/sudhir
uid: sudhir

[root@ipaserver abrt]# ldappasswd -D uid=sudhir,cn=users,cn=compat,dc=redlabs,dc=qe -W
Enter LDAP Password: 
Result: Server is unwilling to perform (53)
Additional info: PasswdModify Request empty.

Note: ldappasswd changes for AD users is not supported.
Comment 12 errata-xmlrpc 2016-11-04 07:04:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2471.html