Bug 2218132 - Satellite LDAP Authentication with AD does not allow bind password over 60 characters
Summary: Satellite LDAP Authentication with AD does not allow bind password over 60 ch...
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: LDAP
Version: 6.14.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-28 09:33 UTC by Lukáš Hellebrandt
Modified: 2023-10-05 12:25 UTC
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-10-05 12:25:20 UTC
Target Upstream Version:
Embargoed:
Links: Red Hat Issue Tracker SAT-18702 (last updated 2023-06-29 10:19:41 UTC)

Description Lukáš Hellebrandt 2023-06-28 09:33:35 UTC
Description of problem:
After fixing bug 2077081, the LDAP password limit is now not 60, but 69 characters. There should be no limit.

Version-Release number of selected component (if applicable):
Sat 6.14

How reproducible:
Deterministic

Steps to Reproduce:
Create users in Active Directory: qwerty (with a 78-character password), qwerty66 (with a 66-character password), qwerty69 (with a 69-character password).
Attempt to use these users as the bind users for an LDAP auth source. This is not about logging in as those users, but rather about using those users to log in to the AD itself to verify a user being logged in.
1) In WebUI: Administration -> Authentication Sources -> LDAP -> Create
2) On the first tab fill in the necessary data, select Active Directory as type (make sure you have the right cert for LDAPS, use update-ca-trust workflow)
3) On the second tab, use login <DOMAIN>\<user>, in my case: AD2019\qwerty and fill in the rest
4) On the third tab, I had to set login mapping from uid to cn
5) Submit
=> Failure, second tab's Password field marked red with text "is too long (maximum is 69 characters)".
6) Repeat 3,4,5 for users qwerty66 and qwerty69
=> OK
7) Attempt to set a 70-character password
=> Failure as above
8) Finally, Submit with some account that works, I used qwerty69
9) Logout
10) Login using any <user>, I used qwerty66
=> OK
11) In hammer:
 hammer auth-source ldap update --id <id> --account-password <password_of_qwerty_user>
Could not update the Auth Source:
  Account password is too long (maximum is 69 characters)
=> OK

Actual results:
Password with length 70 or more can't be used for binding an LDAP user in auth source

Expected results:
Any password should be permitted

Comment 1 Adam Ruzicka 2023-10-05 12:25:20 UTC
This is a valid bug. However, the fix would need to land in a third-party library (net-ldap), where we don't have any permissions and where we don't know the codebase at all, so it would be a somewhat larger time investment. There are also no customer cases attached - the only customer I'm aware of that complained about this issue was satisfied with 64 characters. With that being said, I'll go ahead and close this one, since we do not believe it will be fixed in the next multiple releases due to the priority of this bug as compared to others. If this has a large impact on you, please feel free to re-open it and provide additional information to help us better prioritize it.