On Mon, 18 Mar 2019, Mateusz O via FreeIPA-users wrote:
> I have read the information from the link and have given up the idea of
> blocking users from viewing information about other users.
> About the password issue.
> I'm creating a new user which is in the default 'ipausers' group and is
> not assigned to any role.
> When I log in using the newly created account I can reset other users'
> passwords.
Uhm. I think you need to show more details.
For example, I have IPA.TEST deployment where I use admin user to create
two other users: 'someuser' and 'anotheruser'. I set them passwords and
then try to reset a password for 'someuser' as 'anotheruser'. I get a
denial for that because 'anotheruser' cannot change a password for
'someuser'. The same happens in web UI. The denial is reflected in the
LDAP server access log. It doesn't matter that someone can enter
something in a web UI form -- as long as you are not actually able to
change the account details where you shouldn't, it makes no difference
how you came to the change point.
bash-4.4# kdestroy
bash-4.4# kinit admin
Password for admin@IPA.TEST:
bash-4.4# ipa user-add someuser
First name: Some
Last name: User
---------------------
Added user "someuser"
---------------------
User login: someuser
First name: Some
Last name: User
Full name: Some User
Display name: Some User
Initials: SU
Home directory: /home/someuser
GECOS: Some User
Login shell: /bin/sh
Principal name: someuser@IPA.TEST
Principal alias: someuser@IPA.TEST
Email address: someuser@ipa.test
UID: 1811400001
GID: 1811400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
bash-4.4# ipa passwd someuser
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "someuser@IPA.TEST"
----------------------------------------
bash-4.4# ipa user-add anotheruser
First name: Another
Last name: User
------------------------
Added user "anotheruser"
------------------------
User login: anotheruser
First name: Another
Last name: User
Full name: Another User
Display name: Another User
Initials: AU
Home directory: /home/anotheruser
GECOS: Another User
Login shell: /bin/sh
Principal name: anotheruser@IPA.TEST
Principal alias: anotheruser@IPA.TEST
Email address: anotheruser@ipa.test
UID: 1811400003
GID: 1811400003
Password: False
Member of groups: ipausers
Kerberos keys available: False
bash-4.4# ipa passwd anotheruser
New Password:
Enter New Password again to verify:
-------------------------------------------
Changed password for "anotheruser@IPA.TEST"
-------------------------------------------
bash-4.4# kdestroy
bash-4.4# kinit anotheruser
Password for anotheruser@IPA.TEST:
Password expired. You must change it now.
Enter new password:
Enter it again:
bash-4.4# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: anotheruser@IPA.TEST

Valid starting       Expires              Service principal
03/18/19 10:46:40    03/19/19 10:46:40    krbtgt/IPA.TEST@IPA.TEST
bash-4.4# ipa passwd someuser
New Password:
Enter New Password again to verify:
ipa: ERROR: Insufficient access: Insufficient access rights
In the access logs (/var/log/dirsrv/slapd-<INSTANCE>/access) for the LDAP
server I see the whole sequence for the last 'ipa passwd someuser'
operation:
[18/Mar/2019:10:46:58.591696828 +0000] conn=380 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[18/Mar/2019:10:46:58.604926385 +0000] conn=380 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0013438281 dn="uid=anotheruser,cn=users,cn=accounts,dc=ipa,dc=test"
[18/Mar/2019:10:46:58.609801432 +0000] conn=380 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=ipa,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[18/Mar/2019:10:46:58.611001189 +0000] conn=380 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001376879
[18/Mar/2019:10:46:58.613015017 +0000] conn=380 op=2 SRCH base="cn=users,cn=accounts,dc=ipa,dc=test" scope=2 filter="(&(krbPrincipalName=someuser@IPA.TEST)(objectClass=posixaccount))" attrs=""
[18/Mar/2019:10:46:58.613522708 +0000] conn=380 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000660001
[18/Mar/2019:10:46:58.614403297 +0000] conn=380 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="IPA Password Manager"
[18/Mar/2019:10:46:58.615899244 +0000] conn=380 op=3 RESULT err=50 tag=120 nentries=0 etime=0.0001635916
[18/Mar/2019:10:46:58.620618391 +0000] conn=380 op=4 UNBIND
[18/Mar/2019:10:46:58.620681680 +0000] conn=380 op=4 fd=110 closed - U1
Operation 3 (lines with op=3) is an attempt to change the password and
it fails (err=50, Insufficient access rights).
What do you see?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
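The check Alexander describes above, reading the 389-ds access log to see who bound and whether the Password Modify extended operation (oid 1.3.6.1.4.1.4203.1.11.1) was denied with err=50, can be automated for a whole log rather than eyeballed per connection. The following is an added example written for this thread, not code from FreeIPA or 389-ds. It correlates BIND, SRCH, EXT and RESULT records by conn/op number; the "probable target" column is a heuristic taken from the krbPrincipalName search the IPA client issues just before the extended operation (as seen in the log above), not a field the server logs for the operation itself. The sample log embeds the lines from the message plus a constructed second connection (conn=381, admin succeeding) so that both outcomes are shown.

```python
import re
from collections import namedtuple

# Password Modify extended operation (RFC 3062); this is the OID in the message's log.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
LDAP_INSUFFICIENT_ACCESS = 50  # err=50 in the 389-ds access log

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(\d+)')
OID_RE = re.compile(r'\boid="([^"]+)"')
PRINC_RE = re.compile(r'krbPrincipalName=([^)]+)\)')

# Sample input: lines 1-10 are the message's own log excerpt; conn=381 is constructed
# for this example to show an allowed change by admin.
SAMPLE_LOG = """\
[18/Mar/2019:10:46:58.591696828 +0000] conn=380 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[18/Mar/2019:10:46:58.604926385 +0000] conn=380 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0013438281 dn="uid=anotheruser,cn=users,cn=accounts,dc=ipa,dc=test"
[18/Mar/2019:10:46:58.609801432 +0000] conn=380 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=ipa,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[18/Mar/2019:10:46:58.611001189 +0000] conn=380 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001376879
[18/Mar/2019:10:46:58.613015017 +0000] conn=380 op=2 SRCH base="cn=users,cn=accounts,dc=ipa,dc=test" scope=2 filter="(&(krbPrincipalName=someuser@IPA.TEST)(objectClass=posixaccount))" attrs=""
[18/Mar/2019:10:46:58.613522708 +0000] conn=380 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000660001
[18/Mar/2019:10:46:58.614403297 +0000] conn=380 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="IPA Password Manager"
[18/Mar/2019:10:46:58.615899244 +0000] conn=380 op=3 RESULT err=50 tag=120 nentries=0 etime=0.0001635916
[18/Mar/2019:10:46:58.620618391 +0000] conn=380 op=4 UNBIND
[18/Mar/2019:10:46:58.620681680 +0000] conn=380 op=4 fd=110 closed - U1
[18/Mar/2019:10:47:10.000000000 +0000] conn=381 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[18/Mar/2019:10:47:10.010000000 +0000] conn=381 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0010000000 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"
[18/Mar/2019:10:47:10.020000000 +0000] conn=381 op=1 SRCH base="cn=users,cn=accounts,dc=ipa,dc=test" scope=2 filter="(&(krbPrincipalName=someuser@IPA.TEST)(objectClass=posixaccount))" attrs=""
[18/Mar/2019:10:47:10.021000000 +0000] conn=381 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001000000
[18/Mar/2019:10:47:10.022000000 +0000] conn=381 op=2 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="IPA Password Manager"
[18/Mar/2019:10:47:10.030000000 +0000] conn=381 op=2 RESULT err=0 tag=120 nentries=0 etime=0.0080000000
[18/Mar/2019:10:47:10.031000000 +0000] conn=381 op=3 UNBIND
"""

Event = namedtuple("Event", "ts conn bound_as probable_target err outcome")


def audit_password_changes(lines):
    """Return one Event per Password Modify attempt found in an access log.

    State is kept per connection: who it bound as, which BIND op still awaits
    its RESULT (SASL binds report the mapped DN on the RESULT line, simple
    binds on the BIND line), and the last krbPrincipalName searched for.
    """
    bound_as = {}        # conn -> DN the connection authenticated as
    bind_op = {}         # conn -> op number of a BIND awaiting its RESULT
    last_principal = {}  # conn -> last principal looked up (heuristic target)
    pending = {}         # (conn, op) -> timestamp of an outstanding Password Modify
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an op record (e.g. startup banner); ignore
        ts, rest = m.group("ts"), m.group("rest")
        conn, op = int(m.group("conn")), int(m.group("op"))
        if rest.startswith("BIND"):
            bind_op[conn] = op
            dn = DN_RE.search(rest)
            if dn and dn.group(1):
                bound_as[conn] = dn.group(1)
        elif rest.startswith("SRCH"):
            p = PRINC_RE.search(rest)
            if p:
                last_principal[conn] = p.group(1)
        elif rest.startswith("EXT"):
            oid = OID_RE.search(rest)
            if oid and oid.group(1) == PASSWD_MODIFY_OID:
                pending[(conn, op)] = ts
        elif rest.startswith("RESULT"):
            if bind_op.get(conn) == op:
                dn = DN_RE.search(rest)
                if dn and dn.group(1):
                    bound_as[conn] = dn.group(1)
                bind_op.pop(conn, None)
            if (conn, op) in pending:
                err_m = ERR_RE.search(rest)
                err = int(err_m.group(1)) if err_m else -1
                if err == 0:
                    outcome = "changed"
                elif err == LDAP_INSUFFICIENT_ACCESS:
                    outcome = "denied"
                else:
                    outcome = "failed"
                events.append(Event(pending.pop((conn, op)), conn,
                                    bound_as.get(conn, "?"),
                                    last_principal.get(conn, "?"), err, outcome))
        elif rest.startswith("UNBIND"):
            for state in (bound_as, bind_op, last_principal):
                state.pop(conn, None)
    return events


if __name__ == "__main__":
    for ev in audit_password_changes(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} conn={ev.conn} {ev.bound_as} -> {ev.probable_target}: "
              f"{ev.outcome} (err={ev.err})")
```

Run against a real file with `audit_password_changes(open("/var/log/dirsrv/slapd-<INSTANCE>/access"))`; the first event reproduces the denial Alexander points at (anotheruser, err=50), the constructed second one shows what an authorised change looks like, so a sudden run of "changed" events from non-admin bind DNs is the thing to alert on.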