RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1118007 - [RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords
Summary: [RFE] Make it possible for privileges to be provided to an admin user to impo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 1149547
TreeView+ depends on / blocked
 
Reported: 2014-07-09 20:14 UTC by Noriko Hosoi
Modified: 2020-09-13 20:17 UTC (History)
5 users (show)

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Enhancement
Doc Text:
Feature: It used to be only Directory Manager could add encoded passwords, or force a user to change their password after a reset. Password Policy is extended to include "passwordAdminDN". This attribute contains a DN of a user or a group. If a password policy object contains passwordAdminDN, then the accounts specified by the attribute are also allowed to add encoded passwords or force to change their password after a reset. For more details, see also: http://www.port389.org/docs/389ds/design/password-administrator.html
Clone Of:
Environment:
Last Closed: 2015-03-05 09:35:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 458 0 None None None 2020-09-13 20:17:32 UTC
Red Hat Product Errata RHSA-2015:0416 0 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Noriko Hosoi 2014-07-09 20:14:02 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/458

https://bugzilla.redhat.com/show_bug.cgi?id=856577 (''Red Hat Directory Server'')

{{{
3. What is the nature and description of the request?

For automated password reset procedures the hashed password has to be imported
via ldif file into LDAP server. If password syntax check is enabled only the
cn=directory manager is allowed to do it. but due to permission separation the
import user should only have access to a certain tree in LDAP.


4. Why does the customer need this? (List the business requirements here)

To support the following scenario:
a) A password reset is triggered from another server.
b) No interactive access is granted to the support personnel. They have to
create an ldif file which is loaded into LDAP.
c) LDAP is also used for the authentication of non-user sessions and all
changes have to be done via ldif files.
d) Due to security restrictions only hashed passwords are allowed in ldif
files.


5. How would the customer like to achieve this? (List the functional
requirements here)

Add a special role for the admin user of LDAP subtree which allows them to
bypass the hashed password check when loading an ldif file with hashed
passwords.


6. For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully
implemented.

a) setup LDAP subtree
b) create admin user
c) activate password sytax check on subtree
d) import ldif file with hashed passord by admin user -> should fail
e) add special role to admin user
d) import ldif file with hashed passord by admin user -> should work


7. Is there already an existing RFE upstream or in Red Hat bugzilla?

Bug 843576, "RFE - forcing passwordmustchange attribute by non-cn=directory
manager" / upstream <https://fedorahosted.org/389/ticket/417> is in a closely
related are; perhaps this RFE can be merged with it.


8. Does the customer have any specific timeline dependencies?

No.


9. Is the sales team involved in this request and do they have any additional
input?

The sales team is actively involved in this account, but not in this request
specifically.


10. List any affected packages or components.

389-ds-base


11. Would the customer be able to assist in testing this functionality if
implemented?

Yes.
}}}
Comment 3 Amita Sharma 2014-11-10 12:37:03 UTC 
I will refer design doc 
http://www.port389.org/docs/389ds/design/password-administrator.html

and steps ::
a) setup LDAP subtree
b) create admin user
c) activate password sytax check on subtree
d) import ldif file with hashed passord by admin user -> should fail
e) add special role to admin user
d) import ldif file with hashed passord by admin user -> should work

Removing needinfo flag.
Comment 4 Amita Sharma 2014-11-21 11:21:02 UTC 
Using normal user
====================
[root@dhcp201-126 slapd-dhcp201-126]# ldapmodify -h localhost -p 389 -D "uid=test1,dc=example,dc=com" -w Secret123 -a -f /export/users.ldif
adding new entry "uid=sghai,dc=example,dc=com"
ldap_add: Constraint violation (19)
	additional info: invalid password syntax - passwords with storage scheme are not allowed

Using password admin user
==============================
[root@dhcp201-126 slapd-dhcp201-126]# ldapmodify -h localhost -p 389 -D "uid=ami,dc=example,dc=com" -w Secret123 -a -f /export/users.ldif
adding new entry "uid=sghai,dc=example,dc=com"

adding new entry "uid=sghai1,dc=example,dc=com"

adding new entry "uid=sghai2,dc=example,dc=com"

adding new entry "uid=sghai3,dc=example,dc=com"

adding new entry "uid=sghai4,dc=example,dc=com"

adding new entry "uid=sghai5,dc=example,dc=com"

[root@dhcp201-126 slapd-dhcp201-126]# cat /export/users.ldif
# entry-id: 10
dn: uid=sghai,dc=example,dc=com
cn: sghai
sn: sghai
givenName: sghai
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: sghai
mail: sghai
userPassword:: e1NTSEF9Ty9EZVdmdlIzU0JNOEUybVl3S2o4TG9zUG1XTGhqeGFyRks0OWc9PQ=
 =
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141120130928Z
modifyTimestamp: 20141120130928Z
nsUniqueId: 6e02e684-70b611e4-b9bd8042-4ccbdcdd
.
.
.
.

Hence Verified.
Comment 6 errata-xmlrpc 2015-03-05 09:35:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
Note You need to log in before you can comment on or make changes to this bug.