-
Bug
-
Resolution: Done-Errata
-
Undefined
-
rhel-8.9.0
-
ipa-4.9.13-1.module+el8.10.0+20723+03062ebd
-
None
-
None
-
2
-
sst_idm_ipa
-
ssg_idm
-
13
-
16
-
3
-
False
-
-
No
-
2023-Q4-Bravo-S5, 2023-Q4-Bravo-S6
-
If docs needed, set a value
-
-
x86_64
-
None
Description of problem:
Allowing idp-user-id modification with ipa user-mod after removing idp.
Version-Release number of selected component (if applicable):
ipa-server-4.9.12-7
Steps to Reproduce:
1. Modify user without --idp attribute ==== ipa user-mod fails as expected
(ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test)
2. Modify user with --idp attribute
(ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test)
3. Remove idp from server
(ipa idp-del MytestIdP)
4. Modify user without --idp attribute ==== ipa user-mod command succeed
(ipa user-mod idpuser1 --idp-user-id=newtest.domain.test)
Actual results:
ipa user-mod (Step 4) succeeded after IDP removed
Expected results:
Step 4 should report the error.
Additional info:
[root@master ~]# ipa user-show idpuser1
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa idp-show MytestIdP
Identity Provider reference name: MytestIdP
Authorization URI: https://accounts.google.com/o/oauth2/auth
Device authorization URI: https://oauth2.googleapis.com/device/code
Token URI: https://oauth2.googleapis.com/token
User info URI: https://openidconnect.googleapis.com/v1/userinfo
JWKS URI: https://www.googleapis.com/oauth2/v3/certs
Client identifier: i1qawe23
Scope: openid email
External IdP user identifier attribute: email
- 1. Modify user without --idp attribute ==== ipa user-mod fails as expected
[root@master ~]# ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test
ipa: ERROR: attribute "ipaIdpSub" not allowed
- 2. Modify user with --idp attribute
[root@master ~]# ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test
------------------------
Modified user "idpuser1"
------------------------
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
External IdP configuration: MytestIdP
External IdP user identifier: new.mydomain2.test
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
- 3. Remove idp from server
[root@master ~]# ipa idp-del MytestIdP
-----------------------------------------------
Deleted Identity Provider reference "MytestIdP"
-----------------------------------------------
- 4. Modify user without --idp attribute ==== ipa user-mod command succeed
[root@master ~]# ipa user-mod idpuser1 --idp-user-id=newtest.domain.test
------------------------
Modified user "idpuser1"
------------------------
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
External IdP user identifier: newtest.domain.test
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
- blocks
-
-
- Closed
-
- external trackers
- links to
-
RHBA-2023:125343
idm:client and idm:DL1 bug fix and enhancement update