The issue can be reproduced with s390x arch but not with x86_64. The ipa-pwd-extop plugin exits too early, considering that it should not handle the operation. The relevant code is in https://github.com/freeipa/freeipa/blob/f1ed46eb93bcb5bc87783dc3daad72faffc7c6af/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c#L1448-L1458: ----- 8< ----- ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn); ret |= slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method); ret |= slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &credentials); if (ret) { LOG_FATAL("slapi_pblock_get failed!?\n"); return 0; } /* We're only interested in simple authentication. */ if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) return 0; <<< Early exit ... if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq)) <<< Processing of OTP bind goto invalid_creds; ----- 8< ----- With a 390x arch, the debugger shows that method = 0, which makes the plugin exit early without processing the OTP part. With a x86_64 arch, the debugger shows that method = 128, which corresponds to LDAP_AUTH_SIMPLE - defined in /usr/include/ldap.h: #define LDAP_AUTH_SIMPLE ((ber_tag_t) 0x80U) /* context specific + primitive */
Upstream ticket: https://pagure.io/freeipa/issue/9402
is this similar to an older issue with https://github.com/python-ldap/python-ldap/pull/416 https://bugzilla.redhat.com/show_bug.cgi?id=1931865#c68 ?
(In reply to Marc Sauton from comment #4) > is this similar to an older issue with > https://github.com/python-ldap/python-ldap/pull/416 > Partnerhttps://bugzilla.redhat.com/show_bug.cgi?id=1931865#c68 > ? It's similar in the fact that casting a ber_tag_t or ber_len_t to an int on s390x would produces unwanted result. But the issue was in a different part of the code.
Fixed upstream master: https://pagure.io/freeipa/c/7060e3a031fb4e4cdf85f616f1e1a3435d61e696
Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/631dd72369385b0793e5bc0e019c088b4f1e2bb3 Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/a7e167154b889f75463ccc9cd91a75c1afb22da9
Test results without fix: Using : ipa-server-4.10.2-1.el9.s390x .... 2023-07-04T12:40:11+0000 FAILED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test002 2023-07-04T12:40:11+0000 FAILED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test003 2023-07-04T12:40:11+0000 FAILED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test004 2023-07-04T12:40:11+0000 FAILED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test013 2023-07-04T12:40:11+0000 ====== 4 failed, 29 passed, 25 xfailed, 10 warnings in 685.95s (0:11:25) ======= ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Test results with test compose: Using :ipa-server-4.10.2-2.el9.s390x 2023-07-04T10:17:36+0000 =========================== short test summary info ============================ 2023-07-04T10:17:36+0000 PASSED src/otp/test_0002_radius_master_tests.py::TestRadiusfunction::test_radius_0001 ... ... ... 2023-07-04T10:17:36+0000 PASSED src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test016 2023-07-04T10:17:36+0000 XFAIL src/otp/test_0001_otp_master_tests.py::TestOTPfunction::test_otp_0001 ... ... 2023-07-04T10:17:36+0000 XFAIL src/otp/test_0001_otp_master_tests.py::TestOTPfunction::test_otp_0047 2023-07-04T10:17:36+0000 reason: oathtool package installation failed, check repo links for further debugging 2023-07-04T10:17:36+0000 =========== 33 passed, 25 xfailed, 10 warnings in 745.46s (0:12:25) ============ Based on this marking bug as verified tested.
Verified using nightly build ipa-server-4.10.2-2.el9.s390x Test result: ... ... 2023-07-11T10:20:45+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test002 PASSED [ 75%] 2023-07-11T10:21:17+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test003 PASSED [ 77%] 2023-07-11T10:21:44+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test004 PASSED [ 79%] ... ... 2023-07-11T10:22:45+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test013 PASSED [ 94%] 2023-07-11T10:22:46+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test014 PASSED [ 96%] 2023-07-11T10:22:46+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test015 PASSED [ 98%] 2023-07-11T10:22:47+0000 src/otp/test_0004_authentication_indicators.py::TestAuthIndent::test016 PASSED [100%] 2023-07-11T10:22:47+0000 =========== 33 passed, 25 xfailed, 10 warnings in 709.79s (0:11:49) ============ 2023-07-11T10:22:49+0000 AVC not found 2023-07-11T10:22:49+0000 AVC not found 2023-07-11T10:22:49+0000 RETURN CODE: 0