This bug report is based on an email conversation.
On 05/22/2013 11:31 PM, yi zhang wrote:
> Hi:
> I tried to change ipa user password to "5Class_ž7342" but it failed. HTTP error
> log says "DatabaseError"
>
> 0. sudo tail -f /var/log/httpd/error_log &
> 1. ipa group-add-member grp001 --users=testuser8237
> 2. ipa pwpolicy-add grp001 --maxfail=0 --failinterval=0 --lockouttime=0
> --minlength=0 --minclasses=0 --history=0 --minlife=0 --maxlife=9999 --priority=2
> 3. ipa passwd testuser8237
>
> ====== actual outputs are below: =============
> [yi@f18b (F18-i386) temp] echo redhat123 | kinit testuser8237
> Password for testuser8237@YZHANG.REDHAT.COM:
> [yi@f18b (F18-i386) temp] klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: testuser8237@YZHANG.REDHAT.COM
>
> Valid starting Expires Service principal
> 08/31/13 14:23:33 09/01/13 14:23:33 krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
> [yi@f18b (F18-i386) temp] ipa passwd testuser8237
> Current Password:
> New Password:
> Enter New Password again to verify:
> [Sat Aug 31 14:24:01.364459 2013] [:error] [pid 11006] ipa: INFO:
> testuser8237@YZHANG.REDHAT.COM: passwd(u'testuser8237@YZHANG.REDHAT.COM',
> u'********', u'********', version=u'2.53'): SUCCESS
> -----------------------------------------------------
> Changed password for "testuser8237@YZHANG.REDHAT.COM"
> -----------------------------------------------------
> [yi@f18b (F18-i386) temp] echo Secret123_ | kinit testuser8237
> Password for testuser8237@YZHANG.REDHAT.COM:
> [yi@f18b (F18-i386) temp] ipa passwd testuser8237
> Current Password:
> New Password:
> Enter New Password again to verify:
> [Sat Aug 31 14:25:00.492294 2013] [:error] [pid 11007] ipa: INFO:
> testuser8237@YZHANG.REDHAT.COM: passwd(u'testuser8237@YZHANG.REDHAT.COM',
> u'********', u'********', version=u'2.53'): DatabaseError
> ipa: ERROR: Constraint violation: Failed to update password
>
> ===================================
>
>
> There used to be bugs opened for the 8bit-string as password problem. But they were
> closed. I don't know when this became a problem again.
>
> [yi@f18b (F18-i386) temp] rpm -qa | grep freeipa-server
> freeipa-server-selinux-3.1.3-4.fc18.i686
> freeipa-server-3.1.3-4.fc18.i686
>
>
> Yi

Hello Yi,

Good catch! I was able to reproduce this issue also with Fedora 19. The interesting thing is that RHEL-6.4 IPA was able to change the password without any problems.

One note at the start - "5Class_ž7342" is not really an 8-bit password, it contains a unicode character 'ž'.

I was able to track down this error to the following call in the ipa-pwd-extop plugin, function ipapwd_SetPassword():

    ...
    /* let DS encode the password itself, this allows also other plugins to
     * intercept it to perform operations like synchronization with Active
     * Directory domains through the replication plugin */
    slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                          "userPassword", data->password);
    ...

These mods will later cause DS to return the LDAP_CONSTRAINT_VIOLATION error.

I wonder, can this be related to the clear-text password handling improvements that were done some time back in the DS? Adding Noriko and Rich to CC.

Martin
This change is rejected in the 7-bit check plugin. It can be fixed if userPassword attribute is removed from cn=7-bit check,cn=plugins,cn=config configuration (e.g. replaced with krbPrincipalName).
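The check described in the comment above, as an added example that is not part of the ticket or of 389-ds itself: a simplified Python model of how the 7-bit check plugin decides which writes to reject. The LDIF is a constructed sample of the plugin entry, the function names are hypothetical, and subtree scoping is ignored.

```python
# Constructed sample of the plugin entry (assumption, not output from a real server).
SAMPLE_LDIF = """\
dn: cn=7-bit check,cn=plugins,cn=config
cn: 7-bit check
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: uid
nsslapd-pluginarg1: mail
nsslapd-pluginarg2: userpassword
nsslapd-pluginarg3: ,
nsslapd-pluginarg4: dc=example,dc=com
"""
# The workaround from the comment: userPassword replaced with krbPrincipalName.
FIXED_LDIF = SAMPLE_LDIF.replace("userpassword", "krbPrincipalName")

def parse_plugin_args(ldif):
    """Return (checked attribute names, enabled flag) for the plugin entry.

    Arguments before the "," separator name attributes; the rest are subtrees.
    """
    args, enabled = {}, False
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "nsslapd-pluginenabled":
            enabled = value.lower() == "on"
        elif key.startswith("nsslapd-pluginarg"):
            args[int(key[len("nsslapd-pluginarg"):])] = value
    ordered = [args[i] for i in sorted(args)]
    attrs = ordered[:ordered.index(",")] if "," in ordered else ordered
    return {a.lower() for a in attrs}, enabled

def high_bytes(value):
    """UTF-8 bytes of value that have the high bit set (i.e. are not 7-bit)."""
    return [hex(b) for b in value.encode("utf-8") if b > 0x7F]

def rejected_by_7bit(ldif, attr, value):
    """True if writing value to attr would fail the modelled 7-bit check."""
    attrs, enabled = parse_plugin_args(ldif)
    if not enabled or attr.lower() not in attrs:
        return False
    return bool(high_bytes(value))

if __name__ == "__main__":
    pw = "5Class_ž7342"
    print("non-7-bit bytes:", high_bytes(pw))
    print("default config rejects:", rejected_by_7bit(SAMPLE_LDIF, "userPassword", pw))
    print("fixed config rejects:  ", rejected_by_7bit(FIXED_LDIF, "userPassword", pw))
```

The clear-text password is what trips the check, because ipapwd_SetPassword() hands the unhashed value to DS for encoding.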
Relevant 389-ds patch for fixing it in default DS configuration: https://fedorahosted.org/389/ticket/47363
Moving to next month bucket.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=971024 (Fedora)
master: bcf8ab2
ipa-3-2: b1cb3ad
Metadata Update from @yizhangid:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)