Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): ipa-server-2.0.0-25.el6.x86_64 ipa-admintools-2.0.0-25.el6.x86_64 How reproducible: Always Steps to Reproduce: 1. LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h bumblebee.lab.eng.pnq.redhat.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com New password: Secret_123 Re-enter new password: Secret_123 Enter LDAP Password: Secret123 Actual results: /var/log/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM/errors: [09/Jun/2011:09:57:42 -0400] - Entry "uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" -- attribute "krbExtraData" not allowed Expected results: Seems "sysaccounts" does not require this attritbue. Additional info: # ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com # extended LDIF # # LDAPv3 # base <uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # sudo, sysaccounts, etc, lab.eng.pnq.redhat.com dn: uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com objectClass: account objectClass: simplesecurityobject objectClass: top uid: sudo userPassword:: e1NTSEF9V2QvS1ZxUGdiUFFMMnJLVStUcFlRd0d4eStBSlhsbmJKZXNrckE9PQ= =
Question: does the password actually get set properly and work?
(In reply to comment #3) > Question: does the password actually get set properly and work? Yes. -sh-4.1$ sudo -l LDAP Config Summary =================== uri ldap://bumblebee.lab.eng.pnq.redhat.com/ uri ldap://bumblebee.lab.eng.pnq.redhat.com ldap_version 3 sudoers_base ou=SUDOers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com binddn uid=sudo,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com bindpw Secret_123 bind_timelimit 5000 timelimit 15 ssl no tls_checkpeer (yes) tls_cacertfile /etc/ipa/ca.crt tls_cacertdir /etc/ipa =================== sudo: ldap_initialize(ld, ldap://bumblebee.lab.eng.pnq.redhat.com/ ldap://bumblebee.lab.eng.pnq.redhat.com) sudo: ldap_set_option: debug -> 0 sudo: ldap_set_option: ldap_version -> 3 sudo: ldap_set_option: tls_checkpeer -> 1 sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt sudo: ldap_set_option: tls_cacertdir -> /etc/ipa sudo: ldap_set_option: timelimit -> 15 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5) sudo: ldap_sasl_bind_s() ok [...]
Fixed upstream: ipa-4-2: d5180ee973c4e9f30ec64fd2c1237f33d00af918 Return default TL_DATA is krbExtraData is missing fec0f4621bd21c9a0f2f6cda11ade96271a10f5a FIX: ipa_kdb_principals: add missing break statement
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Still seeing error on ipa-server-4.4.0-9.el7: [root@auto-hv-01-guest02 ~]# cat /var/log/dirsrv/slapd-TESTRELM-TEST/errors | grep krbExtraData [root@auto-hv-01-guest02 ~]# [root@auto-hv-01-guest02 ~]# LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h auto-hv-01-guest02.testrelm.test -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm,dc=test New password: Re-enter new password: Enter LDAP Password: [root@auto-hv-01-guest02 ~]# cat /var/log/dirsrv/slapd-TESTRELM-TEST/errors | grep krbExtraData[18/Sep/2016:15:16:35.175406274 -0400] Entry "uid=sudo,cn=sysaccounts,cn=etc,dc=testrelm,dc=test" -- attribute "krbExtraData" not allowed
The issue probably seems to be in the ipa-pwd-extop plugin itself as it seems that it tries to set 'krbExtraData' unconditionally regardless of whether the target DN belongs to Kerberos principal or not (see [1]): I was able to produce a simple patch to silence this error but I will need to do some more testing to be sure it does not break anything else. [1] https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c#n598
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6362
RHEL-7.7 is already near the end of a Development Phase and development is being wrapped up. I am bulk-moving to RHEL 8 the Bugs which were already triaged, but to which we did not commit (without devel_ack) and we cannot keep them even as a stretch goal for RHEL-7.7. If you believe this particular bug should be reconsidered for 7.7, please let us know.
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in future. Time showed that we did not have such capacity, nor have it now nor will have in the foreseeable future. In such a situation keeping it in the backlog is misleading and setting the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream is always welcome! Thank you for understanding. Red Hat Enterprise Linux Identity Management Team