@@ -0,0 +1,77 @@
+ .. highlight:: none
+
+ Change password on LDAP server that does not support Password Mofify Extended Operation
+ =======================================================================================
+
+ Related ticket(s):
+ ------------------
+ https://pagure.io/SSSD/sssd/issue/1314
+
+
+ Problem statement
+ -----------------
+ Some directory servers either do not support Password Modify Extended Operation
+ (OID 1.3.6.1.4.1.4203.1.11.1, RFC 3062) for password change or this feature is
+ disabled by default. SSSD is unable to perform password change on such servers.
+ Even though we recommend to upgrade to servers that supports this feature,
+ there are still users that will benefit from SSSD being able to change
+ password without it.
+
+ Two example servers are IBM Tivoli Directory Server that does not support
+ this operation and Oracle Directory Server that may not have it enabled
+ by default.
+
+ Use cases
+ ---------
+ * A user wants to change his/her password against LDAP that does not support
+ Password Modify Extended Operation.
+
+ Overview of the solution
+ ------------------------
+ Provide new configuration option ``ldap_pwmodify_mode``. This option can be
+ set to one of two values: ``exop``, ``ldap_modify`` having ``exop`` to be the
+ default value. This will give us the ability to extend SSSD with another method
+ for password change in the future if it is ever needed.
+
+ If this option is set to ``exop`` then SSSD use Password Modify extended
+ operation to change the password as it does now. If the value is ``ldap_modify``
+ then ldap_modify operation will be used to change the password.
+
+ Even though the ldap_modify operation uses a plain text password, the servers
+ typically hashes the userPassword attribute.
+
+ `Quote from IBM Tivoli DS documentation <https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/rzahy/rzahypwdencrypt.htm>`_:
+ "After the server is configured, any new passwords (for new
+ users) or modified passwords (for existing users) are encrypted before
+ they are stored in the directory database. Subsequent LDAP searches will
+ return a tagged and encrypted value."
+
+ Implementation details
+ ----------------------
+ When a password change is requested, ``sdap_pam_chpass_handler_send`` is called.
+ This request first authenticates the user with current password and then in
+ ``sdap_pam_chpass_handler_auth_done`` tries to change it with extended operation
+ by calling ``sdap_exop_modify_passwd_send``. At this point we should check
+ the value of ``ldap_pwmodify_exop`` option and decide whether to continue with
+ extended operation or use ``ldap_modify_ext`` instead.
+
+ Both operations use the connection that verified the current password not
+ connection that is used for ID lookups. Therefore the user that wants to change
+ his/her password must be allowed to write to the userPassword attribute of
+ their object.
+
+ Information on how to change the password using simple LDAP modify operation
+ can be found `here <https://www.ibm.com/support/knowledgecenter/SSVJJU_6.3.0/com.ibm.IBMDS.doc/admin_gd202.htm>`_
+
+ Configuration changes
+ ---------------------
+ * New option: ``ldap_pwmodify_mode`` with possible values ``exop`` (default)
+ and ``ldap_modify``.
+
+ How To Test
+ -----------
+ * Set ``ldap_pwmodify_mode`` to ``ldap_modify`` and try to change user's password.
+
+ Authors
+ -------
+ * Pavel Březina <pbrezina@redhat.com>
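Review bot: the option name is inconsistent within the hunk: the "Overview of the solution" and "Configuration changes" sections introduce ``ldap_pwmodify_mode``, but "Implementation details" says to check the value of ``ldap_pwmodify_exop``; use ``ldap_pwmodify_mode`` throughout so the design matches the option that is actually added. The title also has a typo, "Mofify" for "Modify". In "Implementation details", ``ldap_modify_ext`` is named but the modification list is not: state whether ``userPassword`` is replaced with the new value or the old value is deleted and the new one added in one request, because servers that enforce a password policy can treat a self-service replace differently from a delete/add pair, and the write-access requirement already noted for the user's own object depends on it. The statement that "the servers typically hashes the userPassword attribute" describes a server-side setting, not a guarantee of this mode: the new password leaves SSSD as a cleartext attribute value in the modify request and the server decides how it is stored, so the design (and the man page text for the new option) should say that ``ldap_modify`` mode is only appropriate over an encrypted connection and that a server which does not hash ``userPassword`` will keep the value in the clear. Finally, "How To Test" should also cover that the default ``exop`` behaviour is unchanged and that the old password is rejected after a successful change, not only that a change can be attempted.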