Bug 471287

Summary: password plugin can't handle entries without kerberos
Product: [Retired] freeIPA
Component: ipa-server
Version: 1.2
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Reporter: Rob Crittenden <rcritten>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, jgalipea
Target Milestone: v2 release
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-03-28 09:29:07 UTC
Bug Blocks: 431020
Attachments:
Don't require kerberos attrs on all password changes (flags: none)

Description Rob Crittenden 2008-11-12 20:36:37 UTC
The password extop plugin requires that the entry have kerberos credentials (and/or objectclass I suppose) in order to reset a password using ldappasswd.

If you have an entry like this:

dn: uid=passsync,cn=sysaccounts,cn=etc,dc=greyoak,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: passsync
userPassword::XXXXXX...

It fails if you do:

%ldappasswd -v -Y GSSAPI -S uid=passsync,cn=sysaccounts,cn=etc,dc=greyoak,dc=com
New password: 
Re-enter new password: 
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
Result: Operations error (1)
Additional info: Failed to update password

DS logs:

[12/Nov/2008:15:34:36 -0500] ipa_pwd_extop - no krbPrincipalName present in this entry
[12/Nov/2008:15:34:36 -0500] ipa_pwd_extop - key encryption/encoding failed

Comment 1 Simo Sorce 2008-11-18 22:32:15 UTC
Temporary workaround is to use ldapmodify and change the userPassword attribute.
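
The following added example, which is not part of the bug report or of the freeIPA code, scans an LDIF export (for instance ldapsearch output) for entries that match the condition in the description: an entry that holds a password, or is a simpleSecurityObject, but has no krbPrincipalName. Those are the entries that need the ldapmodify workaround above. The sample data is constructed; only the passsync DN comes from the report, and the function names are hypothetical.

```python
# Constructed sample: first DN is from the report; all else is made up.
SAMPLE_LDIF = """\
dn: uid=passsync,cn=sysaccounts,cn=etc,dc=greyoak,dc=com
objectClass: simplesecurityobject
uid: passsync
userPassword:: Q09OU1RSVUNURUQ=

dn: uid=alice,cn=users,cn=accounts,dc=greyoak,dc=com
objectClass: krbPrincipalAux
krbPrincipalName: alice@GREYOAK.COM
userPassword:: Q09OU1RSVUNURUQ=

dn: cn=a long group name that the exporter folded,cn=groups,
 cn=accounts,dc=greyoak,dc=com
objectClass: groupOfNames
"""


def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per LDIF record (RFC 2849)."""
    unfolded, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):            # continuation of the previous line
            if unfolded and not in_comment:
                unfolded[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:           # trailing "" flushes the last record
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        # Strip the "::" (base64) or ":<" (URL) marker; only presence matters.
        current.setdefault(attr.strip().lower(), []).append(value.lstrip(":< "))
    return entries


def entries_without_kerberos(entries):
    """DNs with userPassword or simpleSecurityObject but no krbPrincipalName."""
    def affected(e):
        classes = {c.lower() for c in e.get("objectclass", [])}
        has_password = "userpassword" in e or "simplesecurityobject" in classes
        return has_password and "krbprincipalname" not in e
    return [e["dn"][0] for e in entries if affected(e)]
```

userPassword is only present in an export made by an identity allowed to read it, which is why the objectClass is checked as well.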

Comment 3 Rob Crittenden 2010-04-23 15:38:59 UTC
Created attachment 408651
Don't require kerberos attrs on all password changes

Comment 4 Rob Crittenden 2010-04-23 19:23:14 UTC
master: ba85312bf1304d20f4199038bcf4a3f900dad7cf