Bug 1118007 - [RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Blocks: 1149547
Reported: 2014-07-09 20:14 UTC by Noriko Hosoi
Modified: 2015-08-26 15:28 UTC (History)

Fixed In Version: 389-ds-base-1.3.3.1-1.el7
Doc Type: Enhancement
Doc Text:
Feature: Previously, only the Directory Manager could add encoded (hashed) passwords or force a user to change their password after a reset. The password policy is extended with a new attribute, "passwordAdminDN", which holds the DN of a user or of a group. If a password policy object contains passwordAdminDN, the accounts it designates are also allowed to add encoded passwords and to force a password change after a reset. For more details, see also: http://www.port389.org/docs/389ds/design/password-administrator.html
Last Closed: 2015-03-05 09:35:56 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0416 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC

Description Noriko Hosoi 2014-07-09 20:14:02 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/458

https://bugzilla.redhat.com/show_bug.cgi?id=856577 (Red Hat Directory Server)

{{{
3. What is the nature and description of the request?

For automated password reset procedures the hashed password has to be imported
via an LDIF file into the LDAP server. If the password syntax check is enabled, only
cn=directory manager is allowed to do it, but due to permission separation the
import user should only have access to a certain tree in LDAP.


4. Why does the customer need this? (List the business requirements here)

To support the following scenario:
a) A password reset is triggered from another server.
b) No interactive access is granted to the support personnel. They have to
create an ldif file which is loaded into LDAP.
c) LDAP is also used for the authentication of non-user sessions and all
changes have to be done via ldif files.
d) Due to security restrictions only hashed passwords are allowed in ldif
files.


5. How would the customer like to achieve this? (List the functional
requirements here)

Add a special role for the admin user of an LDAP subtree which allows them to
bypass the hashed password check when loading an LDIF file with hashed
passwords.


6. For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully
implemented.

a) set up an LDAP subtree
b) create an admin user
c) activate the password syntax check on the subtree
d) import an LDIF file with a hashed password as the admin user -> should fail
e) add the special role to the admin user
f) import an LDIF file with a hashed password as the admin user -> should work


7. Is there already an existing RFE upstream or in Red Hat bugzilla?

Bug 843576, "RFE - forcing passwordmustchange attribute by non-cn=directory
manager" / upstream <https://fedorahosted.org/389/ticket/417> is in a closely
related area; perhaps this RFE can be merged with it.


8. Does the customer have any specific timeline dependencies?

No.


9. Is the sales team involved in this request and do they have any additional
input?

The sales team is actively involved in this account, but not in this request
specifically.


10. List any affected packages or components.

389-ds-base


11. Would the customer be able to assist in testing this functionality if
implemented?

Yes.
}}}

Comment 3 Amita Sharma 2014-11-10 12:37:03 UTC
I will refer design doc 
http://www.port389.org/docs/389ds/design/password-administrator.html

and steps ::
a) set up an LDAP subtree
b) create an admin user
c) activate the password syntax check on the subtree
d) import an LDIF file with a hashed password as the admin user -> should fail
e) add the special role to the admin user
f) import an LDIF file with a hashed password as the admin user -> should work

Removing needinfo flag.

Comment 4 Amita Sharma 2014-11-21 11:21:02 UTC
Using normal user
====================
[root@dhcp201-126 slapd-dhcp201-126]# ldapmodify -h localhost -p 389 -D "uid=test1,dc=example,dc=com" -w Secret123 -a -f /export/users.ldif
adding new entry "uid=sghai,dc=example,dc=com"
ldap_add: Constraint violation (19)
	additional info: invalid password syntax - passwords with storage scheme are not allowed

Using password admin user
==============================
[root@dhcp201-126 slapd-dhcp201-126]# ldapmodify -h localhost -p 389 -D "uid=ami,dc=example,dc=com" -w Secret123 -a -f /export/users.ldif
adding new entry "uid=sghai,dc=example,dc=com"

adding new entry "uid=sghai1,dc=example,dc=com"

adding new entry "uid=sghai2,dc=example,dc=com"

adding new entry "uid=sghai3,dc=example,dc=com"

adding new entry "uid=sghai4,dc=example,dc=com"

adding new entry "uid=sghai5,dc=example,dc=com"

[root@dhcp201-126 slapd-dhcp201-126]# cat /export/users.ldif
# entry-id: 10
dn: uid=sghai,dc=example,dc=com
cn: sghai
sn: sghai
givenName: sghai
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: sghai
mail: sghai@example.com
userPassword:: e1NTSEF9Ty9EZVdmdlIzU0JNOEUybVl3S2o4TG9zUG1XTGhqeGFyRks0OWc9PQ=
 =
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141120130928Z
modifyTimestamp: 20141120130928Z
nsUniqueId: 6e02e684-70b611e4-b9bd8042-4ccbdcdd
.
.
.
.

Hence Verified.
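The access rule that the Doc Text describes and that Comment 4 verifies, written out as a small model (an added example for this page, not 389-ds-base code): it parses the LDIF shown in Comment 4, detects pre-hashed userPassword values, and applies the decision that the Directory Manager, the passwordAdminDN user, or a member of a passwordAdminDN group may import them, while any other binder gets the constraint violation shown above. The `group_members` dict and the `simulate_import` helper are assumptions made for the model, not server API.

```python
import base64
DIRECTORY_MANAGER = "cn=directory manager"
SYNTAX_ERROR = (19, "invalid password syntax - passwords with storage scheme are not allowed")

USERS_LDIF = """\
# entry from Comment 4 above, trimmed to the attributes that matter; the userPassword value is folded
dn: uid=sghai,dc=example,dc=com
objectClass: inetOrgPerson
uid: sghai
userPassword:: e1NTSEF9Ty9EZVdmdlIzU0JNOEUybVl3S2o4TG9zUG1XTGhqeGFyRks0OWc9PQ=
 =
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold ' '-continued lines, decode '::' base64 values, split on blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 line folding
        elif not raw.startswith("#"):  # LDIF comment lines are dropped
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip()).decode()
        else:
            name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    return entries

def is_prehashed(value):
    """A storage-scheme prefix such as {SSHA} is what the password syntax check rejects."""
    return value.startswith("{") and "}" in value

def is_password_admin(binder_dn, password_admin_dn, group_members):
    """Directory Manager, the passwordAdminDN user itself, or a member of the passwordAdminDN group."""
    members = group_members.get(password_admin_dn.lower(), ())  # assumed shape: {group dn: [member dns]}
    return binder_dn.lower() in {DIRECTORY_MANAGER, password_admin_dn.lower(), *(m.lower() for m in members)}

def simulate_import(binder_dn, ldif_text, password_admin_dn, group_members):
    """Map each entry DN to 'added' or to the ldap_add error, per the policy this bug introduces."""
    allowed = is_password_admin(binder_dn, password_admin_dn, group_members)
    return {e["dn"][0]: "added" if allowed or not any(is_prehashed(v) for v in e.get("userPassword", []))
            else SYNTAX_ERROR for e in parse_ldif(ldif_text)}
```

Running `simulate_import` with the two binders from Comment 4 reproduces the failed add for uid=test1 and the successful adds for uid=ami; a cleartext userPassword passes for either binder because the syntax check only rejects storage-scheme values.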

Comment 6 errata-xmlrpc 2015-03-05 09:35:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html
