Bug 712109

Question: does the password actually get set properly and work?

(In reply to comment #3)
> Question: does the password actually get set properly and work?

Yes. 

-sh-4.1$ sudo -l
LDAP Config Summary
===================
uri              ldap://bumblebee.lab.eng.pnq.redhat.com/
uri              ldap://bumblebee.lab.eng.pnq.redhat.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
bindpw           Secret_123
bind_timelimit   5000
timelimit        15
ssl              no
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
tls_cacertdir    /etc/ipa
===================
sudo: ldap_initialize(ld, ldap://bumblebee.lab.eng.pnq.redhat.com/ ldap://bumblebee.lab.eng.pnq.redhat.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacertdir -> /etc/ipa
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_bind_s() ok
[...]

Fixed upstream:

ipa-4-2:
d5180ee973c4e9f30ec64fd2c1237f33d00af918 Return default TL_DATA is krbExtraData is missing
fec0f4621bd21c9a0f2f6cda11ade96271a10f5a FIX: ipa_kdb_principals: add missing break statement

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Still seeing error on ipa-server-4.4.0-9.el7:

[root@auto-hv-01-guest02 ~]# cat /var/log/dirsrv/slapd-TESTRELM-TEST/errors | grep krbExtraData
[root@auto-hv-01-guest02 ~]# 
[root@auto-hv-01-guest02 ~]# LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h auto-hv-01-guest02.testrelm.test -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm,dc=test
New password: 
Re-enter new password: 
Enter LDAP Password: 
[root@auto-hv-01-guest02 ~]# cat /var/log/dirsrv/slapd-TESTRELM-TEST/errors | grep krbExtraData[18/Sep/2016:15:16:35.175406274 -0400] Entry "uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm,dc=test" -- attribute "krbExtraData" not allowed

The issue probably seems to be in the ipa-pwd-extop plugin itself as it seems that it tries to set 'krbExtraData' unconditionally regardless of whether the target DN belongs to Kerberos principal or not (see [1]):

I was able to produce a simple patch to silence this error but I will need to do some more testing to be sure it does not break anything else.

[1] https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c#n598

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6362

RHEL-7.7 is already near the end of a Development Phase and development is being wrapped up. I am bulk-moving to RHEL 8 the Bugs which were already triaged, but to which we did not commit (without devel_ack) and we cannot keep them even as a stretch goal for RHEL-7.7.

If you believe this particular bug should be reconsidered for 7.7, please let us know.

This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in future. Time showed that we did not have such capacity, nor have it now nor will have in the foreseeable future. In such a situation keeping it in the backlog is misleading and setting the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream is always welcome!
Thank you for understanding.
Red Hat Enterprise Linux Identity Management Team