Bug 1245445 - Can't login without user changed password
Summary: Can't login without user changed password
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipsilon
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Patrick Uiterwijk
QA Contact: Namita Soman
Depends On:
Reported: 2015-07-22 06:09 UTC by Jamie Lennox
Modified: 2016-02-16 22:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-02-16 22:40:06 UTC
Target Upstream Version:

Attachments
http error log (648.35 KB, text/plain)
2015-10-14 19:33 UTC, Scott Poore

Description Jamie Lennox 2015-07-22 06:09:51 UTC
If, as admin, I create a new user in FreeIPA, when I first log in I get asked to change my password. In IPA this works fine, as you get prompted to change; in ipsilon you get the cryptic message:

401 - Unauthorized

No permission -- see authorization schemes

If ipsilon is unable to do IPA user password changes, is there a way we can at least better identify the error?

Comment 2 Rob Crittenden 2015-07-22 12:49:15 UTC
Upstream ticket:

Comment 4 Scott Poore 2015-10-14 19:14:10 UTC
Failing this one. If I connect to the IdP with a new user with an expired password, I see the new error message.

However, if I connect to the SP, I do not. I see the same error message from comment #1.

Comment 5 Rob Crittenden 2015-10-14 19:30:09 UTC
Moving to 7.3. This is an enhancement.

I can see the error "Password is expired" on the IdP, then it looks like Ipsilon sends back a 303 and the client responds with an empty SAML login request.

Ipsilon then logs "saml2: User is marked anonymous?!" and returns a 401 with the wrong reason.

Re-opened upstream ticket for further work.

Comment 6 Scott Poore 2015-10-14 19:33:47 UTC
Created attachment 1082934
http error log

Comment 9 Nathan Kinder 2016-02-16 22:40:06 UTC
There are no plans to update Ipsilon in RHEL 7.3, and it is being replaced by Keycloak long-term.  Closing this as WONTFIX.
