#6437 Duplicate uid in stage user disables active account.
Opened 7 years ago by neffs. Modified 7 years ago

If a staging user is created with the same UID as an existing user, the existing user will essentially be locked out as long as the staging user exists.

As stated in #5186, there is no check for uniqueness by design, which makes this very problematic.

To verify (checked on a demo instance with IPA 4.4.2 and on 4.2.0):

  • create account testuser
  • login as testuser and set password via Web UI
  • create testuser in staging
  • login again as testuser

This could be worked around in the KDB driver. We could add a filter like this

(&(!(cn:dn:=provisioning))(... original filter ...))

to prevent KDB from finding staged entries.

The problem with this approach is that all callers doing LDAP searches need to use this filter. I doubt that there is a better way because KDB is bound as Directory Manager, so no ACI magic could help.

Having created two active users tb1 and tb2, and two stage users tb1 and tb2:

Authentication retrieves the two (stage/active) users

[07/Nov/2016:17:31:49.252404147 +0100] conn=105 op=3 SRCH base="<suffix>" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=tb1@<domain>)(krbPrincipalName=tb2@<domain>)))" attrs="distinguishedName"
[07/Nov/2016:17:31:49.256221869 +0100] conn=105 op=3 RESULT err=0 tag=101 nentries=2 etime=0

Another possibility is to add the nsaccountlock test

ldapsearch -LLL -Y GSSAPI -b "<suffix>" "(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(!(nsaccountlock=True))(krbPrincipalName=tb1@<realm>))" dn
dn: uid=tb1,cn=users,cn=accounts,<suffix>

ldapsearch -LLL -Y GSSAPI -b "<suffix>" "(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(!(nsaccountlock=True))(krbPrincipalName=tb2@<domain>))" dn
dn: uid=tb2,cn=users,cn=accounts,<suffix>

ldapsearch -LLL -Y GSSAPI -b "dc=<suffix>" "(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(!(nsaccountlock=True))(|(ipaKrbPrincipalAlias=tb1@<domain>)(krbPrincipalName=tb1@<domain>)))" dn
dn: uid=tb1,cn=users,cn=accounts,<suffix>

ldapsearch -LLL -Y GSSAPI -b "dc=<suffix>" "(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(!(nsaccountlock=True))(|(ipaKrbPrincipalAlias=tb2@<domain>)(krbPrincipalName=tb2@<domain>)))" dn
dn: uid=tb2,cn=users,cn=accounts,<suffix>
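The following is an added example, not code from the ticket or from FreeIPA. It models the KDB principal lookup seen in the access log above against a small constructed in-memory directory (the suffix `dc=example,dc=test`, the realm `EXAMPLE.TEST`, the entries in `DIRECTORY`, and the names `principal_lookup_filter`, `search` and `uid_collisions` are all assumptions of this example). It assumes, as the ldapsearch results above rely on, that staged entries carry `nsaccountlock=TRUE`. The filter evaluator is a deliberately small model (equality, `&`, `|`, `!` and the `attr:dn:=value` extensible match, compared case-insensitively), not 389-ds semantics. It shows that the unfiltered lookup returns two entries for a duplicated uid, that either the `(!(nsaccountlock=True))` test or the `(!(cn:dn:=provisioning))` exclusion narrows that to the active user, and it adds an audit function that lists staged uids colliding with active ones.

```python
"""Model of the KDB principal lookup against a constructed directory.
Added example, not code from the ticket or from FreeIPA; stdlib only."""
import re

# Constructed sample directory (not real data). Staged entries are assumed
# to carry nsaccountlock=TRUE, as the ticket's ldapsearch results rely on.
SUFFIX = "dc=example,dc=test"
REALM = "EXAMPLE.TEST"
OC = ["person", "krbprincipalaux", "ipakrbprincipal"]
DIRECTORY = [
    {"dn": f"uid=tb1,cn=users,cn=accounts,{SUFFIX}", "objectclass": OC,
     "uid": ["tb1"], "krbprincipalname": [f"tb1@{REALM}"]},
    {"dn": f"uid=tb2,cn=users,cn=accounts,{SUFFIX}", "objectclass": OC,
     "uid": ["tb2"], "krbprincipalname": [f"tb2@{REALM}"]},
    # Staged copy of tb1: same uid and principal as the active user.
    {"dn": f"uid=tb1,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}",
     "objectclass": OC, "uid": ["tb1"], "krbprincipalname": [f"tb1@{REALM}"],
     "nsaccountlock": ["TRUE"]},
    # Staged tb3 has no active counterpart, so it is not a collision.
    {"dn": f"uid=tb3,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}",
     "objectclass": OC, "uid": ["tb3"], "krbprincipalname": [f"tb3@{REALM}"],
     "nsaccountlock": ["TRUE"]},
]


def escape(value):
    """RFC 4515 escaping for a value embedded in a filter string."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def principal_lookup_filter(principal, exclude_locked=False, exclude_staged=False):
    """Build the KDB principal search filter from the access log, optionally
    adding the nsaccountlock test and/or the cn:dn:=provisioning exclusion."""
    p = escape(principal)
    parts = ["(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)"
             "(objectClass=ipakrbprincipal))"]
    if exclude_locked:
        parts.append("(!(nsaccountlock=True))")
    if exclude_staged:
        parts.append("(!(cn:dn:=provisioning))")
    parts.append(f"(|(ipaKrbPrincipalAlias={p})(krbPrincipalName={p}))")
    return "(&" + "".join(parts) + ")"


def parse(s, i=0):
    """Recursive-descent parser for the subset used here: &, |, !, equality
    and the 'attr:dn:=value' extensible match. Returns (node, next_pos)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, subs), i + 1
    if s[i] == "!":
        node, i = parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)          # a ')' inside a value is escaped as \29
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def matches(node, entry):
    """caseIgnoreMatch-style evaluation of a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    dn_attrs = attr.endswith(":dn:")      # extensible match with dnAttributes
    attr = (attr[:-4] if dn_attrs else attr).lower()
    candidates = [v.lower() for v in entry.get(attr, [])]
    if dn_attrs:                           # also match RDN components of the DN
        for rdn in entry["dn"].split(","):
            a, _, v = rdn.partition("=")
            if a.strip().lower() == attr:
                candidates.append(v.strip().lower())
    return unescape(value).lower() in candidates


def search(filter_str, directory=DIRECTORY):
    """Return the DNs in the directory matching the filter string."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return [e["dn"] for e in directory if matches(node, e)]


def uid_collisions(directory=DIRECTORY):
    """Audit check: staged uids that already exist as active users."""
    def staged(e):
        return ",cn=provisioning," in e["dn"].lower()
    active = {e["uid"][0] for e in directory if not staged(e)}
    return sorted(e["uid"][0] for e in directory if staged(e) and e["uid"][0] in active)


if __name__ == "__main__":
    for flags in ({}, {"exclude_locked": True}, {"exclude_staged": True}):
        f = principal_lookup_filter(f"tb1@{REALM}", **flags)
        print(f"{flags or 'no exclusion'}: nentries={len(search(f))}")
    print("uid collisions:", uid_collisions())
```

Run stand-alone, the script reports `nentries=2` for the unfiltered lookup of tb1 (the situation the access log above shows) and `nentries=1` with either exclusion; `uid_collisions()` is the kind of periodic check an administrator can run over an export of the accounts and provisioning subtrees to catch a duplicate before it locks anyone out.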

Metadata Update from @neffs:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

