Bug 2216872

Summary: User authentication failing on OTP validation using multiple tokens, succeeds with password only

Product: Red Hat Enterprise Linux 9
Component: ipa
Version: 9.1
Hardware: s390x
OS: Linux
Status: VERIFIED
Severity: high
Priority: urgent
Target Milestone: rc
Keywords: Triaged, ZStream
Type: Bug
Fixed In Version: ipa-4.10.2-2.el9
Clones: 2218293, 2223556
Bug Blocks: 2218293, 2223556

Reporter: Marco Rhodes <mrhodes>
Assignee: Florence Blanc-Renaud <frenaud>
QA Contact: anuja <amore>
CC: amore, dshaikh, gkaihoro, jobuckle, jverreng, mjurasek, msauton, rcritten, tmihinto, tscherf, vvanhaft

Comment 1 Florence Blanc-Renaud 2023-06-26 15:49:51 UTC
The issue can be reproduced with s390x arch but not with x86_64.

The ipa-pwd-extop plugin exits too early, considering that it should not handle the operation. The relevant code is in https://github.com/freeipa/freeipa/blob/f1ed46eb93bcb5bc87783dc3daad72faffc7c6af/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c#L1448-L1458:
----- 8< -----
    ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn);
    ret |= slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
    ret |= slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &credentials);
    if (ret) {
        LOG_FATAL("slapi_pblock_get failed!?\n");
        return 0;
    }
    /* We're only interested in simple authentication. */
    if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0)
        return 0;                                                              <<< Early exit

    ...
    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq))      <<< Processing of OTP bind
        goto invalid_creds;

----- 8< -----

With the s390x arch, the debugger shows that method = 0, which makes the plugin exit early without processing the OTP part.
With the x86_64 arch, the debugger shows that method = 128, which corresponds to LDAP_AUTH_SIMPLE, defined in /usr/include/ldap.h:
#define LDAP_AUTH_SIMPLE ((ber_tag_t) 0x80U) /* context specific + primitive */
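
The width and byte-order mismatch behind the two debugger readings above, as an added example that is not FreeIPA or 389-ds code. It assumes ber_tag_t is an 8-byte unsigned long (true on LP64 x86_64 and s390x, modeled here as uint64_t), models the pblock getter as a plain 8-byte store through the caller's pointer (demo_get_bind_method is a stand-in, not the 389-ds API), takes 0x80 for LDAP_AUTH_SIMPLE from the header quoted above, and models the repair as receiving the value in a ber_tag_t-sized variable, which is the shape comment 5 points at, not a claim about the exact upstream diff. When the caller reserves only an int, the 8-byte store lands in memory in the machine's byte order and the int sees the first four bytes: 0x80 on little-endian x86_64, 0 on big-endian s390x, so the `method != LDAP_AUTH_SIMPLE` guard fires and the bind falls through to the password-only check.

```c
/*
 * Added example (not FreeIPA or 389-ds code): why `int method` reads back
 * as 0 on big-endian s390x but as 128 on little-endian x86_64 when the
 * pblock getter stores a full ber_tag_t through the caller's pointer.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value from /usr/include/ldap.h, as quoted in the bug comment. */
#define DEMO_LDAP_AUTH_SIMPLE 0x80U

/* Assumption: ber_tag_t is `unsigned long`, 8 bytes on LP64 targets such as
 * x86_64 and s390x. A fixed-width type keeps the demo deterministic. */
typedef uint64_t demo_ber_tag_t;

/* Stand-in for slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method): like the
 * real getter it writes a whole ber_tag_t through a void pointer and cannot
 * know that the caller only reserved an int. */
static void demo_get_bind_method(void *value)
{
    demo_ber_tag_t pb_bind_method = DEMO_LDAP_AUTH_SIMPLE;
    memcpy(value, &pb_bind_method, sizeof pb_bind_method);
}

/* Byte offset `i` of an n-byte integer image for the given byte order. */
static unsigned shift_for(size_t i, size_t n, int big_endian)
{
    return (unsigned)((big_endian ? n - 1 - i : i) * 8);
}

/* What the buggy caller's `int` holds on a machine of the given byte order:
 * the 8 stored bytes are laid out as that machine writes them, and the int
 * occupies the first four of them, decoded in the same byte order. */
int32_t buggy_method_value(int big_endian)
{
    demo_ber_tag_t stored = DEMO_LDAP_AUTH_SIMPLE;
    uint8_t mem[sizeof stored];
    for (size_t i = 0; i < sizeof stored; i++)
        mem[i] = (uint8_t)(stored >> shift_for(i, sizeof stored, big_endian));

    uint32_t as_int = 0;
    for (size_t i = 0; i < sizeof as_int; i++)
        as_int |= (uint32_t)mem[i] << shift_for(i, sizeof as_int, big_endian);
    return (int32_t)as_int;
}

/* The prepost.c guard applied to the value the buggy int sees: returns 1
 * when ipa-pwd-extop would return early, leaving the bind to the plain
 * password check and never reaching ipapwd_pre_bind_otp(). */
int buggy_skips_otp(int big_endian)
{
    return buggy_method_value(big_endian) != (int32_t)DEMO_LDAP_AUTH_SIMPLE;
}

/* The same mismatch exercised for real on this host: the union reserves the
 * full 8 bytes so the oversized store stays in bounds, and `method` is read
 * back as the int the original code declared. */
int host_method_as_int(void)
{
    union { int method; demo_ber_tag_t room; } u = { .room = 0 };
    demo_get_bind_method(&u.room);
    return u.method;
}

/* Receiving the value in a ber_tag_t-sized variable removes the width and
 * byte-order dependence (modeled repair, not the exact upstream diff). */
int fixed_method_is_simple(void)
{
    demo_ber_tag_t method;
    demo_get_bind_method(&method);
    return method == DEMO_LDAP_AUTH_SIMPLE;
}

int main(void)
{
    printf("little-endian int sees %d (skips OTP: %d)\n",
           buggy_method_value(0), buggy_skips_otp(0));
    printf("big-endian    int sees %d (skips OTP: %d)\n",
           buggy_method_value(1), buggy_skips_otp(1));
    printf("this host     int sees %d\n", host_method_as_int());
    printf("ber_tag_t-sized variable matches LDAP_AUTH_SIMPLE: %d\n",
           fixed_method_is_simple());
    return 0;
}
```

Compile with any C99 compiler and run; on an x86_64 host the third line reports 128 and on s390x it reports 0, matching the two debugger readings in the comment, while the ber_tag_t-sized variable matches on both.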

Comment 2 Florence Blanc-Renaud 2023-06-26 16:10:32 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/9402

Comment 4 Marc Sauton 2023-06-27 13:59:15 UTC
is this similar to an older issue with
https://github.com/python-ldap/python-ldap/pull/416
https://bugzilla.redhat.com/show_bug.cgi?id=1931865#c68
?

Comment 5 Florence Blanc-Renaud 2023-06-27 14:07:05 UTC
(In reply to Marc Sauton from comment #4)
> is this similar to an older issue with
> https://github.com/python-ldap/python-ldap/pull/416
> https://bugzilla.redhat.com/show_bug.cgi?id=1931865#c68
> ?

It's similar in that casting a ber_tag_t or ber_len_t to an int on s390x would produce unwanted results, but the issue was in a different part of the code.

Comment 6 Florence Blanc-Renaud 2023-06-28 15:30:56 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/7060e3a031fb4e4cdf85f616f1e1a3435d61e696

Comment 10 anuja 2023-07-04 12:47:13 UTC
Test results without the fix:
Using: ipa-server-4.10.2-1.el9.s390x

....
2023-07-04T12:40:11+0000 FAILED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test002
2023-07-04T12:40:11+0000 FAILED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test003
2023-07-04T12:40:11+0000 FAILED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test004
2023-07-04T12:40:11+0000 FAILED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test013
2023-07-04T12:40:11+0000 ====== 4 failed, 29 passed, 25 xfailed, 10 warnings in 685.95s (0:11:25) =======

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Test results with the test compose:
Using: ipa-server-4.10.2-2.el9.s390x
2023-07-04T10:17:36+0000 =========================== short test summary info ============================
2023-07-04T10:17:36+0000 PASSED src/otp/test_0002_radius_master_tests.py::TestRadiusfunction::test_radius_0001
...
...
...
2023-07-04T10:17:36+0000 PASSED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test016
2023-07-04T10:17:36+0000 XFAIL src/otp/test_0001_otp_master_tests.py::TestOTPfunction::test_otp_0001
...
...
2023-07-04T10:17:36+0000 XFAIL src/otp/test_0001_otp_master_tests.py::TestOTPfunction::test_otp_0047
2023-07-04T10:17:36+0000   reason: oathtool package installation failed, check repo links for further debugging
2023-07-04T10:17:36+0000 =========== 33 passed, 25 xfailed, 10 warnings in 745.46s (0:12:25) ============


Based on this, marking the bug as verified.

Comment 18 anuja 2023-07-11 17:23:58 UTC
Verified using nightly build
ipa-server-4.10.2-2.el9.s390x

Test result:
...
...
2023-07-11T10:20:45+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test002 PASSED [ 75%]
2023-07-11T10:21:17+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test003 PASSED [ 77%]
2023-07-11T10:21:44+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test004 PASSED [ 79%]
...
...
2023-07-11T10:22:45+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test013 PASSED [ 94%]
2023-07-11T10:22:46+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test014 PASSED [ 96%]
2023-07-11T10:22:46+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test015 PASSED [ 98%]
2023-07-11T10:22:47+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test016 PASSED [100%]
2023-07-11T10:22:47+0000 =========== 33 passed, 25 xfailed, 10 warnings in 709.79s (0:11:49) ============
2023-07-11T10:22:49+0000 AVC not found
2023-07-11T10:22:49+0000 AVC not found
2023-07-11T10:22:49+0000 RETURN CODE: 0