[Freeipa-devel] F19 is broken w.r.t. user password change

Alexander Bokovoy abokovoy at redhat.com
Sat Jun 29 04:46:50 UTC 2013


On Fri, 28 Jun 2013, Alexander Bokovoy wrote:
>Hi!
>
>Found today when preparing my talk at LVEE conference:
>
>When running 'ipa passwd <user>' or 'kinit <user>' for the first time
>(i.e. forcing a password change), ipa-pwd-extop causes denial of
>password change:
>
>[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Received extended operation request with OID 1.3.6.1.4.1.4203.1.11.1
>....
>[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Pre-Encoded passwords are not valid
>[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_post_op
>[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_cache_change_notify
>[28/Jun/2013:22:02:43 +0300] roles-plugin - <-- roles_post_op
>[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Failed to update password
>
>Apparently, we receive password encoded as {SSHA} scheme and it breaks
>any password change. Appropriate code checks are in
>daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:719-738
>
>I've reproduced it with Fedora 19 RC2 ISO, with git master rpms, and
>with freeipa-devel repo. Basically, this is release blocker for 3.3
>right now.
Thanks to Nathan for pointing out this change in 389-ds-base:
http://directory.fedoraproject.org/wiki/Password_Administrator

I added 

passwordAdminDn: cn=admins,cn=groups,cn=accounts,$SUFFIX

to cn=config and got it fixed for stock FreeIPA configuration.
However, the change like this would not be enough for delegated roles.

Patch that fixes basic problem is attached, please review.

-- 
/ Alexander Bokovoy
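As an added example (not part of the original post or of FreeIPA), a small parser that flags this failure pattern in the 389-ds errors log: a `Pre-Encoded passwords are not valid` message from ipa-pwd-extop followed shortly by `Failed to update password`. The embedded log lines are the ones quoted above; the line format and the window size are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Errors-log lines as quoted in the mailing list post (constructed sample).
SAMPLE_LOG = """\
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Received extended operation request with OID 1.3.6.1.4.1.4203.1.11.1
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Pre-Encoded passwords are not valid
[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_post_op
[28/Jun/2013:22:02:43 +0300] roles-plugin - --> roles_cache_change_notify
[28/Jun/2013:22:02:43 +0300] roles-plugin - <-- roles_post_op
[28/Jun/2013:22:02:43 +0300] ipa-pwd-extop - Failed to update password
"""

# "[timestamp] plugin-name - message" (assumed layout of the 389-ds errors log)
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<plugin>\S+) - (?P<msg>.*)$")

# OID of the LDAP Password Modify extended operation (RFC 3062)
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"


@dataclass
class Entry:
    ts: str
    plugin: str
    msg: str


def parse_errors_log(text: str) -> List[Entry]:
    """Parse errors-log text into entries, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group("ts"), m.group("plugin"), m.group("msg")))
    return entries


def find_preencoded_rejections(entries: List[Entry], window: int = 10) -> List[str]:
    """Return timestamps where ipa-pwd-extop rejected a pre-encoded password and
    then reported the update as failed within `window` subsequent lines."""
    hits = []
    for i, e in enumerate(entries):
        if e.plugin == "ipa-pwd-extop" and e.msg.startswith("Pre-Encoded passwords are not valid"):
            for later in entries[i + 1 : i + 1 + window]:
                if later.plugin == "ipa-pwd-extop" and later.msg == "Failed to update password":
                    hits.append(e.ts)
                    break
    return hits


def passwd_modify_requests(entries: List[Entry]) -> int:
    """Count Password Modify extended-operation requests seen in the log."""
    return sum(1 for e in entries if PASSWD_MODIFY_OID in e.msg)
```

Run against a real errors log with `find_preencoded_rejections(parse_errors_log(open(path).read()))`; a non-empty result on a server where password changes fail points at the passwordAdminDN setting discussed above.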
-------------- next part --------------
From 47c4334c53e6b92a791561b25e83e37ed19decce Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Sat, 29 Jun 2013 07:01:10 +0300
Subject: [PATCH] set passwordAdminDN by default in cn=config

In 389-ds directory administrators can define a user, or a group of users, who
are "Password Administrators", for example helpdesk employees.

Set password administrators to cn=admins,cn=groups,cn=accounts,$SUFFIX
by default.

Without the passwordAdminDN attribute set, neither can users change their password
via FreeIPA, nor can admins reset user passwords with 389-ds-base 1.3.1.2-1.
---
 install/updates/10-config.update | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index c631b2c..1a57ba0 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -4,6 +4,11 @@
 dn: cn=config
 only:nsslapd-ssl-check-hostname: on
 
+# Make sure cn=admins are capable to change password schema
+# See http://directory.fedoraproject.org/wiki/Password_Administrator for details
+dn: cn=config
+only:passwordAdminDN: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
+
 # Remove incorrect placement
 dn: cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config
 remove: nsslapd-pluginPrecedence: 60
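Review bot: the new `only:passwordAdminDN:` value is single-quoted while the neighbouring `only:nsslapd-ssl-check-hostname: on` is not; confirm that the update parser strips the quotes and still expands `$SUFFIX` inside them, otherwise the DN is stored with literal quotes and the setting is silently ineffective. The block also repeats `dn: cn=config` instead of adding the attribute to the `cn=config` entry three lines above; merging them keeps one entry per DN in this file. The comment should say "able to change passwords" rather than "capable to change password schema". Note too that 389-ds lets members of the passwordAdminDN group set other users' passwords while bypassing password policy checks, so granting this to all of cn=admins widens their privilege; the commit message should say so, and, as the cover mail already notes, delegated roles outside cn=admins are still not covered.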
@@ -57,3 +62,4 @@ addifnew:nsSaslMapPriority: 10
 
 dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
 addifnew:nsSaslMapPriority: 10
+
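Review bot: this hunk only adds a trailing blank line at the end of the file, which is unrelated to the passwordAdminDN change and can be dropped from the patch.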
-- 
1.8.1.4