1545755 – ipa-replica-prepare should not update pki admin password.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1545755 - ipa-replica-prepare should not update pki admin password.

Summary: ipa-replica-prepare should not update pki admin password.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-15 15:13 UTC by German Parente
Modified:	2022-03-13 15:11 UTC (History)
CC List:	12 users (show)
Fixed In Version:	ipa-4.6.6-12.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-09-29 19:58:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7976	None	None	None	2022-03-13 15:11:34 UTC
Red Hat Knowledge Base (Solution)	3365771	None	None	None	2018-02-28 07:13:28 UTC
Red Hat Product Errata	RHSA-2020:3936	None	None	None	2020-09-29 19:59:03 UTC

Description German Parente 2018-02-15 15:13:17 UTC

Description of problem:

ipa-replica-prepare "profits" to set admin password same as "cn=directory manager" password. While this was required in RHEL6, it's not more the case in RHEL7 where the passwords can differ. And it could be also a problem if the password policy has been set with particular settings applied to the admin password. As "cn=directory manager" password does not need to comply with password policy and admin password must comply, we could have failures because of this attempt to change password.

More precisely, I am talking about this part of the code of ipa-replica-prepare:


=============================
            if os.path.isfile(options.ca_file):
                # Since it is possible that the Directory Manager password
                # has changed since ipa-server-install, we need to regenerate
                # the CA PKCS#12 file and update the pki admin user password
                self.regenerate_ca_file(options.ca_file)
                self.update_pki_admin_password()
                self.copy_info_file(options.ca_file, "cacert.p12")
===============================

update_pki_admin_password:
====================================================
    def update_pki_admin_password(self):
        dn = DN('uid=admin', 'ou=people', 'o=ipaca')
        api.Backend.ldap2.modify_password(dn, self.dirman_password)
====================================================

Particularly, we have a customer with this failure in ipa-replica-prepare:

     self.update_pki_admin_password()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepar
e.py", line 586, in update_pki_admin_password
     api.Backend.ldap2.modify_password(dn, self.dirman_password)
   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py",
line 390, in modify_password
     self.conn.passwd_s(str(dn), old_pass, new_pass)
   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
     self.gen.throw(type, value, traceback)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
975, in error_handler
     raise errors.DatabaseError(desc=desc, info=info)
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: DatabaseError:
Constraint
violation: Password reuse not permitted
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
Constraint violation: Password reuse not permitted

Because its global password policy has a:

History size: 24








Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Rob Crittenden 2018-02-15 15:19:28 UTC

So the user created a password policy within dogtag? For what purpose? Compliance?

Comment 7 Rob Crittenden 2018-02-15 19:34:10 UTC

I ran this past Ade and he agreed that this password change shouldn't be required.

Comment 8 Rob Crittenden 2018-02-20 15:48:25 UTC

Something else to look at is that the change is being applied by DM which should avoid password policy.

Comment 9 Rob Crittenden 2018-02-20 20:02:10 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7181

Comment 13 Christian Heimes 2020-03-25 09:12:41 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/38204856fd72e5191bae07a47907314aacf43d1a
https://pagure.io/freeipa/c/8c191ddf6d75090c80f567dd665bdacc44ef8883
https://pagure.io/freeipa/c/a620ac0f6f2505b6e9242f21dc0314c45747336e
https://pagure.io/freeipa/c/527f30be76f0da6d4453745ace25f64948c0504f
https://pagure.io/freeipa/c/d9c41df6fd39b8d6bc879a9321b3f76eb1847b06
https://pagure.io/freeipa/c/132a0f8771edd3a741bc60e6bc4c9b56cb172e4a
https://pagure.io/freeipa/c/ff6984e2eea0f54851db796c8b3ad29c54a4e325
https://pagure.io/freeipa/c/89066892151e1da5c2557d8eb76c2b04dbd61979

Comment 14 Christian Heimes 2020-03-25 13:49:20 UTC

ipa-4-8:
https://pagure.io/freeipa/c/c62b9e7f6ab0dec54540dc6cd389fe58f8858275
https://pagure.io/freeipa/c/f4dc10b8caac44f5c2a8edbb4c647e6dcf71c3bd
https://pagure.io/freeipa/c/313542e8a125c4904750826ef9eabdead7d874bd
https://pagure.io/freeipa/c/5bae736bc81eaa1167ec64a69a32506dad2ca286
https://pagure.io/freeipa/c/bcbf64b1bf287d2b0b23bc7ac0cca9e8b789ba4a
https://pagure.io/freeipa/c/8b7bb96b327207284c8c0a45cf2979843482cf48
https://pagure.io/freeipa/c/840671b1cdc508ea86f8412e6423f00b8c3bf809
https://pagure.io/freeipa/c/b34063e700ac4c65b117705bafb0255c26bca060

Comment 15 Christian Heimes 2020-03-25 13:55:36 UTC

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/aaa79c872aad2a5458acefdc16203b9efd62c6c9
https://pagure.io/freeipa/c/e4f3cd0f26efda56db44bf55aa0bb65d8470b160
https://pagure.io/freeipa/c/41fc40a6b18d26d92869f278b2b8436378653b38
https://pagure.io/freeipa/c/d038fc70f8e904a492c5ec0874e0fd0be254ead6
https://pagure.io/freeipa/c/3d41453138c0d730a94acd8c22ef345d910a4e42
https://pagure.io/freeipa/c/dc833948006fac6920581e56ec69763bde3f1d4a
https://pagure.io/freeipa/c/19e872e653705bb178457ebe39c90d4f550f438b
https://pagure.io/freeipa/c/5a98670e4abfac2b7de2f604f8fe19fbea988b16

Comment 16 Rob Crittenden 2020-03-25 18:38:13 UTC

Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/57e30f88242d926c9487e7ca26dc5ded40700192
https://pagure.io/freeipa/c/d91c4d638c6db3183bd0c5e3f18f25ed229a1f3f
https://pagure.io/freeipa/c/74c5a96b8441f0d6b5a64ede2e9de95b4f3fcc4b
https://pagure.io/freeipa/c/79fab655ceca9d1ea0791d3a0fb584ea51a9849d
https://pagure.io/freeipa/c/eaec7584195ce173a6de5101d745be35b7c4cb5f
https://pagure.io/freeipa/c/82585849cfbad0c7cf2225d2766cb0aed0dce898
https://pagure.io/freeipa/c/6d28e82b2616ccc8b67cbe1b60d5e914e02636ca
https://pagure.io/freeipa/c/1e6f6f590342fd5c3cf90dee8f23ca1d2651c551

Comment 22 errata-xmlrpc 2020-09-29 19:58:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936

Note You need to log in before you can comment on or make changes to this bug.