Bug 824490 - WinSync users who have First.Last casing creates users who can have their password set
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Namita Soman
Reported: 2012-05-23 11:20 EDT by Dmitri Pal
Modified: 2015-02-14 09:10 EST

Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Identity Management enforces lowercase for all user names (uid). Some operations, such as password change, may fail when a user has a non-lowercase user name. However, a winsync agreement with Active Directory may replicate such a user into the Identity Management database.
Consequence: The Identity Management administrator cannot change or reset the password of such a user.
Fix: The Identity Management winsync plugin now always converts both the user name and the user part of the Kerberos principal to lower case.
Result: The administrator can now also change the password of users replicated from Active Directory via a winsync agreement whose user name is not lowercase.
Last Closed: 2013-02-21 04:13:23 EST

Description Dmitri Pal 2012-05-23 11:20:05 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2756

Due to the normal lowercase enforcement of uids, FreeIPA can't properly set the password for a user who was imported via a WinSync agreement. The code tries to search for a lowercase user.name@EXAMPLE.COM and yields none, resulting in:

 ipa passwd First.Last
 New Password: 
 Enter New Password again to verify: 
 Not Found
Comment 1 Martin Kosek 2012-05-25 03:50:12 EDT
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/74293426d9b88dad1fffa1762d2be83b1eb45d02

The user name in the uid attribute and in krbPrincipalName is now converted to lower case, and thus a password can be set for that user.
Comment 3 Steeve Goveas 2013-01-17 10:29:58 EST
[root@dell-pe1950-03 ~]# ldapsearch -x -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -b "CN=First Last,CN=users,DC=adrelm,DC=com" 
# extended LDIF
#
# LDAPv3
# base <CN=First Last,CN=users,DC=adrelm,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# First Last, Users, adrelm.com
dn: CN=First Last,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: First Last
sn: Last
givenName: First
distinguishedName: CN=First Last,CN=Users,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20130117151241.0Z
whenChanged: 20130117151308.0Z
displayName: First Last
uSNCreated: 446609
uSNChanged: 446615
name: First Last
objectGUID:: i1VUl3NYpU222rYTlSTNtg==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130029091615312500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAiFnzZEqY6qC0I54HyAYAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: First.Last
sAMAccountType: 805306368
userPrincipalName: First.Last@adrelm.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130029091888437500

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@dell-pe1950-03 ~]# ipa user-find First.Last
--------------
  Login shell: /bin/sh
  UID: 555000011
  GID: 555000011
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

[root@dell-pe1950-03 ~]# ipa passwd First.Last
New Password: 
Enter New Password again to verify: 
----------------------------------------------
Changed password for "first.last@TESTRELM.COM"
----------------------------------------------

[root@dell-pe1950-03 ~]# ssh -l first.last dell-pe1950-03.testrelm.com
first.last@dell-pe1950-03.testrelm.com's password: 
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user first.last.
Current Password: 
New password: 
BAD PASSWORD: is too similar to the old one
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to dell-pe1950-03.testrelm.com closed.
[root@dell-pe1950-03 ~]#

Verified in version ipa-server-3.0.0-8.el6.x86_64
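The description explains the failure mechanism (IPA searches for the lowercased principal, so an entry replicated as First.Last@REALM is never found) and comment 1 states the fix (winsync lowercases both uid and the principal's user part). The following added example, which is not FreeIPA code and not part of this bug report, models both: it parses an ldapsearch-style LDIF dump like the one in the verification comment, derives the IPA uid and krbPrincipalName the way the pre-fix and fixed plugin would, shows the password-change lookup failing against the pre-fix entry and succeeding against the fixed one, and includes an audit function an administrator could run over existing entries to find accounts that an unpatched winsync left with mixed-case names. The LDIF sample is constructed (modelled on the AD entry above), the realm TESTRELM.COM is taken from the session above, and the exact-match behaviour of the principal lookup is an assumption based on the description's wording.

```python
import base64
import re

# Constructed sample, modelled on the AD entry in the verification comment:
# only the attributes the mapping needs, with one base64 ("::") value and one
# folded continuation line to exercise the parser.
SAMPLE_LDIF = """\
# First Last, Users, adrelm.com
dn: CN=First Last,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: user
cn: First Last
objectGUID:: i1VUl3NYpU222rYTlSTNtg==
sAMAccountName: First.Last
userPrincipalName: First.Last@adre
 lm.com

# search result
search: 3
result: 0 Success
"""

IPA_REALM = "TESTRELM.COM"  # assumed IPA realm, taken from the ssh/passwd session above

_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse an ldapsearch-style LDIF dump into a list of {attr: [values]} dicts.

    Handles '#' comments, '::' base64 values (kept as bytes) and folded
    continuation lines; only records that carry a dn are returned, so the
    trailing 'search:/result:' lines of ldapsearch output are ignored.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # sentinel flushes the last record
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        current.setdefault(attr, []).append(
            base64.b64decode(value) if sep == "::" else value)
    return entries


def winsync_map(ad_entry, realm=IPA_REALM, lowercase=True):
    """Derive the IPA uid and krbPrincipalName that winsync creates from an AD
    entry (hypothetical model). lowercase=False reproduces the pre-fix
    behaviour described in the bug, which kept sAMAccountName's casing."""
    sam = ad_entry["sAMAccountName"][0]
    name = sam.lower() if lowercase else sam
    return {"uid": name, "krbPrincipalName": f"{name}@{realm}"}


def find_principal(ipa_entries, login, realm=IPA_REALM):
    """Model of the password-change lookup from the description: IPA searches
    for the lowercased principal and (assumption) krbPrincipalName is matched
    exactly, so an entry stored as First.Last@REALM is 'Not Found'."""
    wanted = f"{login.lower()}@{realm}"
    return next((e for e in ipa_entries if e["krbPrincipalName"] == wanted), None)


def audit_mixed_case(ipa_entries):
    """Defender's check: report uids or principal user parts that are not
    lowercase, i.e. accounts an unpatched winsync may have left unmanageable."""
    bad = []
    for e in ipa_entries:
        user_part = e["krbPrincipalName"].split("@", 1)[0]
        if e["uid"] != e["uid"].lower() or user_part != user_part.lower():
            bad.append(e["uid"])
    return bad


def demo():
    """Run the whole scenario and return the observable results."""
    ad = parse_ldif(SAMPLE_LDIF)
    before = [winsync_map(e, lowercase=False) for e in ad]   # pre-fix import
    after = [winsync_map(e) for e in ad]                      # fixed import
    return {
        "sam": ad[0]["sAMAccountName"][0],
        "upn": ad[0]["userPrincipalName"][0],
        "guid_len": len(ad[0]["objectGUID"][0]),
        "before_found": find_principal(before, "First.Last") is not None,
        "after_found": find_principal(after, "First.Last") is not None,
        "before_audit": audit_mixed_case(before),
        "after_audit": audit_mixed_case(after),
        "after_principal": after[0]["krbPrincipalName"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows `before_found: False` (the pre-fix entry is never matched by the lowercased search, which is the "Not Found" in the description) and `after_found: True` with the principal `first.last@TESTRELM.COM`, matching the "Changed password for" line in the verification above. The audit function is the part worth keeping: run over real IPA user entries exported with ldapsearch, it lists the accounts that need renaming after the plugin is updated.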
Comment 5 errata-xmlrpc 2013-02-21 04:13:23 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
