Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-4965

Allowing idp-user-id modification with ipa user-mod after removing idp

    • ipa-4.9.13-1.module+el8.10.0+20723+03062ebd
    • None
    • None
    • 2
    • sst_idm_ipa
    • ssg_idm
    • 13
    • 16
    • 3
    • False
    • Hide

      None

      Show
      None
    • No
    • 2023-Q4-Bravo-S5, 2023-Q4-Bravo-S6
    • If docs needed, set a value
    • None

      Description of problem:
      Allowing idp-user-id modification with ipa user-mod after removing idp.

      Version-Release number of selected component (if applicable):
      ipa-server-4.9.12-7

      Steps to Reproduce:
      1. Modify user without --idp attribute ==== ipa user-mod fails as expected
      (ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test)

      2. Modify user with --idp attribute
      (ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test)

      3. Remove idp from server
      (ipa idp-del MytestIdP)

      4. Modify user without --idp attribute ==== ipa user-mod command succeed
      (ipa user-mod idpuser1 --idp-user-id=newtest.domain.test)

      Actual results:
      ipa user-mod (Step 4) succeeded after IDP removed

      Expected results:
      Step 4 should report the error.

      Additional info:

      [root@master ~]# ipa user-show idpuser1
      User login: idpuser1
      First name: useridp
      Last name: user
      Home directory: /home/idpuser1
      Login shell: /bin/sh
      Principal name: idpuser1@IPADOMAIN.TEST
      Principal alias: idpuser1@IPADOMAIN.TEST
      Email address: idpuser1@ipadomain.test
      UID: 1381800005
      GID: 1381800005
      Account disabled: False
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False

      [root@master ~]# ipa idp-show MytestIdP
      Identity Provider reference name: MytestIdP
      Authorization URI: https://accounts.google.com/o/oauth2/auth
      Device authorization URI: https://oauth2.googleapis.com/device/code
      Token URI: https://oauth2.googleapis.com/token
      User info URI: https://openidconnect.googleapis.com/v1/userinfo
      JWKS URI: https://www.googleapis.com/oauth2/v3/certs
      Client identifier: i1qawe23
      Scope: openid email
      External IdP user identifier attribute: email

      • 1. Modify user without --idp attribute ==== ipa user-mod fails as expected

      [root@master ~]# ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test
      ipa: ERROR: attribute "ipaIdpSub" not allowed

      • 2. Modify user with --idp attribute

      [root@master ~]# ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test
      ------------------------
      Modified user "idpuser1"
      ------------------------
      User login: idpuser1
      First name: useridp
      Last name: user
      Home directory: /home/idpuser1
      Login shell: /bin/sh
      Principal name: idpuser1@IPADOMAIN.TEST
      Principal alias: idpuser1@IPADOMAIN.TEST
      Email address: idpuser1@ipadomain.test
      UID: 1381800005
      GID: 1381800005
      External IdP configuration: MytestIdP
      External IdP user identifier: new.mydomain2.test
      Account disabled: False
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False

      • 3. Remove idp from server

      [root@master ~]# ipa idp-del MytestIdP
      -----------------------------------------------
      Deleted Identity Provider reference "MytestIdP"
      -----------------------------------------------

      • 4. Modify user without --idp attribute ==== ipa user-mod command succeed

      [root@master ~]# ipa user-mod idpuser1 --idp-user-id=newtest.domain.test
      ------------------------
      Modified user "idpuser1"
      ------------------------
      User login: idpuser1
      First name: useridp
      Last name: user
      Home directory: /home/idpuser1
      Login shell: /bin/sh
      Principal name: idpuser1@IPADOMAIN.TEST
      Principal alias: idpuser1@IPADOMAIN.TEST
      Email address: idpuser1@ipadomain.test
      UID: 1381800005
      GID: 1381800005
      External IdP user identifier: newtest.domain.test
      Account disabled: False
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False

            frenaud@redhat.com Florence Renaud
            mvarun@redhat.com Varun Mylaraiah
            Florence Renaud Florence Renaud
            Michal Polovka Michal Polovka
            Votes:
            0 Vote for this issue
            Watchers:
            11 Start watching this issue

              Created:
              Updated:
              Resolved: