Bug | Resolution: Done-Errata | rhel-9.3.0 | ipa-4.11.0-1.el9 | sst_idm_ipa | ssg_idm | x86_64 | Automated | Release Note Not Required
+++ This bug was initially created as a clone of Bug #2234480 +++
Description of problem:
Allowing idp-user-id modification with ipa user-mod after removing idp.
Version-Release number of selected component (if applicable):
ipa-server-4.10.2-4.el9.x86_64
Steps to Reproduce:
1. Modify user without --idp attribute ==== ipa user-mod fails as expected
(ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test)
2. Modify user with --idp attribute
(ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test)
3. Remove idp from server
(ipa idp-del MytestIdP)
4. Modify user without --idp attribute ==== ipa user-mod command succeeds
(ipa user-mod idpuser1 --idp-user-id=newtest.domain.test)
Actual results:
ipa user-mod (Step 4) succeeded after the IdP was removed
Expected results:
Step 4 should report the error.
Additional info:
[root@master ~]# ipa user-show idpuser1
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa idp-show MytestIdP
Identity Provider reference name: MytestIdP
Authorization URI: https://accounts.google.com/o/oauth2/auth
Device authorization URI: https://oauth2.googleapis.com/device/code
Token URI: https://oauth2.googleapis.com/token
User info URI: https://openidconnect.googleapis.com/v1/userinfo
JWKS URI: https://www.googleapis.com/oauth2/v3/certs
Client identifier: i1qawe23
Scope: openid email
External IdP user identifier attribute: email
1. Modify user without --idp attribute ==== ipa user-mod fails as expected
[root@master ~]# ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test
ipa: ERROR: attribute "ipaIdpSub" not allowed
2. Modify user with --idp attribute
[root@master ~]# ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test
------------------------
Modified user "idpuser1"
------------------------
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
External IdP configuration: MytestIdP
External IdP user identifier: new.mydomain2.test
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
3. Remove idp from server
[root@master ~]# ipa idp-del MytestIdP
-----------------------------------------------
Deleted Identity Provider reference "MytestIdP"
-----------------------------------------------
4. Modify user without --idp attribute ==== ipa user-mod command succeeds
[root@master ~]# ipa user-mod idpuser1 --idp-user-id=newtest.domain.test
------------------------
Modified user "idpuser1"
------------------------
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
External IdP user identifier: newtest.domain.test
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
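The four steps above show a dangling-reference problem: deleting the IdP leaves the user's link to it in place, and the check that guards --idp-user-id only looks for the link, not for whether the linked IdP still exists. The following is an added, constructed model of that check (it is not FreeIPA's code and does not claim to be the fix that shipped). The attribute name ipaIdpSub comes from the error message on this page; the name of the IdP link attribute, ipaidpconfiglink, and the option dictionary shape are assumptions made for the model. `strict=False` reproduces the reported behaviour, `strict=True` shows the additional existence check that makes Step 4 fail as expected.

```python
"""Constructed model of the idp-user-id validation discussed in this bug.
Not FreeIPA code; attribute names other than ipaIdpSub are assumptions."""

IDP_SUB_ATTR = "ipaIdpSub"          # attribute named in the page's error message
IDP_LINK_ATTR = "ipaidpconfiglink"  # assumed name of the user -> IdP link attribute


class ValidationError(Exception):
    """Raised when a user-mod request must be rejected."""


def idp_exists(idp_name, server_idps):
    """True if an IdP reference with this name is still defined on the server."""
    return idp_name in server_idps


def validate_user_mod(entry, options, server_idps, strict=True):
    """Apply user-mod options to a copy of `entry` or raise ValidationError.

    entry:       dict of the user's current attributes
    options:     dict of CLI options, e.g. {"idp": "MytestIdP", "idp_user_id": "x"}
    server_idps: set of IdP reference names currently defined on the server
    strict=False: a link on the entry is enough (reported behaviour)
    strict=True:  the linked IdP must also still exist (expected behaviour)
    """
    new_entry = dict(entry)
    if "idp" in options:
        if not idp_exists(options["idp"], server_idps):
            raise ValidationError(f"IdP {options['idp']!r} not found")
        new_entry[IDP_LINK_ATTR] = options["idp"]
    if "idp_user_id" in options:
        link = new_entry.get(IDP_LINK_ATTR)
        if link is None:
            # No IdP configured for this user: ipaIdpSub may not be set.
            raise ValidationError(f'attribute "{IDP_SUB_ATTR}" not allowed')
        if strict and not idp_exists(link, server_idps):
            # Dangling link: the IdP was deleted after the user was linked to it.
            raise ValidationError(
                f'attribute "{IDP_SUB_ATTR}" not allowed: IdP {link!r} no longer exists')
        new_entry[IDP_SUB_ATTR] = options["idp_user_id"]
    return new_entry


def idp_del(idp_name, server_idps):
    """Delete an IdP reference; user entries linking to it are not cleaned up."""
    server_idps.discard(idp_name)


def reproduce(strict):
    """Walk through the bug's four steps; return one outcome string per step."""
    server_idps = {"MytestIdP"}        # constructed server state
    user = {"uid": "idpuser1"}         # constructed user entry, not yet linked
    results = []

    # Step 1: --idp-user-id without --idp must fail.
    try:
        validate_user_mod(user, {"idp_user_id": "new.mydomain2.test"}, server_idps, strict)
        results.append("ok")
    except ValidationError as e:
        results.append(f"error: {e}")

    # Step 2: --idp together with --idp-user-id succeeds and links the user.
    user = validate_user_mod(
        user, {"idp": "MytestIdP", "idp_user_id": "new.mydomain2.test"}, server_idps, strict)
    results.append("ok")

    # Step 3: delete the IdP; the user's link attribute is left dangling.
    idp_del("MytestIdP", server_idps)
    results.append("ok")

    # Step 4: --idp-user-id without --idp; should fail, but only does so when strict.
    try:
        validate_user_mod(user, {"idp_user_id": "newtest.domain.test"}, server_idps, strict)
        results.append("ok")
    except ValidationError as e:
        results.append(f"error: {e}")
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}:", reproduce(mode))
```

With `strict=False` the outcomes are error, ok, ok, ok, matching the report; with `strict=True` Step 4 is rejected because the link points at an IdP that no longer exists. The same existence check is what a reviewer would look for wherever an attribute is gated on a reference to another entry that can be deleted independently.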
Is blocked by: RHEL-4965 Allowing idp-user-id modification with ipa user-mod after removing idp (Closed)
External trackers / links to: RHBA-2023:121880 ipa bug fix and enhancement update