Bug 2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
Summary: [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: Anuj Borah
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2022-11-02 15:57 UTC by Anton Bobrov
Modified: 2023-07-11 11:33 UTC
CC: 8 users

Fixed In Version: sssd-2.9.1-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
- GitHub SSSD/sssd, src/tests/multihost/alltests/test_ldap_password_policy.py#L141 (last updated 2023-06-30 07:41:58 UTC)
- GitHub SSSD/sssd issue 6768 (open): [RHEL8] sssd attempts LDAP password modify extended op after BIND failure (last updated 2023-06-07 15:59:30 UTC)
- GitHub SSSD/sssd pull 6769 (open): ldap: return failure if there are no grace logins left (last updated 2023-06-07 16:05:00 UTC)
- Red Hat Issue Tracker RHELPLAN-138112 (last updated 2022-11-02 16:07:18 UTC)
- Red Hat Issue Tracker SSSD-6195 (last updated 2023-05-30 14:31:06 UTC)

Description Anton Bobrov 2022-11-02 15:57:25 UTC
Description of problem:

When an LDAP password expires and the account is locked without grace logins as per the LDAP password policy, SSSD would erroneously attempt an LDAP password modify extended operation on a connection where the BIND operation has previously failed (due to the described password policy state).

(2022-11-01 12:13:33): [be[test.com]] [simple_bind_send] (0x0100): [RID#54262] Executing simple bind as: uid=ipresovs,ou=people,dc=test,dc=com
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password Policy Response: expire [-1] grace [-1] error [Password expired].
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password expired user must set a new password.
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password expired user must set a new password.
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x0400): [RID#54262] Bind result: Invalid credentials(49), password expired!
(2022-11-01 12:13:33): [be[test.com]] [sdap_pam_chpass_handler_auth_done] (0x1000): [RID#54262] user [uid=ipresovs,ou=people,dc=test,dc=com] successfully authenticated.
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_send] (0x0100): [RID#54262] Executing extended operation
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_done] (0x0200): [RID#54262] Server returned no controls.
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_done] (0x0080): [RID#54262] ldap_extended_operation result: Insufficient access(50), Anonymous Binds are not allowed.

Version-Release number of selected component (if applicable):

sssd-2.6.2-4.el8_6.1.x86_64

Expected results:

SSSD should not try the LDAP password modify extended operation after a BIND failure because it is essentially issuing that operation as an anonymous LDAP user.

It should instead provide a meaningful error message indicating that the password is expired and the account is locked and needs to be reset by a privileged LDAP user.
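The following triage script is an added example and is neither SSSD's code nor the reporter's. It checks an SSSD backend debug log for the exact sequence quoted above: a simple BIND that ends in a non-zero result code, followed in the same request (RID) by a password-modify extended operation, which is what the bug makes SSSD send unauthenticated. The nine log lines from the description are embedded as constructed input. Assumed: the "(timestamp): [be[domain]] [function] (0xlevel): [RID#n] message" layout of SSSD 2.x debug lines, and, for the small decision helper, the password-policy semantics of draft-behera-ldap-password-policy (an expired password with grace logins left produces a successful BIND plus a graceAuthNsRemaining warning; with none left the BIND itself fails with invalidCredentials and error passwordExpired). The helper models the behaviour the reporter asks for; it is not the upstream fix.

```python
"""Triage SSSD backend debug logs for a password-modify extended operation
sent after the simple BIND of the same request failed.

Added example, not SSSD's code. SAMPLE_LOG is the constructed input taken
from the bug description; the line layout below is assumed from SSSD 2.x.
"""
import re
from collections import defaultdict

# (ts): [be[domain]] [function] (0xlevel): [RID#n] message   (assumed layout)
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\): \[be\[(?P<domain>[^\]]*)\]\] \[(?P<func>[^\]]*)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
PPOLICY_RE = re.compile(
    r"Password Policy Response: expire \[(?P<expire>-?\d+)\] "
    r"grace \[(?P<grace>-?\d+)\] error \[(?P<error>[^\]]*)\]"
)
# "Bind result: Invalid credentials(49), ..." / "... result: Insufficient access(50), ..."
RESULT_RE = re.compile(r"result: (?P<text>[^(]+)\((?P<code>\d+)\)")

SAMPLE_LOG = """\
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_send] (0x0100): [RID#54262] Executing simple bind as: uid=ipresovs,ou=people,dc=test,dc=com
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password Policy Response: expire [-1] grace [-1] error [Password expired].
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password expired user must set a new password.
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x1000): [RID#54262] Password expired user must set a new password.
(2022-11-01 12:13:33): [be[test.com]] [simple_bind_done] (0x0400): [RID#54262] Bind result: Invalid credentials(49), password expired!
(2022-11-01 12:13:33): [be[test.com]] [sdap_pam_chpass_handler_auth_done] (0x1000): [RID#54262] user [uid=ipresovs,ou=people,dc=test,dc=com] successfully authenticated.
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_send] (0x0100): [RID#54262] Executing extended operation
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_done] (0x0200): [RID#54262] Server returned no controls.
(2022-11-01 12:13:33): [be[test.com]] [sdap_exop_modify_passwd_done] (0x0080): [RID#54262] ldap_extended_operation result: Insufficient access(50), Anonymous Binds are not allowed.
"""


def parse_line(line):
    """Split one debug line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def events_by_rid(text):
    """Group parsed lines by request ID, keeping their order within a request."""
    grouped = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            grouped[ev["rid"]].append(ev)
    return grouped


def find_exop_after_bind_failure(text):
    """One finding per request whose password-modify exop followed a failed BIND."""
    findings = []
    for rid, events in events_by_rid(text).items():
        bind_dn, ppolicy, bind_failure, finding = None, None, None, None
        for ev in events:
            func, msg = ev["func"], ev["msg"]
            if func == "simple_bind_send" and msg.startswith("Executing simple bind as: "):
                bind_dn = msg[len("Executing simple bind as: "):]
            elif func == "simple_bind_done":
                m = PPOLICY_RE.search(msg)
                if m:
                    ppolicy = {"expire": int(m["expire"]), "grace": int(m["grace"]), "error": m["error"]}
                m = RESULT_RE.search(msg)
                if m and int(m["code"]) != 0:   # non-zero LDAP result code: the BIND failed
                    bind_failure = {"code": int(m["code"]), "text": m["text"].strip()}
            elif func == "sdap_exop_modify_passwd_send" and bind_failure is not None:
                # exop issued on a connection whose BIND failed -> unauthenticated exop
                finding = {"rid": rid, "bind_dn": bind_dn, "bind_failure": bind_failure,
                           "ppolicy": ppolicy, "exop_result": None}
            elif func == "sdap_exop_modify_passwd_done" and finding is not None:
                m = RESULT_RE.search(msg)
                if m:
                    finding["exop_result"] = {"code": int(m["code"]), "text": m["text"].strip()}
        if finding is not None:
            findings.append(finding)
    return findings


def chpass_decision(bind_code, pp_error, pp_grace):
    """Model (assumption, not SSSD's code) of when a password change may continue.
    Under draft-behera semantics a grace login still yields a successful BIND,
    so the exop is only safe after bind_code 0; a failed BIND leaves the
    connection anonymous. pp_grace -1 means the server sent no grace count."""
    if bind_code == 0:
        note = f" ({pp_grace} grace logins left)" if pp_grace > 0 else ""
        return True, "bound; password change may proceed" + note
    if pp_error == "Password expired":
        return False, "password expired and no grace logins left: needs reset by a privileged LDAP user"
    return False, f"bind failed with code {bind_code}: refuse to send the exop unauthenticated"


if __name__ == "__main__":
    for f in find_exop_after_bind_failure(SAMPLE_LOG):
        ok, why = chpass_decision(f["bind_failure"]["code"],
                                  (f["ppolicy"] or {}).get("error", ""),
                                  (f["ppolicy"] or {}).get("grace", -1))
        print(f"RID#{f['rid']} {f['bind_dn']}: bind {f['bind_failure']}, exop {f['exop_result']}; "
              f"should proceed: {ok} ({why})")
```

Run against a real sssd_<domain>.log (debug_level 9 or higher so the 0x1000 and 0x0400 lines are present); a non-empty result on the affected sssd-2.6.2 build is the symptom, and on the fixed build the exop line should no longer appear after a failed BIND.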

Comment 5 Alexey Tikhonov 2023-06-07 16:04:43 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6769

Comment 6 Alexey Tikhonov 2023-06-19 18:43:24 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6769

* `master`
    * d99aa97dae7236fd056e21ea3d48997edf1b9823 - ldap: return failure if there are no grace logins left
* `sssd-2-9`
    * 895d194f3869ee7fa633fca51163afd2cea513c7 - ldap: return failure if there are no grace logins left

