Description of problem:
We have a database where all of the user credentials are stored under a single hierarchy.
Example: uid=jdoe,dc=user,dc=example,dc=com

We have a second directory hierarchy used to maintain server information where we use CoS to pull the user information from the user hierarchy above.
Example: uid=jdoe,host=myserver,dc=servers,dc=example,dc=com

CoS is configured to and you attempt to authenticate to the database using uid=jdoe,host=myserver, ... you receive the error message "Inappropriate Authentication". However, if you manually copy the userpassword attribute from the user hierarchy to the user entry under the server hierarchy you are able to authenticate.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.5-1.el5
389-ds-console-doc-1.2.0-5.el5
389-adminutil-1.1.8-4.el5
389-admin-1.1.10-1.el5
389-dsgw-1.1.4-1.el5
389-ds-console-1.2.0-5.el5
389-admin-console-doc-1.1.4-3.el5
389-admin-console-1.1.4-3.el5
389-console-1.1.3-6.el5
389-ds-1.1.3-6.el5

How reproducible:
Occurs all the time...

Steps to Reproduce:
1. Create two directory hierarchies

    dc=user,dc=example,dc=com
    dc=servers,dc=example,dc=com

2. Add a posixaccount user to the user hierarchy and set the password

    dn: uid=jdoe,dc=user,dc=example,dc=com
    objectclass: posixaccount
    uid: jdoe
    uidnumber: 1000
    gidnumber: 1000
    cn: John Doe
    gecos: John Doe
    homedirectory: /home/jdoe
    loginshell: /bin/bash
    userpassword: <blah>

3. Create an indirect CoS definition

    dn: cn=mapToUser,dc=servers,dc=example,dc=com
    cosIndirectSpecifier: associatedname
    objectClass: top
    objectClass: ldapsubentry
    objectClass: cossuperdefinition
    objectClass: cosIndirectDefinition
    cosAttribute: userpassword
    cn: mapToUser

4. Create a user under the server hierarchy

    dn: uid=jdoe,dc=servers,dc=example,dc=com
    objectclass: posixaccount
    uid: jdoe
    uidnumber: 1000
    gidnumber: 1000
    cn: John Doe
    gecos: John Doe
    homedirectory: /home/jdoe
    loginshell: /bin/bash
    userpassword: <blah>
    associatedName: uid=jdoe,dc=user,dc=example,dc=com

5. Perform an ldapsearch using the jdoe entry under the server hierarchy

    ldapsearch -x -h localhost -D "uid=jdoe,dc=servers,dc=example,dc=com" -w <pw> -b <blah> ...

Actual results:
Ldapsearch is unable to authenticate, returning LDAP ERROR 48 "Inappropriate Authentication"

Expected results:
ldapsearch to return the search results.

Additional info:
Upstream ticket: https://fedorahosted.org/389/ticket/62
This is an enhancement to COS. COS does not have any kind of pre-bind operation plugin function to "add" a virtual password - it is strictly a postoperation plugin.
Per triage, set to FUTURE.
This bug has been unresolved for a long time, and it is not a priority to fix. This bug is being closed since there is not a pressing reason to address it, though the upstream ticket will remain open in case someone in the community is compelled to provide a patch.
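Added example (not part of the bug report or of 389 Directory Server): because the report shows that a simple bind fails when userpassword is supplied only by indirect CoS and works once the attribute is copied onto the entry, this Python script scans an LDIF export for entries in that state. The sample LDIF is constructed, the function names are hypothetical, and it assumes the CoS scope is the subtree under the definition entry's parent.

```python
# Constructed sample: one indirect CoS definition, one source user, two server entries.
SAMPLE_LDIF = """\
dn: cn=mapToUser,dc=servers,dc=example,dc=com
objectClass: cosIndirectDefinition
cosIndirectSpecifier: associatedname
cosAttribute: userpassword

dn: uid=jdoe,dc=user,dc=example,dc=com
userpassword: {SSHA}constructed-placeholder

dn: uid=jdoe,dc=servers,dc=example,dc=com
associatedName: uid=jdoe,dc=user,dc=example,dc=com

dn: uid=asmith,dc=servers,dc=example,dc=com
associatedName: uid=asmith,dc=user,dc=example,dc=com
userpassword: {SSHA}constructed-copy
"""

def norm(dn):  # lowercase and drop spaces around RDN separators
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}} (no base64 or folded lines)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm(attrs.pop("dn")[0])] = attrs
    return entries

def virtual_only_password_entries(entries):
    """DNs whose userpassword would come only from indirect CoS (no stored value)."""
    flagged = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        cos_attrs = {v.split()[0].lower() for v in attrs.get("cosattribute", []) if v}
        if "cosindirectdefinition" not in classes or "userpassword" not in cos_attrs:
            continue
        scope = dn.partition(",")[2]  # assumption: CoS applies below the definition's parent
        spec = (attrs.get("cosindirectspecifier") or [""])[0].lower()
        for target, t in entries.items():
            if target != dn and target.endswith("," + scope) and spec in t and "userpassword" not in t:
                flagged.append(target)
    return sorted(flagged)
```

Entries it returns are the ones that, per this report, cannot simple-bind until a real userpassword is stored on them.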