Bug 2218132

Summary: Satellite LDAP Authentication with AD does not allow bind password over 60 characters
Product: Red Hat Satellite
Reporter: Lukáš Hellebrandt <lhellebr>
Component: LDAP
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DEFERRED
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium
Priority: unspecified
Version: 6.14.0
CC: aruzicka, rlavi
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Last Closed: 2023-10-05 12:25:20 UTC
Type: Bug

Description Lukáš Hellebrandt 2023-06-28 09:33:35 UTC
Description of problem:
After fixing bug 2077081, the LDAP password limit is now not 60, but 69 characters. There should be no limit.

Version-Release number of selected component (if applicable):
Sat 6.14

How reproducible:
Deterministic

Steps to Reproduce:
Create users in Active Directory: qwerty (with 78 characters password), qwerty66 (with 66 characters password), qwerty69 (with 69 characters password).
Attempt to use these users as the bind users for the LDAP auth source. This is not about logging in as those users, but rather about using those users to log in to the AD itself to verify a user who is being logged in.
1) In WebUI: Administration -> Authentication Sources -> LDAP -> Create
2) On the first tab fill in the necessary data, select Active Directory as type (make sure you have the right cert for LDAPS, use update-ca-trust workflow)
3) On the second tab, use login <DOMAIN>\<user>, in my case: AD2019\qwerty and fill in the rest
4) On the third tab, I had to set login mapping from uid to cn
5) Submit
=> Failure, second tab's Password field marked red with text "is too long (maximum is 69 characters)".
6) Repeat 3,4,5 for users qwerty66 and qwerty69
=> OK
7) Attempt to set 70-characters password
=> Failure as above
8) Finally, Submit with some account that works, I used qwerty69
9) Logout
10) Login using any <user>, I used qwerty66
=> OK
11) In hammer:
   hammer auth-source ldap update --id <id> --account-password <password_of_qwerty_user>
   Could not update the Auth Source:
     Account password is too long (maximum is 69 characters)
=> OK

Actual results:
Password with length 70 or more can't be used for binding an LDAP user in auth source

Expected results:
Any password should be permitted
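The report above is about an application-side length check on the bind password, not a protocol limit. The following is an added example (not Foreman, Satellite or net-ldap code) that hand-encodes an LDAPv3 simple BindRequest per RFC 4511 section 4.2 and decodes it back, showing that the password travels as a plain BER OCTET STRING whose length field grows as needed, so a 70-, 78- or even 200-character bind password round-trips fine; only the assumed 69-character application check (`within_reported_limit?`, a stand-in for whatever validation produced the error message, not Foreman's own code) rejects it. The DN and sample passwords are constructed for the example.

```ruby
# Added example: minimal BER encoder/decoder for an LDAPv3 simple BindRequest.
# Not Foreman/Satellite/net-ldap code; DN and passwords below are constructed.

# BER length: short form below 128, long form (0x80 | byte count, then big-endian bytes) otherwise.
def ber_length(n)
  return [n].pack("C") if n < 0x80
  bytes = []
  while n > 0
    bytes.unshift(n & 0xff)
    n >>= 8
  end
  ([0x80 | bytes.size] + bytes).pack("C*")
end

# One tag-length-value element.
def ber_tlv(tag, body)
  [tag].pack("C") + ber_length(body.bytesize) + body
end

# INTEGER, restricted here to 0..127 (enough for messageID and the protocol version).
def ber_small_int(i)
  raise ArgumentError, "integer out of range for this example" unless (0..127).cover?(i)
  ber_tlv(0x02, [i].pack("C"))
end

# LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] OCTET STRING } }
def bind_request(message_id, dn, password, version: 3)
  bind = ber_tlv(0x60, ber_small_int(version) + ber_tlv(0x04, dn.b) + ber_tlv(0x80, password.b))
  ber_tlv(0x30, ber_small_int(message_id) + bind)
end

# Read one TLV at byte offset pos; returns [tag, value, next_pos].
def read_tlv(buf, pos)
  tag = buf.getbyte(pos)
  first = buf.getbyte(pos + 1)
  pos += 2
  if first < 0x80
    len = first
  else
    count = first & 0x7f
    len = buf.byteslice(pos, count).bytes.inject(0) { |acc, b| (acc << 8) | b }
    pos += count
  end
  [tag, buf.byteslice(pos, len), pos + len]
end

# Decode DN and password back out of a BindRequest, checking the tags on the way.
def parse_bind_request(msg)
  tag, body, _ = read_tlv(msg, 0)
  raise "not an LDAPMessage" unless tag == 0x30
  _, _, pos = read_tlv(body, 0)                 # messageID
  tag, bind, _ = read_tlv(body, pos)
  raise "not a BindRequest" unless tag == 0x60
  _, _, pos = read_tlv(bind, 0)                 # version
  _, dn, pos = read_tlv(bind, pos)
  tag, pw, _ = read_tlv(bind, pos)
  raise "not a simple bind" unless tag == 0x80
  [dn, pw]
end

# Assumed shape of the application-side check described in the report (not Foreman's code).
def within_reported_limit?(password, max: 69)
  password.length <= max
end

# Round-trip passwords of the lengths used in the report plus one long enough to need
# long-form BER lengths; returns [length, round_trips?, passes_69_limit?] per password.
def check_lengths(lengths = [66, 69, 70, 78, 200])
  lengths.map do |n|
    pw = "p" * n   # constructed sample password of exactly n characters
    _, decoded = parse_bind_request(bind_request(1, "CN=qwerty,DC=example,DC=test", pw))
    [n, decoded == pw, within_reported_limit?(pw)]
  end
end

if $PROGRAM_NAME == __FILE__
  check_lengths.each { |n, ok, allowed| puts "#{n} chars: round_trips=#{ok} passes_69_limit=#{allowed}" }
end
```

The encoder is enough to show the point but is deliberately not a general BER library: integers are limited to one byte and the decoder trusts the tags it checks for. The same long-form length handling is what lets a real client such as net-ldap carry any password the directory's own policy accepts.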

Comment 1 Adam Ruzicka 2023-10-05 12:25:20 UTC
This is a valid bug. However, the fix would need to land in a third-party library (net-ldap), where we don't have any permissions and where we don't know the codebase at all, so it would be a somewhat larger time investment. There are also no customer cases attached; the only customer I'm aware of that complained about this issue was satisfied with 64 characters. With that being said, I'll go ahead and close this one, since we do not believe it will be fixed in the next multiple releases due to the priority of this bug as compared to others. If this has a large impact on you, please feel free to re-open it and provide additional information to help us better prioritize it.