Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-4966

Allowing idp-user-id modification with ipa user-mod after removing idp

    • ipa-4.11.0-1.el9
    • None
    • None
    • sst_idm_ipa
    • ssg_idm
    • 10
    • 12
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Release Note Not Required
    • None

      +++ This bug was initially created as a clone of Bug #2234480 +++

      Description of problem:
      Allowing idp-user-id modification with ipa user-mod after removing idp.

      Version-Release number of selected component (if applicable):
      ipa-server-4.10.2-4.el9.x86_64

      Steps to Reproduce:
      1. Modify user without --idp attribute ==== ipa user-mod fails as expected
      (ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test)

      2. Modify user with --idp attribute
      (ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test)

      3. Remove idp from server
      (ipa idp-del MytestIdP)

      4. Modify user without --idp attribute ==== ipa user-mod command succeed
      (ipa user-mod idpuser1 --idp-user-id=newtest.domain.test)

      Actual results:
      ipa user-mod (Step 4) succeeded after IDP removed

      Expected results:
      Step 4 should report the error.

      Additional info:

      [root@master ~]# ipa user-show idpuser1
      User login: idpuser1
      First name: useridp
      Last name: user
      Home directory: /home/idpuser1
      Login shell: /bin/sh
      Principal name: idpuser1@IPADOMAIN.TEST
      Principal alias: idpuser1@IPADOMAIN.TEST
      Email address: idpuser1@ipadomain.test
      UID: 1381800005
      GID: 1381800005
      Account disabled: False
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False

      [root@master ~]# ipa idp-show MytestIdP
      Identity Provider reference name: MytestIdP
      Authorization URI: https://accounts.google.com/o/oauth2/auth
      Device authorization URI: https://oauth2.googleapis.com/device/code
      Token URI: https://oauth2.googleapis.com/token
      User info URI: https://openidconnect.googleapis.com/v1/userinfo
      JWKS URI: https://www.googleapis.com/oauth2/v3/certs
      Client identifier: i1qawe23
      Scope: openid email
      External IdP user identifier attribute: email

      • 1. Modify user without --idp attribute ==== ipa user-mod fails as expected

      [root@master ~]# ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test
      ipa: ERROR: attribute "ipaIdpSub" not allowed

      • 2. Modify user with --idp attribute

      [root@master ~]# ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test
      ------------------------
      Modified user "idpuser1"
      ------------------------
      User login: idpuser1
      First name: useridp
      Last name: user
      Home directory: /home/idpuser1
      Login shell: /bin/sh
      Principal name: idpuser1@IPADOMAIN.TEST
      Principal alias: idpuser1@IPADOMAIN.TEST
      Email address: idpuser1@ipadomain.test
      UID: 1381800005
      GID: 1381800005
      External IdP configuration: MytestIdP
      External IdP user identifier: new.mydomain2.test
      Account disabled: False
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False

      • 3. Remove idp from server

      [root@master ~]# ipa idp-del MytestIdP
      -----------------------------------------------
      Deleted Identity Provider reference "MytestIdP"
      -----------------------------------------------

      • 4. Modify user without --idp attribute ==== ipa user-mod command succeed

      [root@master ~]# ipa user-mod idpuser1 --idp-user-id=newtest.domain.test
      ------------------------
      Modified user "idpuser1"
      ------------------------
      User login: idpuser1
      First name: useridp
      Last name: user
      Home directory: /home/idpuser1
      Login shell: /bin/sh
      Principal name: idpuser1@IPADOMAIN.TEST
      Principal alias: idpuser1@IPADOMAIN.TEST
      Email address: idpuser1@ipadomain.test
      UID: 1381800005
      GID: 1381800005
      External IdP user identifier: newtest.domain.test
      Account disabled: False
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False

            frenaud@redhat.com Florence Renaud
            mvarun@redhat.com Varun Mylaraiah
            Anuja More Anuja More
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: