Bug 1784657

Summary: Unlock user accounts after a password reset and replicate that unlock to all IdM servers
Product: Red Hat Enterprise Linux 8 Reporter: Greg Scott <gscott>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: high Docs Contact:
Priority: high    
Version: 8.0CC: amore, asanders, asn, dpal, fcami, ndehadra, pasik, pcech, rcritten, rharwood, ssidhaye, tbordaz, tscherf, twoerner
Target Milestone: rcKeywords: TestCaseProvided, Triaged
Target Release: 8.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: ipa-4.9.0-0.1.rc1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:47:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Greg Scott 2019-12-17 23:44:52 UTC 
Description of problem:

When resetting a password on a locked account. We need to go to each LDAP/IDM server and manually unlock the accounts. Resetting the password on a locked account should also unlock it on any LDAP/IDM servers that may be locked. Resetting the password and creating/deleting new accounts is replicated. Unlocking the account after a password reset should also replicate.


Version-Release number of selected component (if applicable):

RHEL 7, RHEL 8

How reproducible:
At will

Steps to Reproduce:
1. Reset the password on a locked user account.
2.
3.

Actual results:
Visit every single IdM server, find the servers where the account is locked, and unlock that account by hand.

Expected results:
Resetting a password should also unlock the account in all authentication servers in the domain.

Additional info:
Comment 13 Rob Crittenden 2020-10-21 21:24:51 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8551
Comment 16 Rob Crittenden 2020-11-18 21:17:10 UTC 
Fixed upstream
master:
3ab3578b36bc7b8ce777e38ba764649d1b684ce5
ca6fc689ba92ee2db6945f37429ee7fe8d75a4b6

ipa-4-8:
69b1a5fc04357d1771c527444e9ba064759afb65
015e2262766f8f5039b8781c5b43e26d1a9cf5a1
Comment 19 anuja 2020-12-09 08:52:33 UTC 
Using :
2020-12-09T08:12:29+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2020-12-09T08:12:29+0000   msg:
2020-12-09T08:12:29+0000   - arch: x86_64
2020-12-09T08:12:29+0000     epoch: null
2020-12-09T08:12:29+0000     name: ipa-server
2020-12-09T08:12:29+0000     release: 0.3.rc2.module+el8.4.0+9015+e4c6695a
2020-12-09T08:12:29+0000     source: rpm
2020-12-09T08:12:29+0000     version: 4.9.0

test_integration/test_commands.py::TestIPACommand::test_reset_password_unlock PASSED [ 94%]

Test test_integration/test_commands.py::TestIPACommand::test_reset_password_unlock is passing.
Attached the logs for the reference.
Marking verified:tested
Comment 22 anuja 2020-12-17 06:58:04 UTC 
Verified Using Version :
2020-12-17T06:03:07+0000   - arch: x86_64
2020-12-17T06:03:07+0000     epoch: null
2020-12-17T06:03:07+0000     name: ipa-server
2020-12-17T06:03:07+0000     release: 0.5.rc3.module+el8.4.0+9124+ced20601
2020-12-17T06:03:07+0000     source: rpm
2020-12-17T06:03:07+0000     version: 4.9.0
Adding test console logs:

test_integration/test_commands.py::TestIPACommand::test_aes_sha_kerberos_enctypes PASSED [  2%]
test_integration/test_commands.py::TestIPACommand::test_certmap_match_issue7520 PASSED [  5%]
test_integration/test_commands.py::TestIPACommand::test_cert_find_issue7520 PASSED [  8%]
test_integration/test_commands.py::TestIPACommand::test_add_permission_failure_issue5923 PASSED [ 11%]
test_integration/test_commands.py::TestIPACommand::test_change_sysaccount_password_issue7561 PASSED [ 14%]
test_integration/test_commands.py::TestIPACommand::test_ldapmodify_password_issue7601 PASSED [ 17%]
test_integration/test_commands.py::TestIPACommand::test_change_sysaccount_pwd_history_issue7181 PASSED [ 20%]
test_integration/test_commands.py::TestIPACommand::test_change_user_pwd_history_issue7181 PASSED [ 22%]
test_integration/test_commands.py::TestIPACommand::test_dm_change_user_pwd_history_issue7181 PASSED [ 25%]
test_integration/test_commands.py::TestIPACommand::test_huge_password PASSED [ 28%]
test_integration/test_commands.py::TestIPACommand::test_cleartext_password_httpd_log PASSED [ 31%]
test_integration/test_commands.py::TestIPACommand::test_change_selinuxusermaporder PASSED [ 34%]
test_integration/test_commands.py::TestIPACommand::test_ipa_console PASSED [ 37%]
test_integration/test_commands.py::TestIPACommand::test_list_help_topics PASSED [ 40%]
test_integration/test_commands.py::TestIPACommand::test_ssh_key_connection PASSED [ 42%]
test_integration/test_commands.py::TestIPACommand::test_ssh_leak PASSED  [ 45%]
test_integration/test_commands.py::TestIPACommand::test_certificate_out_write_to_file PASSED [ 48%]
test_integration/test_commands.py::TestIPACommand::test_sssd_ifp_access_ipaapi PASSED [ 51%]
test_integration/test_commands.py::TestIPACommand::test_ipa_cacert_manage_install PASSED [ 54%]
test_integration/test_commands.py::TestIPACommand::test_hbac_systemd_user PASSED [ 57%]
test_integration/test_commands.py::TestIPACommand::test_config_show_configured_services PASSED [ 60%]
test_integration/test_commands.py::TestIPACommand::test_ssh_from_controller PASSED [ 62%]
test_integration/test_commands.py::TestIPACommand::test_user_mod_change_capitalization_issue5879 PASSED [ 65%]
test_integration/test_commands.py::TestIPACommand::test_enabled_tls_protocols PASSED [ 68%]
test_integration/test_commands.py::TestIPACommand::test_sss_ssh_authorizedkeys PASSED [ 71%]
test_integration/test_commands.py::TestIPACommand::test_cacert_manage PASSED [ 74%]
test_integration/test_commands.py::TestIPACommand::test_ipa_adtrust_install_with_locale_issue8066 PASSED [ 77%]
test_integration/test_commands.py::TestIPACommand::test_login_wrong_password PASSED [ 80%]
test_integration/test_commands.py::TestIPACommand::test_ipa_nis_manage_enable PASSED [ 82%]
test_integration/test_commands.py::TestIPACommand::test_ipa_nis_manage_disable PASSED [ 85%]
test_integration/test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password PASSED [ 88%]
test_integration/test_commands.py::TestIPACommand::test_pkispawn_log_is_present PASSED [ 91%]
test_integration/test_commands.py::TestIPACommand::test_reset_password_unlock PASSED [ 94%]
test_integration/test_commands.py::TestIPACommand::test_certupdate_no_schema PASSED [ 97%]


Test test_integration/test_commands.py::TestIPACommand::test_reset_password_unlock is passing.
Based on this marking verified.
Comment 25 errata-xmlrpc 2021-05-18 15:47:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846