From eaeb45660aa05e71a937572f026bd9fed1e80dcb Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Feb 22 2019 12:09:21 +0000 Subject: Design Document: Change password without Password Modify Extended Operation --- diff --git a/design_pages/chpass_without_exop.rst b/design_pages/chpass_without_exop.rst new file mode 100644 index 0000000..d216daa --- /dev/null +++ b/design_pages/chpass_without_exop.rst @@ -0,0 +1,77 @@ +.. highlight:: none + +Change password on LDAP server that does not support Password Mofify Extended Operation +======================================================================================= + +Related ticket(s): +------------------ + https://pagure.io/SSSD/sssd/issue/1314 + + +Problem statement +----------------- +Some directory servers either do not support Password Modify Extended Operation +(OID 1.3.6.1.4.1.4203.1.11.1, RFC 3062) for password change or this feature is +disabled by default. SSSD is unable to perform password change on such servers. +Even though we recommend to upgrade to servers that supports this feature, +there are still users that will benefit from SSSD being able to change +password without it. + +Two example servers are IBM Tivoli Directory Server that does not support +this operation and Oracle Directory Server that may not have it enabled +by default. + +Use cases +--------- + * A user wants to change his/her password against LDAP that does not support + Password Modify Extended Operation. + +Overview of the solution +------------------------ +Provide new configuration option ``ldap_pwmodify_mode``. This option can be +set to one of two values: ``exop``, ``ldap_modify`` having ``exop`` to be the +default value. This will give us the ability to extend SSSD with another method +for password change in the future if it is ever needed. + +If this option is set to ``exop`` then SSSD use Password Modify extended +operation to change the password as it does now. If the value is ``ldap_modify`` +then ldap_modify operation will be used to change the password. + +Even though the ldap_modify operation uses a plain text password, the servers +typically hashes the userPassword attribute. + +`Quote from IBM Tivoli DS documentation `_: +"After the server is configured, any new passwords (for new +users) or modified passwords (for existing users) are encrypted before +they are stored in the directory database. Subsequent LDAP searches will +return a tagged and encrypted value." + +Implementation details +---------------------- +When a password change is requested, ``sdap_pam_chpass_handler_send`` is called. +This request first authenticates the user with current password and then in +``sdap_pam_chpass_handler_auth_done`` tries to change it with extended operation +by calling ``sdap_exop_modify_passwd_send``. At this point we should check +the value of ``ldap_pwmodify_exop`` option and decide whether to continue with +extended operation or use ``ldap_modify_ext`` instead. + +Both operations use the connection that verified the current password not +connection that is used for ID lookups. Therefore the user that wants to change +his/her password must be allowed to write to the userPassword attribute of +their object. + +Information on how to change the password using simple LDAP modify operation +can be found `here `_ + +Configuration changes +--------------------- +* New option: ``ldap_pwmodify_mode`` with possible values ``exop`` (default) + and ``ldap_modify``. + +How To Test +----------- +* Set ``ldap_pwmodify_mode`` to ``ldap_modify`` and try to change user's password. + +Authors +------- + * Pavel Březina diff --git a/design_pages/index.rst b/design_pages/index.rst index e616db9..cf457d7 100644 --- a/design_pages/index.rst +++ b/design_pages/index.rst @@ -37,6 +37,7 @@ Implemented in 1.16.x attestation_report kdcinfo_improvements posix_attrs_detection + chpass_without_exop.rst Implemented in 1.15.x ---------------------