Bug 2166425

Summary: Anonymous bind for password reset is broken after CVE-2022-0996
Product: Red Hat Enterprise Linux 7
Reporter: Chance Callahan <ccallaha>
Component: 389-ds-base
Assignee: Simon Pichugin <spichugi>
Status: CLOSED WORKSFORME
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: medium
Priority: unspecified
Version: 7.9
CC: andrew.mcdonald, idm-ds-dev-bugs, mreynolds, spichugi, vashirov
Target Milestone: rc
Keywords: Triaged
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Doc Type: If docs needed, set a value
Last Closed: 2023-06-30 15:59:16 UTC
Type: Bug

Description Chance Callahan 2023-02-01 19:32:13 UTC
Description of problem:

After the patch was released for CVE-2022-0996, anonymously binding to reset a password is broken.

Version-Release number of selected component (if applicable):

389-ds-base-1.3.10.2-16.el7_9.x86_64

How reproducible:

Customer is able to reproduce.

Actual results:

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user jdoe.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Anonymous Binds are not allowed.

Expected results:

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user jdoe.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Additional info:

Other associated logs on 389ds server:
---
[31/Jan/2023:16:01:50.153878056 +0000] - DEBUG - NS7bitAttr - preop_modify - MODIFY begin
[31/Jan/2023:16:01:50.154051469 +0000] - DEBUG - passwd_modify_extop - Received extended operation request with OID 1.3.6.1.4.1.4203.1.11.1
[31/Jan/2023:16:01:50.154084267 +0000] - DEBUG - passwd_modify_extop - Password Modify extended operation request confirmed.
[31/Jan/2023:16:01:50.154110386 +0000] - DEBUG - passwd_modify_extop - Anonymous Binds are not allowed.
---

On the host:
---
(2023-01-31 18:14:47): [be[my.domain]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), password expired!
(2023-01-31 18:14:47): [be[my.domain]] [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation
(2023-01-31 18:14:47): [be[my.domain]] [sdap_exop_modify_passwd_done] (0x0200): Server returned no controls.
(2023-01-31 18:14:47): [be[my.domain]] [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation result: Insufficient access(50), Anonymous Binds are not allowed.
---
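Added example, not part of the report or of 389-ds-base/SSSD: a small triage script that parses SSSD backend log lines of the shape quoted above and flags the failure signature this bug produces, a password-expired simple bind (result 49) followed in the same backend by the password-modify extended operation being refused with "Anonymous Binds are not allowed" (result 50). The sample log text is constructed from the lines in the report; the line layout it assumes is the `(timestamp): [be[domain]] [function] (0xlevel): message` form shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the SSSD backend log lines quoted in the report.
SSSD_LOG = """\
(2023-01-31 18:14:47): [be[my.domain]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), password expired!
(2023-01-31 18:14:47): [be[my.domain]] [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation
(2023-01-31 18:14:47): [be[my.domain]] [sdap_exop_modify_passwd_done] (0x0200): Server returned no controls.
(2023-01-31 18:14:47): [be[my.domain]] [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation result: Insufficient access(50), Anonymous Binds are not allowed.
"""

# Assumed line layout: (ts): [be[domain]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# LDAP result codes appear in the message as "Name(NN)", e.g. "Invalid credentials(49)".
RESULT_RE = re.compile(r"[A-Za-z ]+\((?P<code>\d+)\)")

@dataclass
class Finding:
    domain: str
    bind_ts: str   # when the expired-password bind failed
    exop_ts: str   # when the password-modify exop was refused
    exop_code: int
    msg: str

def parse_line(line):
    """Split one SSSD backend log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["level"] = int(ev["level"], 16)
    r = RESULT_RE.search(ev["msg"])
    ev["code"] = int(r.group("code")) if r else None
    return ev

def find_expired_reset_denials(text):
    """Return one Finding per (expired bind -> refused password-modify exop) sequence."""
    pending = {}   # domain -> timestamp of the last password-expired bind failure
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["func"] == "simple_bind_done" and ev["code"] == 49 and "password expired" in ev["msg"]:
            pending[ev["domain"]] = ev["ts"]
        elif (ev["func"] == "sdap_exop_modify_passwd_done" and ev["code"] == 50
              and "Anonymous Binds are not allowed" in ev["msg"] and ev["domain"] in pending):
            findings.append(Finding(ev["domain"], pending.pop(ev["domain"]), ev["ts"], 50, ev["msg"]))
    return findings
```

Run it over a real `sssd_<domain>.log` captured at debug level to confirm whether a reported password-change failure is this sequence rather than an ordinary credential error.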