Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap: add 'exop_force' value for ldap_pwmodify_mode #7614

Closed
wants to merge 2 commits into from
Closed

ldap: add 'exop_force' value for ldap_pwmodify_mode #7614

wants to merge 2 commits into from

Conversation

sumit-bose
Copy link
Contributor

In case the LDAP server allows to run the extended operation to change a
password even if an authenticated bind fails due to missing grace logins
the new option 'exop_force' can be used to run the extended operation to
change the password anyways.

@justin-stephenson
Copy link
Contributor

Sorry for the ignorant question, but how does this differ from SDAP_PPOLICY_PWD_CHANGE_THRESHOLD in https://github.com/SSSD/sssd/blob/master/src/providers/ldap/ldap_auth.c#L243-L249 ?

@sumit-bose
Copy link
Contributor Author

Sorry for the ignorant question, but how does this differ from SDAP_PPOLICY_PWD_CHANGE_THRESHOLD in https://github.com/SSSD/sssd/blob/master/src/providers/ldap/ldap_auth.c#L243-L249 ?

Hi,

it is related but not the same. The threshold value should make sure that there are a sufficient number of grace logins left to properly change the password. Due to the nature of the two-step PAM flow for password changes and that we do not keep the LDAP connection open between the two steps, a password change requires multiple binds/grace logins. This option is currently only evaluated in the code path where we explicitly check as part of the access control if the password is about to expired, e.g. when using an ssh key for authentication.

The current change affects the code path where we already get the information that the password is expired during authentication from the LDAP server, i.e. when authenticating with a password with auth_provider = ldap. In general checking the threshold value might be a good idea in this code path as well but I didn't want to add this here since the patch will most probably be backported and the option is a new feature. Additionally the check for the threshold wouldn't have helped here because there are no grace logins configured on the server side. So the password is expired without grace logins left. 389ds does not let the user change the password at this state since it requires that the passowrd change extended operation is send after an authenticated bind and since no grace logins are left this is not possible and an admin has to reset the password. It looks like OpenLDAP allows to run the password change exop under certain conditions (so far I wasn't able to figure out the exact details) without an authenticated bind. So even if the bind fails it would be ok for SSSD to continue and send the password change exop to change the password and the password change would be successful on the LDAP server side. This is what the new exop_force value is about.

HTH

bye,
Sumit

@justin-stephenson
Copy link
Contributor

Sorry for the ignorant question, but how does this differ from SDAP_PPOLICY_PWD_CHANGE_THRESHOLD in https://github.com/SSSD/sssd/blob/master/src/providers/ldap/ldap_auth.c#L243-L249 ?

Hi,

it is related but not the same. The threshold value should make sure that there are a sufficient number of grace logins left to properly change the password. Due to the nature of the two-step PAM flow for password changes and that we do not keep the LDAP connection open between the two steps, a password change requires multiple binds/grace logins. This option is currently only evaluated in the code path where we explicitly check as part of the access control if the password is about to expired, e.g. when using an ssh key for authentication.

The current change affects the code path where we already get the information that the password is expired during authentication from the LDAP server, i.e. when authenticating with a password with auth_provider = ldap. In general checking the threshold value might be a good idea in this code path as well but I didn't want to add this here since the patch will most probably be backported and the option is a new feature. Additionally the check for the threshold wouldn't have helped here because there are no grace logins configured on the server side. So the password is expired without grace logins left. 389ds does not let the user change the password at this state since it requires that the passowrd change extended operation is send after an authenticated bind and since no grace logins are left this is not possible and an admin has to reset the password. It looks like OpenLDAP allows to run the password change exop under certain conditions (so far I wasn't able to figure out the exact details) without an authenticated bind. So even if the bind fails it would be ok for SSSD to continue and send the password change exop to change the password and the password change would be successful on the LDAP server side. This is what the new exop_force value is about.

HTH

bye, Sumit

Thank you for the explanation, it makes sense to me now. Ack.

pbrezina
pbrezina requested changes Sep 26, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Sumit, would it be possible for you to write a system test? There are already few in test_ldap.py that tests "exop".

src/providers/ldap/sdap_async_connection.c Show resolved Hide resolved
src/providers/ldap/sdap_async_connection.c Outdated Show resolved Hide resolved
src/providers/ldap/sdap_async_connection.c Outdated Show resolved Hide resolved
@sumit-bose
Copy link
Contributor Author

Hi Sumit, would it be possible for you to write a system test? There are already few in test_ldap.py that tests "exop".

Hi,

sure, I can add exop_force to the parameter list of the existing tests or are you thinking of something different?

bye,
Sumit

@pbrezina
Copy link
Member

That's one option, but that won't hit "grace logins exhausted", right? It might be better to add a new test for this case.

@sumit-bose sumit-bose force-pushed the ldap_passwd_exop_bind branch from b36e10d to 1467fe1 Compare September 27, 2024 15:01
@sumit-bose
Copy link
Contributor Author

That's one option, but that won't hit "grace logins exhausted", right? It might be better to add a new test for this case.

I added a test, please check if I followed all rules and used proper meta-data.

