On Fri, 28 Jun 2013, Alexander Bokovoy wrote:
Hi!

Found today when preparing my talk at LVEE conference:

When running 'ipa passwd <user>' or 'kinit <user>' for the first time
(i.e. forcing a password change), ipa-pwd-extop causes denial of
password change:

[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Received extended operation request with OID 1.3.6.1.4.1.4203.1.11.1
....
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Pre-Encoded passwords are not valid
[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_post_op
[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_cache_change_notify
[28/Jun/2013:22:02:43 +0300] roles-plugin - <-- roles_post_op
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Failed to update password

Apparently, we receive the password encoded with the {SSHA} scheme and it breaks
any password change. The relevant code checks are in
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:719-738

I've reproduced it with the Fedora 19 RC2 ISO, with git master rpms, and
with the freeipa-devel repo. Basically, this is a release blocker for 3.3
right now.
Thanks to Nathan for pointing out this change in 389-ds-base:
http://directory.fedoraproject.org/wiki/Password_Administrator

I added
passwordAdminDn: cn=admins,cn=groups,cn=accounts,$SUFFIX

to cn=config and got it fixed for stock FreeIPA configuration.
However, the change like this would not be enough for delegated roles.

A patch that fixes the basic problem is attached, please review.

--
/ Alexander Bokovoy
From 47c4334c53e6b92a791561b25e83e37ed19decce Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Sat, 29 Jun 2013 07:01:10 +0300
Subject: [PATCH] set passwordAdminDN by default in cn=config

In 389-ds directory administrators can define a user, or a group of users, who
are "Password Administrators", for example helpdesk employees.

Set password administrators to cn=admins,cn=groups,cn=accounts,$SUFFIX
by default.

Without the passwordAdminDN attribute set, users can neither change their password
via FreeIPA, nor can admins reset user passwords with 389-ds-base 1.3.1.2-1.
---
 install/updates/10-config.update | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index c631b2c..1a57ba0 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -4,6 +4,11 @@
 dn: cn=config
 only:nsslapd-ssl-check-hostname: on
 
+# Make sure cn=admins are capable to change password schema
+# See http://directory.fedoraproject.org/wiki/Password_Administrator for 
details
+dn: cn=config
+only:passwordAdminDN: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
+
 # Remove incorrect placement
 dn: cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config
 remove: nsslapd-pluginPrecedence: 60
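Review bot: the comment above the new cn=config entry is misleading and, as posted, looks broken across two lines: "capable to change password schema" should say something like "able to reset user passwords" (nothing about the schema changes), and the continuation line "details" carries no leading "+" or "#", so either the mail client wrapped the URL line or the file now contains a stray "details" line that the updater will try to parse; keep the whole comment on one line. The value is also single-quoted ('cn=admins,cn=groups,cn=accounts,$SUFFIX') while the neighbouring `only:nsslapd-ssl-check-hostname: on` is not; confirm the updater strips the quotes rather than storing them as part of the DN.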
@@ -57,3 +62,4 @@ addifnew:nsSaslMapPriority: 10
 
 dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
 addifnew:nsSaslMapPriority: 10
+
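Review bot: this hunk only appends a blank line at the end of the file, which is unrelated to the passwordAdminDN fix; drop it so the patch stays one logical change and does not add trailing whitespace.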
-- 
1.8.1.4
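As an added check (not part of the patch or of the message above), a small script that reads the cn=config entry as LDIF, as ldapsearch would print it, and verifies that passwordAdminDN names the admins group under the suffix; the sample LDIF and the suffix dc=example,dc=test are constructed for the example.

```python
import base64
import re

# Constructed sample of a cn=config entry after the fix has been applied
# (LDIF folds long values onto a continuation line that starts with a space).
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
cn: config
nsslapd-ssl-check-hostname: on
passwordAdminDN: cn=admins,cn=groups,cn=accounts,
 dc=example,dc=test
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name_lowercase: [values]}.
    Handles folded lines (leading space) and base64 values ('::')."""
    unfolded = re.sub(r"\n ", "", text)  # join continuation lines
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around ',' and '=' so that
    DNs written differently but naming the same entry compare equal."""
    rdns = re.split(r"\s*,\s*", dn.strip())
    return ",".join(re.sub(r"\s*=\s*", "=", r).lower() for r in rdns)


def check_password_admin(config_ldif, suffix):
    """Return ("ok"|"missing"|"unexpected", values) for passwordAdminDN."""
    expected = normalize_dn("cn=admins,cn=groups,cn=accounts," + suffix)
    values = parse_ldif_entry(config_ldif).get("passwordadmindn", [])
    if not values:
        return "missing", values
    if any(normalize_dn(v) == expected for v in values):
        return "ok", values
    return "unexpected", values


if __name__ == "__main__":
    print(check_password_admin(SAMPLE_CONFIG_LDIF, "dc=example,dc=test"))
```

On a live server the LDIF would come from `ldapsearch -LLL -s base -b cn=config passwordAdminDN` run as Directory Manager; the "missing" result is the state the message describes.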
