Hi!

Found today when preparing my talk at the LVEE conference:

When running 'ipa passwd <user>' or 'kinit <user>' for the first time
(i.e. forcing a password change), ipa-pwd-extop causes denial of
password change:

[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Received extended operation request with OID 1.3.6.1.4.1.4203.1.11.1
....
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Pre-Encoded passwords are not valid
[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_post_op
[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_cache_change_notify
[28/Jun/2013:22:02:43 +0300] roles-plugin - <-- roles_post_op
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Failed to update password

Apparently, we receive the password encoded with the {SSHA} scheme and it
breaks any password change. The relevant code checks are in
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:719-738

I've reproduced it with the Fedora 19 RC2 ISO, with git master rpms, and
with the freeipa-devel repo. Basically, this is a release blocker for 3.3
right now.

--
/ Alexander Bokovoy
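
Added example (not part of the original message and not FreeIPA code): a small triage script that scans a directory server errors log for the failure signature quoted above, i.e. an RFC 3062 Password Modify request that ipa-pwd-extop rejects. The sample log is constructed from the lines in the report, and the assumption that the lines following a request belong to it (no interleaved requests) is a simplification.

```python
import re

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>[\w-]+) - (?P<msg>.*)$")
REQ_RE = re.compile(r"Received extended operation request with OID (?P<oid>[\d.]+)")

# Constructed sample: the report's lines (first one wrapped as in the mail)
# plus a second request with no failure lines after it.
SAMPLE_LOG = """\
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Received extended operation
request with OID 1.3.6.1.4.1.4203.1.11.1
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Pre-Encoded passwords are not valid
[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_post_op
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Failed to update password
[28/Jun/2013:22:07:10 +0300] ipa-pwd-extop - Received extended operation request with OID 1.3.6.1.4.1.4203.1.11.1
"""

def records(text):
    """Yield (ts, src, msg), re-joining lines that were wrapped in transit."""
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], m["src"], m["msg"].strip()]
        elif current and raw.strip():
            current[2] = f"{current[2]} {raw.strip()}"  # continuation line
    if current:
        yield tuple(current)

def failed_password_changes(text):
    """Return Password Modify requests followed by an ipa-pwd-extop failure.
    Assumption: lines after a request belong to it until the next request."""
    requests, open_req = [], None
    for ts, src, msg in records(text):
        if src != "ipa-pwd-extop":
            continue
        req = REQ_RE.search(msg)
        if req:
            open_req = None
            if req["oid"] == PASSWD_MODIFY_OID:
                open_req = {"ts": ts, "pre_encoded": False, "failed": False}
                requests.append(open_req)
        elif open_req:
            open_req["pre_encoded"] |= "Pre-Encoded passwords are not valid" in msg
            open_req["failed"] |= "Failed to update password" in msg
    return [r for r in requests if r["failed"]]

if __name__ == "__main__":
    print(failed_password_changes(SAMPLE_LOG))
```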
