On Sat, 2013-06-29 at 07:46 +0300, Alexander Bokovoy wrote: > On Fri, 28 Jun 2013, Alexander Bokovoy wrote: > >Hi! > > > >Found today when preparing my talk at LVEE conference: > > > >When running 'ipa passwd <user>' or 'kinit <user>' for the first time > >(i.e. forcing a password change), ipa-pwd-extop causes denial of > >password change: > > > >[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Received extended operation > >request with OID 1.3.6.1.4.1.4203.1.11.1 > >.... > >[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Pre-Encoded passwords are not > >valid > >[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_post_op > >[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_cache_change_notify > >[28/Jun/2013:22:02:43 +0300] roles-plugin - <-- roles_post_op > >[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Failed to update password > > > >Apparently, we receive password encoded as {SSHA} scheme and it breaks > >any password change. Appropriate code checks are in > >daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:719-738 > > > >I've reproduced it with Fedora 19 RC2 ISO, with git master rpms, and > >with freeipa-devel repo. Basically, this is release blocker for 3.3 > >right now. > Thanks to Nathan to point out to this change in 389-ds-base: > http://directory.fedoraproject.org/wiki/Password_Administrator > > I added > > passwordAdminDn: cn=admins,cn=groups,cn=accounts,$SUFFIX > > to cn=config and got it fixed for stock FreeIPA configuration. > However, the change like this would not be enough for delegated roles. > > Patch that fixes basic problem is attached, please review.
Although the patch 'fixes' the problem for the admin group it break s the IPA model. We need to get a way to disable this behavior in 389DS (we already do our own checks since long), and work for a long term solution where policy checks can be delegated to a plugin. It is a priority to revert the new logic in 389DS immediately, and work on a plan. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel