Bug 238504
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | winsync replays ADS-originated password change to ADS | | |
| Product: | Red Hat Directory Server | Reporter: | Ulf Weltman <ulf.weltman> |
| Component: | Replication - General | Assignee: | Nathan Kinder <nkinder> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.1 | CC: | nkinder |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-06 14:29:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 240316 | | |
| Attachments: | | | |
Description
Ulf Weltman
2007-04-30 21:36:47 UTC
> Maybe windows_replay_update() can attempt a bind to ADS using the new password
> in the case of password changes. If the bind fails, don't send_password_modify().
What I meant to say was, if the bind succeeds (the password already exists in
ADS), don't send_password_modify().
Created attachment 208771 [details]
CVS Diffs
This fix first checks if AD has a new password before sending the password
modification over to AD. It does this check by performing a bind as the user
with the new password. If the bind succeeds, we skip sending the password
modification to AD.
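The check described in the comment above, as an added example that models the replay decision; it is not RHDS/389-ds code. A FakeAD class with simple_bind and password_modify stands in for the domain controller, and the DN and passwords are made up for the model. check_first=False reproduces the pre-fix behaviour, where a password that originated in AD (and reached DS through PassSync) is sent straight back to AD; check_first=True is the fixed behaviour. The fake also charges each failed bind to the user, as a real DC counts a failed simple bind as a bad password attempt, so the cost of the probe on a genuinely DS-originated change is visible.

```python
"""Model of the winsync replay decision for password changes.

Added example, not code from 389-ds/RHDS. It reproduces the logic the fix
describes: before replaying a userPassword change to AD, bind to AD as the
user with the new password; if that bind succeeds AD already holds the
password (it originated there), so the password modify is not sent.
FakeAD and every name below are stand-ins chosen for this example.
"""
from dataclasses import dataclass, field


@dataclass
class FakeAD:
    """In-memory stand-in for a domain controller (constructed for the example).

    passwords     : dn -> current password
    bad_pwd_count : dn -> failed simple binds, like badPwdCount on a real DC
    resets        : every password modify that reached AD, in order
    """
    passwords: dict = field(default_factory=dict)
    bad_pwd_count: dict = field(default_factory=dict)
    resets: list = field(default_factory=list)

    def simple_bind(self, dn, password):
        """True if dn/password is valid. A failed bind is charged to the user,
        as a real DC does, so probing with a wrong password has a visible cost."""
        if self.passwords.get(dn) == password:
            return True
        self.bad_pwd_count[dn] = self.bad_pwd_count.get(dn, 0) + 1
        return False

    def password_modify(self, dn, new_password):
        """Stand-in for the password reset winsync sends over the agreement."""
        self.resets.append((dn, new_password))
        self.passwords[dn] = new_password
        return "success"


def replay_password_change(ad, ad_dn, new_password, check_first=True):
    """Replay one DS-side userPassword change to AD.

    check_first=True is the fixed behaviour: probe AD with a bind as the user
    and skip the modify when AD already accepts the new password.
    check_first=False is the pre-fix behaviour: always send the modify.
    """
    if check_first and ad.simple_bind(ad_dn, new_password):
        return "skipped"   # DS logs "AD already has the current password ..."
    return ad.password_modify(ad_dn, new_password)


def simulate(check_first=True):
    """Run one AD-originated and one DS-originated change through the replay
    path and report what reached AD."""
    ad = FakeAD()
    dn = "CN=rhds_999,CN=Users,DC=example,DC=com"   # assumed test DN
    ad.passwords[dn] = "Initial1"

    # 1. The user changes the password on the AD side. PassSync copies it to
    #    DS, which records a userPassword modify that winsync later replays.
    ad.passwords[dn] = "Change123"
    ad_originated = replay_password_change(ad, dn, "Change123", check_first)

    # 2. The password is changed on the DS side; AD does not have it yet.
    ds_originated = replay_password_change(ad, dn, "Other456", check_first)

    return {
        "ad_originated": ad_originated,
        "ds_originated": ds_originated,
        "resets_sent_to_ad": list(ad.resets),
        "bad_pwd_count": ad.bad_pwd_count.get(dn, 0),
        "ad_password": ad.passwords[dn],
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("check_first=%s -> %s" % (mode, simulate(mode)))
```

With the check on, the AD-originated change is skipped and only the DS-originated one produces a reset in AD; with it off, the AD-originated password is reset back onto AD a second time. Two practical consequences of the probe: it sends the candidate password to AD in a simple bind, so the agreement has to run over SSL (as the verification setup below requires), and every genuinely DS-originated change costs the user one failed bind on the AD side before the modify is sent.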
Looks good. Very smart!

Checked into ldapserver (HEAD). Thanks for the review Noriko!

Checking in windows_connection.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_connection.c,v <-- windows_connection.c
new revision: 1.17; previous revision: 1.16
done
Checking in windows_protocol_util.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v <-- windows_protocol_util.c
new revision: 1.35; previous revision: 1.34
done
Checking in windowsrepl.h;
/cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windowsrepl.h,v <-- windowsrepl.h
new revision: 1.14; previous revision: 1.13
done

Verification test:

Environment setup:
1) set up niobe.dsdev.sjc.redhat.com and mirror.dsdev.sjc.redhat.com (Windows machine)
2) enable replication on niobe, set up an agreement between those two hosts (SSL has to be enabled, certificates have to be exchanged)

Test:
1) create a new user on the RHDS side, no password is given for this entry
2) monitor and ensure this entry appears on the Active Directory side
3) enable this account, and reset the password on the Active Directory side
4) monitor the password sync manager on the Active Directory side.
5) perform a search against both the niobe and mirror servers to ensure that a search with the new password is valid; the test and the results returned from niobe and mirror are as below:

# search Red Hat Directory Server
/usr/lib64/mozldap6/ldapsearch -h niobe.dsdev.sjc.redhat.com -p 389 -D "uid=rhds_999,ou=People, dc=dsdev, dc=sjc, dc=redhat, dc=com" -w "Change123" -s sub -b "dc=dsdev,dc=sjc,dc=redhat,dc=com" "uid=rhds_999" "*"

Response as below:
version: 1
dn: uid=rhds_999,ou=People, dc=dsdev, dc=sjc, dc=redhat, dc=com
ntUserLastLogon: 0
ntUserLastLogoff: 0
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: rhds_999
sn: rhds_999
description: first inject into ldap from RH Directory side, creation id: rhds_999
givenName: rhds_999
cn: rhds_999
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: rhds_999
ntUniqueId: 3ca0300627fab949ab816b871ae74e98

# search Active Directory (same entry)
/usr/lib64/mozldap6/ldapsearch -h mirror.dsdev.sjc.redhat.com -p 636 -D 'CN=rhds_999,CN=Users,DC=dsdev,DC=sjc,DC=redhat,DC=com' -w 'Change123' -b "cn=users,dc=dsdev,dc=sjc,dc=redhat,dc=com" -Z -P /etc/dirsrv/slapd-niobe/ -W Secret123 "cn=rhds_999" "*"

Response as below:
version: 1
dn: CN=rhds_999,CN=Users,DC=dsdev,DC=sjc,DC=redhat,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: rhds_999
sn: rhds_999
description: first inject into ldap from RH Directory side, creation id: rhds_999
givenName: rhds_999
distinguishedName: CN=rhds_999,CN=Users,DC=dsdev,DC=sjc,DC=redhat,DC=com
instanceType: 4
whenCreated: 20071101000137.0Z
whenChanged: 20071102210444.0Z
uSNCreated: 39989
uSNChanged: 95987
name: rhds_999
objectGUID:: PKAwBif6uUmrgWuHGudOmA==
userAccountControl: 544
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128385110844687500
primaryGroupID: 513
operatorCount: 0
objectSid:: AQUAAAAAAAUVAAAAU2jpE8gVqNz7qd8PmAgAAA==
adminCount: 0
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: rhds_999
sAMAccountType: 805306368
lastKnownParent: CN=Users,DC=dsdev,DC=sjc,DC=redhat,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=dsdev,DC=sjc,DC=redhat,DC=com
dSCorePropagationData: 20071101001901.0Z
dSCorePropagationData: 20071101001901.0Z
dSCorePropagationData: 20071101001901.0Z
dSCorePropagationData: 20071101001818.0Z
dSCorePropagationData: 16010108151056.0Z

=====
More details are coming ...

Verification test: PASS (Manual test)
Environment setup (continued from the last post)
Active Directory has to have special settings. Assuming user "rhds_999" is used for
testing, the following configuration has to be done on the AD side:
(1) user "rhds_999" has to be a member of the "Administrators" group
(2) assign rights to this user so that it can log in to the Active Directory server
as a local user
(3) enable the password policy so that the last "N" passwords in the history can NOT be
re-used (in my test, N=4)
Actual Test:
(1) create an account on AD, user login name is: "rhds_999"
(2) configure this account so that this user can log in to the Active Directory
server as a local user
(3) press "ctrl-alt-del" to bring up the password change shortcut
(4) keep changing the password 5 times, and on the 5th time, try to use the last 4
passwords in the history.
Verify: (1) the AD password constraint works as expected
(2) on the DS side, there are log messages that clearly state that for one
password change on the AD side there is one change on the DS side and there
is NO password sync back to the AD side.
===========================================================================
Log message on DS side:
-------------------------------------------------------------------
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): binddn = cn=administrator, cn=Users,dc=dsdev,dc=sjc,dc=redhat,dc=com, passwd = {DES}VILRDMrYXfx1AIIRoWfXOA==
[05/Nov/2007:16:23:18 -0800] - windows_conn_connect : detected Win2k3 peer
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): No linger to cancel on the connection
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): State: ready_to_acquire_replica -> sending_updates
[05/Nov/2007:16:23:18 -0800] - _cl5PositionCursorForReplay (agmt="cn=to_mirror" (mirror:636)): Consumer RUV:
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): {replicageneration} 472a785d000000010000
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): {replica 1 ldap://niobe.dsdev.sjc.redhat.com:389} 472a78ba000000010000 472fb354000000010000 472fb354
[05/Nov/2007:16:23:18 -0800] - _cl5PositionCursorForReplay (agmt="cn=to_mirror" (mirror:636)): Supplier RUV:
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): {replicageneration} 472a785d000000010000
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): {replica 1 ldap://niobe.dsdev.sjc.redhat.com:389} 472a78ba000000010000 472fb3f5000100010000 472fb3f6
[05/Nov/2007:16:23:18 -0800] agmt="cn=to_mirror" (mirror:636) - session start: anchorcsn=472fb354000000010000
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - changelog program - agmt="cn=to_mirror" (mirror:636): CSN 472fb354000000010000 found, position set for replay
[05/Nov/2007:16:23:18 -0800] agmt="cn=to_mirror" (mirror:636) - load=1 rec=1 csn=472fb3f5000000010000
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): windows_replay_update: Looking at modify operation local dn="uid=rhds_999,ou=people,dc=dsdev,dc=sjc,dc=redhat,dc=com" (ours,user,not group)
[05/Nov/2007:16:23:18 -0800] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): windows_replay_update: Processing modify operation local dn="uid=rhds_999,ou=people,dc=dsdev,dc=sjc,dc=redhat,dc=com" remote dn="<GUID=3ca0300627fab949ab816b871ae74e98>"
[05/Nov/2007:16:23:18 -0800] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): AD already has the current password for CN=rhds_999,CN=Users,DC=dsdev,DC=sjc,DC=redhat,DC=com. Not sending password modify to AD.
[05/Nov/2007:16:23:18 -0800] agmt="cn=to_mirror" (mirror:636) - load=1 rec=2 csn=472fb3f5000100010000
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): windows_replay_update: Looking at modify operation local dn="uid=rhds_999,ou=people,dc=dsdev,dc=sjc,dc=redhat,dc=com" (ours,user,not group)
[05/Nov/2007:16:23:18 -0800] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): windows_replay_update: Processing modify operation local dn="uid=rhds_999,ou=people,dc=dsdev,dc=sjc,dc=redhat,dc=com" remote dn="<GUID=3ca0300627fab949ab816b871ae74e98>"
[05/Nov/2007:16:23:18 -0800] agmt="cn=to_mirror" (mirror:636) - clcache_load_buffer: rc=-30990
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): No more updates to send (cl5GetNextOperationToReplay)
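The verification step above relies on reading the DS error log by hand to confirm that a password change which originated on the AD side was recorded once on the DS side and not replayed back. The following is an added example, not RHDS/389-ds code, that does that reading mechanically: it groups the replication-log messages under each "load=... rec=... csn=..." record and reports which records ended with the "AD already has the current password ... Not sending password modify to AD" message. SAMPLE_LOG is constructed from the excerpt above, with each wrapped entry joined back onto a single line as the server writes it.

```python
"""Scan DS error-log lines for winsync password replays that were withheld.

Added example, not RHDS/389-ds code. Input is the errors log with replication
logging enabled, in the format shown in this bug. Messages between two
"load=... rec=... csn=..." lines belong to the earlier record; a record with
no skip message was either passed through to AD or was not a password change
(the log lines shown here do not distinguish those two cases).
"""
import re

REC_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \([^)]*\) - load=\d+ rec=(?P<rec>\d+) csn=(?P<csn>[0-9a-f]+)')
PROC_RE = re.compile(
    r'Processing modify operation local dn="(?P<local>[^"]+)" remote dn="(?P<remote>[^"]+)"')
SKIP_RE = re.compile(
    r'AD already has the current password for (?P<dn>.+?)\. Not sending password modify to AD\.')
END_RE = re.compile(r'No more updates to send')

# Constructed from the log excerpt in this bug; each entry is one line.
SAMPLE_LOG = """\
[05/Nov/2007:16:23:18 -0800] agmt="cn=to_mirror" (mirror:636) - session start: anchorcsn=472fb354000000010000
[05/Nov/2007:16:23:18 -0800] agmt="cn=to_mirror" (mirror:636) - load=1 rec=1 csn=472fb3f5000000010000
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): windows_replay_update: Looking at modify operation local dn="uid=rhds_999,ou=people,dc=dsdev,dc=sjc,dc=redhat,dc=com" (ours,user,not group)
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): windows_replay_update: Processing modify operation local dn="uid=rhds_999,ou=people,dc=dsdev,dc=sjc,dc=redhat,dc=com" remote dn="<GUID=3ca0300627fab949ab816b871ae74e98>"
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): AD already has the current password for CN=rhds_999,CN=Users,DC=dsdev,DC=sjc,DC=redhat,DC=com. Not sending password modify to AD.
[05/Nov/2007:16:23:18 -0800] agmt="cn=to_mirror" (mirror:636) - load=1 rec=2 csn=472fb3f5000100010000
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): windows_replay_update: Processing modify operation local dn="uid=rhds_999,ou=people,dc=dsdev,dc=sjc,dc=redhat,dc=com" remote dn="<GUID=3ca0300627fab949ab816b871ae74e98>"
[05/Nov/2007:16:23:18 -0800] agmt="cn=to_mirror" (mirror:636) - clcache_load_buffer: rc=-30990
[05/Nov/2007:16:23:18 -0800] NSMMReplicationPlugin - agmt="cn=to_mirror" (mirror:636): No more updates to send (cl5GetNextOperationToReplay)
""".splitlines()


def summarize_replay(lines):
    """Return one dict per replayed changelog record, in log order."""
    records, current = [], None
    for line in lines:
        m = REC_RE.search(line)
        if m:
            current = {"agmt": m["agmt"], "rec": int(m["rec"]), "csn": m["csn"],
                       "local_dn": None, "remote_dn": None,
                       "password_skipped_for": None}
            records.append(current)
        elif END_RE.search(line):
            current = None          # session finished; later lines start a new one
        elif current is not None:
            m = PROC_RE.search(line)
            if m:
                current["local_dn"], current["remote_dn"] = m["local"], m["remote"]
            m = SKIP_RE.search(line)
            if m:
                current["password_skipped_for"] = m["dn"]
    return records


def suppressed_password_replays(lines):
    """Map each CSN whose password modify was withheld to the AD DN it targeted."""
    return {r["csn"]: r["password_skipped_for"]
            for r in summarize_replay(lines) if r["password_skipped_for"]}


if __name__ == "__main__":
    for rec in summarize_replay(SAMPLE_LOG):
        print(rec)
    print(suppressed_password_replays(SAMPLE_LOG))
```

On the excerpt above this yields two records for the one AD-side password change: CSN 472fb3f5000000010000, whose password modify was withheld for CN=rhds_999,CN=Users,DC=dsdev,DC=sjc,DC=redhat,DC=com, and CSN 472fb3f5000100010000, which carried no skip message. Point the same scanner at a full errors log to check that every password change made on the AD side during a test run shows up with exactly one withheld replay.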