Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap: add 'exop_force' value for ldap_pwmodify_mode #7614

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

ldap: add 'exop_force' value for ldap_pwmodify_mode #7614

wants to merge 2 commits into from
+97 −15

Conversation

sumit-bose
Copy link
Contributor

In case the LDAP server allows to run the extended operation to change a
password even if an authenticated bind fails due to missing grace logins
the new option 'exop_force' can be used to run the extended operation to
change the password anyways.

@sumit-bose sumit-bose added the backport-to-stable Targets also latest stable branch label Sep 23, 2024
@justin-stephenson
Copy link
Contributor

Sorry for the ignorant question, but how does this differ from SDAP_PPOLICY_PWD_CHANGE_THRESHOLD in https://github.com/SSSD/sssd/blob/master/src/providers/ldap/ldap_auth.c#L243-L249 ?

@sumit-bose
Copy link
Contributor Author

Sorry for the ignorant question, but how does this differ from SDAP_PPOLICY_PWD_CHANGE_THRESHOLD in https://github.com/SSSD/sssd/blob/master/src/providers/ldap/ldap_auth.c#L243-L249 ?

Hi,

it is related but not the same. The threshold value should make sure that there are a sufficient number of grace logins left to properly change the password. Due to the nature of the two-step PAM flow for password changes and that we do not keep the LDAP connection open between the two steps, a password change requires multiple binds/grace logins. This option is currently only evaluated in the code path where we explicitly check as part of the access control if the password is about to expired, e.g. when using an ssh key for authentication.

The current change affects the code path where we already get the information that the password is expired during authentication from the LDAP server, i.e. when authenticating with a password with auth_provider = ldap. In general checking the threshold value might be a good idea in this code path as well but I didn't want to add this here since the patch will most probably be backported and the option is a new feature. Additionally the check for the threshold wouldn't have helped here because there are no grace logins configured on the server side. So the password is expired without grace logins left. 389ds does not let the user change the password at this state since it requires that the passowrd change extended operation is send after an authenticated bind and since no grace logins are left this is not possible and an admin has to reset the password. It looks like OpenLDAP allows to run the password change exop under certain conditions (so far I wasn't able to figure out the exact details) without an authenticated bind. So even if the bind fails it would be ok for SSSD to continue and send the password change exop to change the password and the password change would be successful on the LDAP server side. This is what the new exop_force value is about.

HTH

bye,
Sumit

@justin-stephenson
Copy link
Contributor

Sorry for the ignorant question, but how does this differ from SDAP_PPOLICY_PWD_CHANGE_THRESHOLD in https://github.com/SSSD/sssd/blob/master/src/providers/ldap/ldap_auth.c#L243-L249 ?

Hi,

it is related but not the same. The threshold value should make sure that there are a sufficient number of grace logins left to properly change the password. Due to the nature of the two-step PAM flow for password changes and that we do not keep the LDAP connection open between the two steps, a password change requires multiple binds/grace logins. This option is currently only evaluated in the code path where we explicitly check as part of the access control if the password is about to expired, e.g. when using an ssh key for authentication.

The current change affects the code path where we already get the information that the password is expired during authentication from the LDAP server, i.e. when authenticating with a password with auth_provider = ldap. In general checking the threshold value might be a good idea in this code path as well but I didn't want to add this here since the patch will most probably be backported and the option is a new feature. Additionally the check for the threshold wouldn't have helped here because there are no grace logins configured on the server side. So the password is expired without grace logins left. 389ds does not let the user change the password at this state since it requires that the passowrd change extended operation is send after an authenticated bind and since no grace logins are left this is not possible and an admin has to reset the password. It looks like OpenLDAP allows to run the password change exop under certain conditions (so far I wasn't able to figure out the exact details) without an authenticated bind. So even if the bind fails it would be ok for SSSD to continue and send the password change exop to change the password and the password change would be successful on the LDAP server side. This is what the new exop_force value is about.

