Red Hat Bugzilla – Bug 887988
[RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI
Last modified: 2015-06-19 07:14:22 EDT
Description of problem: RFE: Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI to allow a user account to expire at a certain date.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3306
*** Bug 888240 has been marked as a duplicate of this bug. ***
~~ Current DEV status ~~ This RFEc consists of 2 parts: https://fedorahosted.org/freeipa/ticket/3305: KrbPrincipalExpiration should be checked in pre-bind op https://fedorahosted.org/freeipa/ticket/3306: [RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI We have patch for the first part, it is being reviewed for FreeIPA 3.4. Second ticket should be also pretty easily solvable, mostly standard CLI/UI wiring.
Any update with regards to this request?
Hello Signbjorn, this RFE is being solved upstream, in currently developed FreeIPA version 3.4 which is planned to be released in Q1 2014. The RFE is preliminary planned for RHEL-7.1. If backport to earlier RHEL version is requested, please contact the Customer Service.
Hi Martin, Please check response in comment #11 for the requested information.
Deepak, as the development team focused on development and testing of the upcoming RHEL-7.0 release, the development of the upstream feature is not complete yet. It is in development, but not finished. I am confident it will be part of RHEL-7.1 release. As for RHEL-6.6, we need to check with QE first so that they can evaluate, if they will be able to test it.
Fixed upstream in master branch: LDAP bind fix: 5d78cdf80951748f5f954a69c41a2a2cb1b84812 ipa-pwd-extop: Deny LDAP binds for accounts with expired principals 004071a24626195994265b1bcc3ac616bb09d795 ipatests: Add test for denying expired principals CLI/UI enhancement: edb5a0c5344de88cc41f6f73098da88d754cf076 ipalib: Expose krbPrincipalExpiration in CLI 4568a52953bc8e0193d586ebc3d8bdbd3e3e0fa0 ipatests: Fix formatting errors in test_user_plugin.py 473a9fd23800b46b4608465ae47da523e8a2861f ipatests: Add coverage for setting krbPrincipalExpiration
Web UI enhancement: 4de9c5fc51c1e9a07a23b430ba531eb096960732 webui: expose krbprincipalexpiration
Verified using ipa-server-4.1.0-16.el7.x86_64 # ipa user-add --first=two --last=two two --password Password: Enter Password again to verify: ---------------- Added user "two" ---------------- User login: two First name: two Last name: two Full name: two two Display name: two two Initials: tt Home directory: /home/two GECOS: two two Login shell: /bin/sh Kerberos principal: two@TESTRELM.TEST Email address: two@testrelm.test UID: 547200003 GID: 547200003 Password: True Member of groups: ipausers Kerberos keys available: True # kinit two Password for two@TESTRELM.TEST: Password expired. You must change it now. Enter new password: Enter it again: # ipa user-mod two --principal-expiration="2015-01-27 00:00:00Z" ------------------- Modified user "two" ------------------- User login: two First name: two Last name: two Home directory: /home/two Login shell: /bin/sh Kerberos principal expiration: 20150127000000Z Email address: two@testrelm.test UID: 547200003 GID: 547200003 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True # date Mon Jan 26 16:55:01 EST 2015 # date +%D -s 2015-01-28 01/28/15 # date Wed Jan 28 00:00:05 EST 2015 # kinit two kinit: Client's entry in database has expired while getting initial credentials Verified the same from UI also.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html
After user account has expired at a certain date, Error message that appears in CLI is "kinit: Client's entry in database has expired while getting initial credentials" But, the Error message in UI is: "The password or username you entered is incorrect". Shouldn't both CLI and UI have the same error message?
ipa/session/login_password doesn't recognize the "kinit: Client's entry in database has expired while getting initial credentials" erorr and think that it's general invalid password error. This is then send to Web UI which displays invalid message. ipa/session/login_password should be fixed to recognize this error and then send html header in response with appropriate error