Bug 2139467

Summary: [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
Product: Red Hat Enterprise Linux 8
Reporter: Anton Bobrov <abobrov>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: VERIFIED
QA Contact: Anuj Borah <aborah>
Severity: medium
Priority: medium
Version: 8.6
CC: aboscatt, atikhono, chorn, oliver, pbrezina, pkettman, sbose, sgadekar
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.9.1-1.el8
Doc Type: If docs needed, set a value
Type: Bug

Description Anton Bobrov 2022-11-02 15:57:25 UTC
Description of problem:

When the LDAP password expires and the account is locked without grace as per the LDAP password policy, SSSD would erroneously attempt an LDAP password modify extended operation on a connection where the BIND operation has previously failed (due to the described password policy state).

(2022-11-01 12:13:33): [be[test.com]] [simple_bind_send] (0x0100): [RID#54262] Executing simple bind as: uid=ipresovs,ou=people,dc=test,dc=com
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password Policy Response: expire [-1] grace [-1] error [Password expired].
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password expired user must set a new password.
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password expired user must set a new password.
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x0400): [RID#54262] Bind result: Invalid credentials(49), password expired!
(2022-11-01 12:13:33): [be[test.com]] [sdap_pam_chpass_handler_auth_done] (0x1000): [RID#54262] user [uid=ipresovs,ou=people,dc=test,dc=com] successfully authenticated.
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_send] (0x0100): [RID#54262] Executing extended operation
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_done] (0x0200): [RID#54262] Server returned no controls.
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_done] (0x0080): [RID#54262] ldap_extended_operation result: Insufficient access(50), Anonymous Binds are not allowed.

Version-Release number of selected component (if applicable):

sssd-2.6.2-4.el8_6.1.x86_64

Expected results:

SSSD should not try the LDAP password modify extended operation after a BIND failure, because it is essentially issuing that operation as an anonymous LDAP user.

It should instead provide a meaningful error message indicating that the password has expired and the account is locked and needs to be reset by a privileged LDAP user.
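
To check whether a host's own sssd debug log shows the sequence described in this report, the following added example (not part of the bug report and not sssd's code) correlates the [be[...]] messages by RID and flags every request in which an [sdap_exop_modify_passwd_send] follows a non-zero bind result, i.e. a password-modify exop issued on a connection that is still anonymous. The log text is constructed: RID#54262 reproduces the lines quoted above, and RID#54263 is a made-up healthy case (expired password, grace logins left, bind succeeds). The class, function and regex names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sssd debug-log sample (assumption: debug_level high enough to
# emit [simple_bind_done] and [sdap_exop_modify_passwd_*] messages).
# RID#54262 is the sequence from the bug report; RID#54263 is made up and
# shows the legitimate path (bind rc 0 with grace logins remaining).
SAMPLE_LOG = """\
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_send] (0x0100): [RID#54262] Executing simple bind as: uid=ipresovs,ou=people,dc=test,dc=com
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password Policy Response: expire [-1] grace [-1] error [Password expired].
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password expired user must set a new password.
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x0400): [RID#54262] Bind result: Invalid credentials(49), password expired!
(2022-11-01 12:13:33): [be[test.com]] [sdap_pam_chpass_handler_auth_done] (0x1000): [RID#54262] user [uid=ipresovs,ou=people,dc=test,dc=com] successfully authenticated.
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_send] (0x0100): [RID#54262] Executing extended operation
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_done] (0x0200): [RID#54262] Server returned no controls.
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_done] (0x0080): [RID#54262] ldap_extended_operation result: Insufficient access(50), Anonymous Binds are not allowed.
(2022-11-01 12:14:05): [be[test.com]] [simple_bind_send] (0x0100): [RID#54263] Executing simple bind as: uid=jdoe,ou=people,dc=test,dc=com
(2022-11-01 12:14:05): [be[test.com]] [simple_bind_done] (0x1000): [RID#54263] Password Policy Response: expire [-1] grace [2] error [No error].
(2022-11-01 12:14:05): [be[test.com]] [simple_bind_done] (0x0400): [RID#54263] Bind result: Success(0), no errmsg set
(2022-11-01 12:14:05): [be[test.com]] [sdap_exop_modify_passwd_send] (0x0100): [RID#54263] Executing extended operation
"""

# One be[] line: function name, debug level, request id, free-text message.
LINE_RE = re.compile(
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
BIND_AS_RE = re.compile(r"Executing simple bind as: (?P<dn>\S+)")
PPOLICY_RE = re.compile(
    r"Password Policy Response: expire \[(?P<expire>-?\d+)\] grace \[(?P<grace>-?\d+)\] error \[(?P<error>[^\]]*)\]"
)
BIND_RESULT_RE = re.compile(r"Bind result: (?P<name>[^(]+)\((?P<rc>\d+)\)")
EXOP_RESULT_RE = re.compile(r"ldap_extended_operation result: (?P<result>.*)$")


@dataclass
class ChpassRequest:
    """State extracted for one RID: who bound, what ppolicy said, what followed."""
    rid: str
    bind_dn: Optional[str] = None
    expire: Optional[int] = None
    grace: Optional[int] = None
    ppolicy_error: Optional[str] = None
    bind_rc: Optional[int] = None
    exop_sent_after_failed_bind: bool = False
    exop_result: Optional[str] = None

    def describe(self) -> str:
        """Human-readable verdict for a flagged request."""
        grace_txt = ("no grace logins reported" if self.grace is None or self.grace < 0
                     else f"{self.grace} grace login(s) left")
        return (f"RID#{self.rid}: bind as {self.bind_dn} failed with rc={self.bind_rc}"
                f" ({self.ppolicy_error}; {grace_txt}) but a password-modify exop was"
                f" still sent on the unbound connection; server said: {self.exop_result}")


def parse_requests(log_text: str) -> Dict[str, ChpassRequest]:
    """Correlate be[] log lines by RID and track the bind -> exop sequence."""
    reqs: Dict[str, ChpassRequest] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        func, rid, msg = m["func"], m["rid"], m["msg"]
        req = reqs.setdefault(rid, ChpassRequest(rid=rid))
        if func == "simple_bind_send" and (b := BIND_AS_RE.search(msg)):
            req.bind_dn = b["dn"]
        elif func == "simple_bind_done":
            if p := PPOLICY_RE.search(msg):
                req.expire, req.grace = int(p["expire"]), int(p["grace"])
                req.ppolicy_error = p["error"]
            elif r := BIND_RESULT_RE.search(msg):
                req.bind_rc = int(r["rc"])
        elif func == "sdap_exop_modify_passwd_send":
            # The exop is only legitimate after a successful bind (rc 0). A non-zero
            # rc seen earlier in this RID means the exop goes out anonymously.
            # An RID with no bind result at all is not flagged (truncated log).
            if req.bind_rc is not None and req.bind_rc != 0:
                req.exop_sent_after_failed_bind = True
        elif func == "sdap_exop_modify_passwd_done" and (e := EXOP_RESULT_RE.search(msg)):
            req.exop_result = e["result"]
    return reqs


def find_anonymous_chpass_attempts(log_text: str) -> List[ChpassRequest]:
    """Return the requests where the password-modify exop followed a failed bind."""
    return [r for r in parse_requests(log_text).values() if r.exop_sent_after_failed_bind]


if __name__ == "__main__":
    for finding in find_anonymous_chpass_attempts(SAMPLE_LOG):
        print(finding.describe())
```

Run it against a real sssd domain log (`sssd_<domain>.log`) by passing the file contents to `find_anonymous_chpass_attempts`; on an unfixed build a hit looks exactly like RID#54262, while a fixed build should never emit [sdap_exop_modify_passwd_send] after a non-zero bind result. The correlation key is the RID rather than line adjacency because sssd interleaves requests in the log.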

Comment 5 Alexey Tikhonov 2023-06-07 16:04:43 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6769

Comment 6 Alexey Tikhonov 2023-06-19 18:43:24 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6769

* `master`
    * d99aa97dae7236fd056e21ea3d48997edf1b9823 - ldap: return failure if there are no grace logins left
* `sssd-2-9`
    * 895d194f3869ee7fa633fca51163afd2cea513c7 - ldap: return failure if there are no grace logins left