Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Undefined
Fix Version/s: rhel-10.2
Affects Version/s: None
Component/s: ipa
Labels:
- fixed_upstream
- upstream-in-progress

Fixed in Build:
ipa-4.12.2-27.el10
Severity:
None
Epic Link:
IDM-1850
sprint_count:
1

AssignedTeam:
rhel-idm-ipa

Dev Target Milestone:
13
Internal Target Milestone:
15
Story Points:
1
ACKs Check:

QE ack, Dev ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
IPA: RHELs for 10.2 and 9.8

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/154934
Test Coverage:

Automated

Release Note Type:
Feature
Release Note Text:

Hide
Feature, enhancement: LDAP system accounts
IdM now provides the ability to configure external password reset agents

Reason: When integrating IdM with external applications that do not support kerberos authentication, it is now possible to define a system account for the external application that may be granted password reset privileges and authenticates using LDAP.

Result: External applications can now integrate their own secure password reset solutions with IdM

Show
Feature, enhancement: LDAP system accounts IdM now provides the ability to configure external password reset agents Reason: When integrating IdM with external applications that do not support kerberos authentication, it is now possible to define a system account for the external application that may be granted password reset privileges and authenticates using LDAP. Result: External applications can now integrate their own secure password reset solutions with IdM
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Goal

As an IdM administrator, I want to configure external password reset agents (e.g., CyberArk) to use the ipa_pwd_extop mechanism, so that privileged password resets can be performed securely without forcing users to change their password at next login

Acceptance criteria

Verify that an external agent can authenticate with a privileged DN.
Verify that the agent can reset a user’s password using ipa_pwd_extop.
Verify that the user is not forced to reset their password upon next login.
Verify that audit/logging records the reset action.
Verify that documentation clearly explains setup and security best practices.

links to

freeipa pagure 9842

RHSA-2025:154934 ipa security update

Assignee:: Florence Renaud

Reporter:: Francisco Trivino Garcia

Developer:: Florence Renaud

QA Contact:: Anuja More

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2025/08/20 10:51 AM

Updated:: 2025/12/15 8:37 AM

Dev Target end:: 2025/11/24

Target end:: 2025/12/08

Next Planned Release Date:: 2026/05/12

Details

Description

Goal

Acceptance criteria

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates