1084304 – [RFE] Support IdM user password change operation in the compat tree

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1084304 - [RFE] Support IdM user password change operation in the compat tree

Summary: [RFE] Support IdM user password change operation in the compat tree

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	slapi-nis
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Alexander Bokovoy
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1084018
TreeView+	depends on / blocked

Reported:	2014-04-04 06:40 UTC by Martin Kosek
Modified:	2016-11-04 07:04 UTC (History)
CC List:	5 users (show)
Fixed In Version:	slapi-nis-0.56.0-3.el7
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 07:04:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2471	0	normal	SHIPPED_LIVE	slapi-nis bug fix and enhancement update	2016-11-03 14:07:19 UTC

Description Martin Kosek 2014-04-04 06:40:48 UTC

Description of problem:

FreeIPA uses slapi-nis compat tree so that the legacy hosts (without recent SSSD) can be configured to use LDAP authentication to authenticate IPA or AD users from trusted AD domains:

http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts

Password change should work both for IPA clients and AD clients. As we have enough attributes in the synthesized entry to distinguish IPA user from an AD user, we can try to add password modify callback that uses PAM stack. It doesn't need pam_passthru.

Upstream ticket:
https://fedorahosted.org/slapi-nis/ticket/4

Comment 2 RHEL Program Management 2014-04-12 05:47:30 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 5 Alexander Bokovoy 2016-07-21 12:37:16 UTC

This bug is fixed in slapi-nis 0.56.0. The rebase to slapi-nis 0.56.0 is tracked with bug #1292148.

Comment 6 Martin Kosek 2016-07-21 13:26:01 UTC

Alexander, while you are right that this will be delivered with the rebase, it is an RFE that needs to go through the full Bug life-cycle, including a QE verification.

Moving to MODIFIED.

Comment 10 Sudhir Menon 2016-08-17 18:42:37 UTC

Tested on RHEL7.3 using 

ipa-server-4.4.0-7.el7.x86_64
sssd-1.14.0-18.el7.x86_64

1. Without password set for ipa user
[root@ipaserver abrt]# ldappasswd -D uid=john,cn=users,cn=compat,dc=redlabs,dc=qe -W
Enter LDAP Password: 
ldap_bind: Inappropriate authentication (48)

2. With password set and user disabled in IPA
[root@ipaserver abrt]# ipa passwd john
New Password: 
Enter New Password again to verify: 
--------------------------------------
Changed password for "john"

[root@ipaserver abrt]# ipa user-disable john
----------------------------
Disabled user account "john"
----------------------------
[root@ipaserver abrt]# ldappasswd -D uid=john,cn=users,cn=compat,dc=redlabs,dc=qe -W
Enter LDAP Password: 
ldap_bind: Server is unwilling to perform (53)
additional info: Account inactivated. Contact system administrator.

3. Change admin password for IPA
[root@ipaserver abrt]# ldappasswd -D uid=admin,cn=users,cn=compat,dc=redlabs,dc=qe -W -s **** -a ****
Enter LDAP Password: 
Result: Success (0)

3.a Trying to change password immediately for admin user
[root@ipaserver abrt]# ldappasswd -D uid=admin,cn=users,cn=compat,dc=redlabs,dc=qe -W -a Secret123 -s Direct123 -vvv
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
Result: Constraint violation (19)
Additional info: Too soon to change password
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MIQAAAADgQEH
ppolicy: error=7 (Password has been changed too recently)

4. Invalid ipa user
[root@ipaserver abrt]# ldappasswd -D uid=joe,cn=users,cn=compat,dc=redlabs,dc=qe -W 
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

5. valid ipa user
[root@ipaserver abrt]# ldappasswd -D uid=john,cn=users,cn=compat,dc=redlabs,dc=qe -W -a test_123 -s test_123 -vv
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
Result: Success (0)

5.a Change password immediately for ipa user.
[root@ipaserver abrt]# ldappasswd -D uid=john,cn=users,cn=compat,dc=redlabs,dc=qe -W -a test_123 -s test_123 -vvv
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
Result: Constraint violation (19)
Additional info: Too soon to change password
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MIQAAAADgQEH
ppolicy: error=7 (Password has been changed too recently)

6. With Ad trusted user.
[root@ipaserver abrt]# ldapsearch -x -LLL '(&(objectclass=posixaccount)(uid=sudhir))'
dn: uid=sudhir,cn=users,cn=compat,dc=redlabs,dc=qe
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: sudhir
gidNumber: 558001482
gecos: sudhir
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0zOTEyNzE5NTIxLTE5Njc1OTAzNjAtMTEzNjIyNjUyNC
 0xNDgy
uidNumber: 558001482
homeDirectory: /home/pne.qe/sudhir
uid: sudhir

[root@ipaserver abrt]# ldappasswd -D uid=sudhir,cn=users,cn=compat,dc=redlabs,dc=qe -W
Enter LDAP Password: 
Result: Server is unwilling to perform (53)
Additional info: PasswdModify Request empty.

Note: ldappasswd changes for AD users is not supported.

Comment 12 errata-xmlrpc 2016-11-04 07:04:18 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2471.html

Note You need to log in before you can comment on or make changes to this bug.