Bug 824490 - WinSync users who have First.Last casing creates users who can have their password set
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Namita Soman
Depends On:
Reported: 2012-05-23 15:20 UTC by Dmitri Pal
Modified: 2015-02-14 14:10 UTC (History)

Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Identity Management enforces lowercase for all user names (uid). Some operations, such as a password change, fail when a user has a non-lowercase user name. However, a winsync agreement with Active Directory may replicate such a user into the Identity Management database. Consequence: The Identity Management administrator cannot change or reset the password of such a user. Fix: The Identity Management winsync plugin now always converts both the user name and the user part of the Kerberos principal to lower case. Result: The administrator can now change the password of users replicated from Active Directory via a winsync agreement even when their Active Directory user name is not lowercase.
Clone Of:
Last Closed: 2013-02-21 09:13:23 UTC
Target Upstream Version:


System ID: Red Hat Product Errata RHSA-2013:0528
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: ipa security, bug fix and enhancement update
Last Updated: 2013-02-21 08:22:21 UTC

Description Dmitri Pal 2012-05-23 15:20:05 UTC
This bug is created as a clone of upstream ticket:

Due to the normal lowercase enforcement of uids, FreeIPA can't properly set the password for a user who was imported via a WinSync agreement. The code tries to search for a lowercase user.name@EXAMPLE.COM and yields none, resulting in:

 ipa passwd First.Last
 New Password: 
 Enter New Password again to verify: 
 Not Found

Comment 1 Martin Kosek 2012-05-25 07:50:12 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/74293426d9b88dad1fffa1762d2be83b1eb45d02

User name in uid attribute and krbPrincipalName is now put to lower case and thus a password can be set for that user.

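The following is an added illustration of the mismatch and of the fix described in Comment 1; it is not FreeIPA code and not part of the original bug report. It models two things from this page: the winsync plugin mapping an AD user entry onto an IPA user entry (with and without the lowercase normalization), and the lookup behind `ipa passwd`, which builds a lowercase `user@REALM` principal before searching. The AD attribute values and the realm TESTRELM.COM are taken from the report; the function names (`winsync_map_user`, `find_principal`, `audit_mixed_case`) are hypothetical. The `audit_mixed_case` helper is an extra check a practitioner would want: it scans existing entries for uids or principal user parts that are not lowercase and would therefore be affected. Note that only the user part of the principal is lowercased; the realm keeps its case.

```python
"""Added example: WinSync case normalization and the `ipa passwd` lookup.

Not FreeIPA code. Function names are hypothetical; attribute values and the
realm are taken from the bug report above.
"""

IPA_REALM = "TESTRELM.COM"

# Constructed AD entry, mirroring the attributes shown in the ldapsearch output.
AD_ENTRY = {
    "sAMAccountName": "First.Last",
    "userPrincipalName": "First.Last@adrelm.com",
    "givenName": "First",
    "sn": "Last",
}


def winsync_map_user(ad_entry, realm=IPA_REALM, lowercase=True):
    """Build the IPA-side attributes for a user replicated from AD.

    lowercase=False reproduces the pre-fix behaviour: uid and the user part of
    krbPrincipalName keep AD's casing. lowercase=True models the fix: both are
    normalized, matching what IPA enforces for users created directly.
    Only the user part is lowercased; the realm is left as-is.
    """
    name = ad_entry["sAMAccountName"]
    if lowercase:
        name = name.lower()
    return {
        "uid": name,
        "krbPrincipalName": f"{name}@{realm}",
        "givenName": ad_entry["givenName"],
        "sn": ad_entry["sn"],
    }


def find_principal(directory, login, realm=IPA_REALM):
    """Model of the lookup behind `ipa passwd <login>`.

    IPA lowercases the login before building the principal it searches for,
    so a stored principal with any upper-case character in its user part is
    never matched. Returns the entry or None (the report's "Not Found").
    """
    principal = f"{login.lower()}@{realm}"
    return directory.get(principal)


def audit_mixed_case(entries):
    """Return uids of entries whose uid or principal user part is not lowercase.

    A practitioner's check for existing users that would hit this bug.
    """
    affected = []
    for entry in entries:
        user_part = entry["krbPrincipalName"].split("@", 1)[0]
        if entry["uid"] != entry["uid"].lower() or user_part != user_part.lower():
            affected.append(entry["uid"])
    return affected


def demo():
    """Run the before/after scenario and return the observable results."""
    # Pre-fix: stored as First.Last@TESTRELM.COM, looked up as
    # first.last@TESTRELM.COM, so the password change fails.
    before = winsync_map_user(AD_ENTRY, lowercase=False)
    dir_before = {before["krbPrincipalName"]: before}
    # Post-fix: both sides agree on first.last@TESTRELM.COM.
    after = winsync_map_user(AD_ENTRY, lowercase=True)
    dir_after = {after["krbPrincipalName"]: after}
    return {
        "before_found": find_principal(dir_before, "First.Last") is not None,
        "after_found": find_principal(dir_after, "First.Last") is not None,
        "after_principal": after["krbPrincipalName"],
        "audit_before": audit_mixed_case([before]),
        "audit_after": audit_mixed_case([after]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pre-fix branch reproduces the "Not Found" from the description, and the post-fix branch yields the `first.last@TESTRELM.COM` principal that Comment 3's `ipa passwd` output reports.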
Comment 3 Steeve Goveas 2013-01-17 15:29:58 UTC
[root@dell-pe1950-03 ~]# ldapsearch -x -ZZ -h squab.adrelm.com -D "CN=Administrator,CN=Users,DC=adrelm,DC=com" -w Secret123 -b "CN=First Last,CN=users,DC=adrelm,DC=com" 
# extended LDIF
# LDAPv3
# base <CN=First Last,CN=users,DC=adrelm,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# First Last, Users, adrelm.com
dn: CN=First Last,CN=Users,DC=adrelm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: First Last
sn: Last
givenName: First
distinguishedName: CN=First Last,CN=Users,DC=adrelm,DC=com
instanceType: 4
whenCreated: 20130117151241.0Z
whenChanged: 20130117151308.0Z
displayName: First Last
uSNCreated: 446609
uSNChanged: 446615
name: First Last
objectGUID:: i1VUl3NYpU222rYTlSTNtg==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130029091615312500
primaryGroupID: 513
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: First.Last
sAMAccountType: 805306368
userPrincipalName: First.Last@adrelm.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adrelm,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130029091888437500

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@dell-pe1950-03 ~]# ipa user-find First.Last
  Login shell: /bin/sh
  UID: 555000011
  GID: 555000011
  Account disabled: False
  Password: True
  Kerberos keys available: True
Number of entries returned 1

[root@dell-pe1950-03 ~]# ipa passwd First.Last
New Password: 
Enter New Password again to verify: 
Changed password for "first.last@TESTRELM.COM"

[root@dell-pe1950-03 ~]# ssh -l first.last dell-pe1950-03.testrelm.com
first.last@dell-pe1950-03.testrelm.com's password: 
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user first.last.
Current Password: 
New password: 
BAD PASSWORD: is too similar to the old one
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to dell-pe1950-03.testrelm.com closed.
[root@dell-pe1950-03 ~]#

Verified in version ipa-server-3.0.0-8.el6.x86_64

Comment 5 errata-xmlrpc 2013-02-21 09:13:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

