Bug 1104074
| Summary: | [AAA] RHEVM does not sync automatically IPA user password incase of password change | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | pagupta |
| Component: | ovirt-engine-extension-aaa-ldap | Assignee: | Alon Bar-Lev <alonbl> |
| Status: | CLOSED ERRATA | QA Contact: | Ondra Machacek <omachace> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.3.0 | CC: | alonbl, bazulay, iheim, lpeer, oourfali, pagupta, rbalakri, Rhev-m-bugs, sherold, yeylon, yzaslavs |
| Target Milestone: | --- | | |
| Target Release: | 3.5.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | infra | | |
| Fixed In Version: | ovirt-engine-3.5.0_rc1 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-02-11 18:12:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1063095, 1142923, 1156165 | | |
Description
pagupta
2014-06-03 08:52:16 UTC
In 3.4 you can set using manage-domains a URL to change the password in case expired but I understand this is not exactly the case here. In addition we currently don't support that, Alon - what are your thoughts here?

The new LDAP provider will encourage not using kerberos as authentication phase, hence this problem will not exist.

This bug will not happen if we use ldap bind in order to authenticate, I am closing this as part of the new ldap implementation.

(In reply to Alon Bar-Lev from comment #8)
> This bug will not happen if we use ldap bind in order to authenticate, I am
> closing this as part of the new ldap implementation.

If I understand this bz correctly, it's about changing password in runtime, without engine restart.

When using ldap bind, the old password from config is still used.
How can ldap bind help here? User still has to change password and restart engine.

(In reply to Ondra Machacek from comment #10)
> (In reply to Alon Bar-Lev from comment #8)
> > This bug will not happen if we use ldap bind in order to authenticate, I am
> > closing this as part of the new ldap implementation.
>
> If I understand this bz correctly, it's about changing password in runtime,
> without engine restart.
>
> When using ldap bind, the old password from config is still used.
> How can ldap bind help here? User still has to change password and restart
> engine.

As far as I understand the bug is about the end-user password, not the search user.

But for such use case is sign-out / sign-in with new password enough.

(In reply to Ondra Machacek from comment #12)
> But for such use case is sign-out / sign-in with new password enough.

Right. In the past (3.3) the user that used for search was the user that used for login, so I suspect something was wrong in this regard. In >=3.4 and especially with the new ldap provider (as it does not use kerberos at all) this will not happen.

Hi Pankaj, is this bugzilla about search user or end user? Thanks.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0174.html