HTH

bye, Sumit

Thank you for the explanation, it makes sense to me now. Ack.

pbrezina
pbrezina requested changes Sep 26, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Sumit, would it be possible for you to write a system test? There are already few in test_ldap.py that tests "exop".

src/providers/ldap/sdap_async_connection.c Show resolved Hide resolved
src/providers/ldap/sdap_async_connection.c Outdated Show resolved Hide resolved
src/providers/ldap/sdap_async_connection.c Outdated Show resolved Hide resolved
@sumit-bose
Copy link
Contributor Author

Hi Sumit, would it be possible for you to write a system test? There are already few in test_ldap.py that tests "exop".

Hi,

sure, I can add exop_force to the parameter list of the existing tests or are you thinking of something different?

bye,
Sumit

@pbrezina
Copy link
Member

That's one option, but that won't hit "grace logins exhausted", right? It might be better to add a new test for this case.

@sumit-bose
Copy link
Contributor Author

That's one option, but that won't hit "grace logins exhausted", right? It might be better to add a new test for this case.

I added a test, please check if I followed all rules and used proper meta-data.

pbrezina
pbrezina reviewed Sep 30, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sorry, I missed that this is only for OpenLDAP. We could add OpenLDAP instance to the containers and new topology that would run tests against it, do you think it is worth it? Otherwise, we can just drop this test, I suppose.

src/tests/system/tests/test_ldap.py Outdated Show resolved Hide resolved
@sumit-bose
Copy link
Contributor Author

I'm sorry, I missed that this is only for OpenLDAP. We could add OpenLDAP instance to the containers and new topology that would run tests against it, do you think it is worth it? Otherwise, we can just drop this test, I suppose.

Hi,

so far (after spending quite some time to find the right settings) I'm not able to reproduce the issue with OpenLDAP but I got logs which shows that OpenLDAP can be configured to act in this way (allow password change exop if no grace logins left and bind failed). Having a test which shows that SSSD will ask for a new password with exop_force is imo sufficient to test the SSSD code even if the actual change will fail.

So I think there is no need so far to add an OpenLDAP instance and if you agree we can keep the test.

bye,
Sumit

pbrezina
pbrezina requested changes Sep 30, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, ok, let's keep the test. But see some suggestions inline.

src/tests/system/tests/test_ldap.py Outdated Show resolved Hide resolved
@sumit-bose
ldap: add 'exop_force' value for ldap_pwmodify_mode
0e061bf 
In case the LDAP server allows to run the extended operation to change a
password even if an authenticated bind fails due to missing grace logins
the new option 'exop_force' can be used to run the extended operation to
change the password anyways.
pbrezina
pbrezina requested changes Oct 2, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, this looks great.

Could you run black . and fix pep8 errors?

./tests/test_ldap.py:458:1: E302 expected 2 blank lines, found 1
./tests/test_ldap.py:461:25: E128 continuation line under-indented for visual indent

black is an autoformatter, that will format the code using pep8 rules.

@sumit-bose
tests: add 'expo_force' tests
7e16b79 
The new value for the ldap_pwmodify_mode option 'exop_force' is added to
existing test. A new test to illustrate the different behavior of 'exop'
and 'exop_force' is added.
@sumit-bose
Copy link
Contributor Author

Thank you, this looks great.

Could you run black . and fix pep8 errors?

./tests/test_ldap.py:458:1: E302 expected 2 blank lines, found 1
./tests/test_ldap.py:461:25: E128 continuation line under-indented for visual indent

black is an autoformatter, that will format the code using pep8 rules.

Hi,

new version includes formatted code.

bye,
Sumit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pbrezina pbrezina pbrezina requested changes

@justin-stephenson justin-stephenson justin-stephenson approved these changes

Assignees

@justin-stephenson justin-stephenson

@pbrezina pbrezina

Labels
backport-to-stable Targets also latest stable branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sumit-bose @justin-stephenson @pbrezina