@sumit-bose sumit-bose force-pushed the ldap_passwd_exop_bind branch from 1467fe1 to 40897dc Compare September 27, 2024 16:51
pbrezina
pbrezina reviewed Sep 30, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sorry, I missed that this is only for OpenLDAP. We could add OpenLDAP instance to the containers and new topology that would run tests against it, do you think it is worth it? Otherwise, we can just drop this test, I suppose.

src/tests/system/tests/test_ldap.py Outdated Show resolved Hide resolved
@sumit-bose
Copy link
Contributor Author

I'm sorry, I missed that this is only for OpenLDAP. We could add OpenLDAP instance to the containers and new topology that would run tests against it, do you think it is worth it? Otherwise, we can just drop this test, I suppose.

Hi,

so far (after spending quite some time to find the right settings) I'm not able to reproduce the issue with OpenLDAP but I got logs which shows that OpenLDAP can be configured to act in this way (allow password change exop if no grace logins left and bind failed). Having a test which shows that SSSD will ask for a new password with exop_force is imo sufficient to test the SSSD code even if the actual change will fail.

So I think there is no need so far to add an OpenLDAP instance and if you agree we can keep the test.

bye,
Sumit

pbrezina
pbrezina requested changes Sep 30, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, ok, let's keep the test. But see some suggestions inline.

src/tests/system/tests/test_ldap.py Outdated Show resolved Hide resolved
@sumit-bose sumit-bose force-pushed the ldap_passwd_exop_bind branch from 40897dc to b7c640e Compare October 2, 2024 09:09
pbrezina
pbrezina requested changes Oct 2, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, this looks great.

Could you run black . and fix pep8 errors?

./tests/test_ldap.py:458:1: E302 expected 2 blank lines, found 1
./tests/test_ldap.py:461:25: E128 continuation line under-indented for visual indent

black is an autoformatter, that will format the code using pep8 rules.

@sumit-bose sumit-bose force-pushed the ldap_passwd_exop_bind branch from b7c640e to 7e16b79 Compare October 2, 2024 10:05
@sumit-bose
Copy link
Contributor Author

Thank you, this looks great.

Could you run black . and fix pep8 errors?

./tests/test_ldap.py:458:1: E302 expected 2 blank lines, found 1
./tests/test_ldap.py:461:25: E128 continuation line under-indented for visual indent

black is an autoformatter, that will format the code using pep8 rules.

Hi,

new version includes formatted code.

bye,
Sumit

pbrezina
pbrezina reviewed Oct 3, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack. Thank you for working on the test.

I have two minor comments, but you can ignore them if you want to. Let me know, I'll approve afterwards.

src/man/sssd-ldap.5.xml Show resolved Hide resolved
src/tests/system/tests/test_ldap.py Outdated Show resolved Hide resolved
@sumit-bose sumit-bose force-pushed the ldap_passwd_exop_bind branch from 7e16b79 to 8a8873f Compare October 4, 2024 13:46
@alexey-tikhonov
Copy link
Member

@sumit-bose, could you please add :config: release note?

@sumit-bose
ldap: add 'exop_force' value for ldap_pwmodify_mode
72a7fd0 
In case the LDAP server allows to run the extended operation to change a
password even if an authenticated bind fails due to missing grace logins
the new option 'exop_force' can be used to run the extended operation to
change the password anyways.

:config: Added `exop_force` value for configuration option
  `ldap_pwmodify_mode`. This can be used to force a password change even
  if no grace logins are left. Depending on the configuration of the
  LDAP server it might be expected that the password change will fail.
@sumit-bose
tests: add 'expo_force' tests
7c8564c 
The new value for the ldap_pwmodify_mode option 'exop_force' is added to
existing test. A new test to illustrate the different behavior of 'exop'
and 'exop_force' is added.
@sumit-bose sumit-bose force-pushed the ldap_passwd_exop_bind branch from 8a8873f to 7c8564c Compare October 15, 2024 12:19
@alexey-tikhonov
Copy link
Member

Pushed PR: #7614

  • master
    • deefe9a - tests: add 'expo_force' tests
    • 7184541 - ldap: add 'exop_force' value for ldap_pwmodify_mode
  • sssd-2-10
    • e609bb6 - tests: add 'expo_force' tests
    • d523261 - ldap: add 'exop_force' value for ldap_pwmodify_mode

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Oct 15, 2024
edited
Loading

@sumit-bose,

Conflict in sssd-2-9

so please open explicit backport PR if C9S needs this.

I didn't check, maybe conflict was in the test only.

@sumit-bose
Copy link
Contributor Author

@sumit-bose,

Conflict in sssd-2-9

so please open explicit backport PR if C9S needs this.

I didn't check, maybe conflict was in the test only.

Hi,

no. it is mainly about missing ldap_use_ppolicy related patches. I opened #7645 which just the exop_force backport. If you think ldap_use_ppolicy should be backport as well I can add this as well.

bye,
Sumit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pbrezina pbrezina pbrezina approved these changes

@justin-stephenson justin-stephenson justin-stephenson approved these changes

Assignees

@justin-stephenson justin-stephenson

@pbrezina pbrezina

Labels
branch: sssd-2-10 Pushed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sumit-bose @justin-stephenson @pbrezina @alexey-tikhonov