Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-9.4
Affects Version/s: rhel-9.3.0
Component/s: ipa
Labels:

Fixed in Build:
ipa-4.11.0-1.el9
Regression:
None
Epic Link:
FREEIPA-10424

Pool Team:

sst_idm_ipa
Sub-System Group:

ssg_idm

Dev Target Milestone:
10
Internal Target Milestone:
12
Story Points:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Preliminary Testing:
Pass
Test Link:
https://polarion.engineering.redhat.com/polarion/#/project/RHEL_IDM/workitem?id=IDM-300496
Testable Builds:
ipa-4.11.0-1.el9
Errata Link:
https://errata.devel.redhat.com/advisory/121880
Test Coverage:

Automated

Release Note Type:
Release Note Not Required

Experience:
Architecture:

x86_64
Bugzilla Bug:
RHBZ: 2234481

PX Review Complete:
PX Scheduling Request:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

+++ This bug was initially created as a clone of Bug #2234480 +++

Description of problem:
Allowing idp-user-id modification with ipa user-mod after removing idp.

Version-Release number of selected component (if applicable):
ipa-server-4.10.2-4.el9.x86_64

Steps to Reproduce:
1. Modify user without --idp attribute ==== ipa user-mod fails as expected
(ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test)

2. Modify user with --idp attribute
(ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test)

3. Remove idp from server
(ipa idp-del MytestIdP)

4. Modify user without --idp attribute ==== ipa user-mod command succeed
(ipa user-mod idpuser1 --idp-user-id=newtest.domain.test)

Actual results:
ipa user-mod (Step 4) succeeded after IDP removed

Expected results:
Step 4 should report the error.

Additional info:

[root@master ~]# ipa user-show idpuser1
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False

[root@master ~]# ipa idp-show MytestIdP
Identity Provider reference name: MytestIdP
Authorization URI: https://accounts.google.com/o/oauth2/auth
Device authorization URI: https://oauth2.googleapis.com/device/code
Token URI: https://oauth2.googleapis.com/token
User info URI: https://openidconnect.googleapis.com/v1/userinfo
JWKS URI: https://www.googleapis.com/oauth2/v3/certs
Client identifier: i1qawe23
Scope: openid email
External IdP user identifier attribute: email

1. Modify user without --idp attribute ==== ipa user-mod fails as expected

[root@master ~]# ipa user-mod idpuser1 --idp-user-id=new.mydomain2.test
ipa: ERROR: attribute "ipaIdpSub" not allowed

2. Modify user with --idp attribute

[root@master ~]# ipa user-mod idpuser1 --idp=MytestIdP --idp-user-id=new.mydomain2.test
------------------------
Modified user "idpuser1"
------------------------
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
External IdP configuration: MytestIdP
External IdP user identifier: new.mydomain2.test
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False

3. Remove idp from server

[root@master ~]# ipa idp-del MytestIdP
-----------------------------------------------
Deleted Identity Provider reference "MytestIdP"
-----------------------------------------------

4. Modify user without --idp attribute ==== ipa user-mod command succeed

[root@master ~]# ipa user-mod idpuser1 --idp-user-id=newtest.domain.test
------------------------
Modified user "idpuser1"
------------------------
User login: idpuser1
First name: useridp
Last name: user
Home directory: /home/idpuser1
Login shell: /bin/sh
Principal name: idpuser1@IPADOMAIN.TEST
Principal alias: idpuser1@IPADOMAIN.TEST
Email address: idpuser1@ipadomain.test
UID: 1381800005
GID: 1381800005
External IdP user identifier: newtest.domain.test
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False

is blocked by

RHEL-4965 Allowing idp-user-id modification with ipa user-mod after removing idp

Closed

external trackers

Fedora Pagure freeipa/issue/9433

PnT-DevOps Jira RHELPLAN-158746

Red Hat Issue Tracker FREEIPA-10306

Red Hat Issue Tracker RHELPLAN-166444

links to

RHBA-2023:121880 ipa bug fix and enhancement update

(1 links to)

Assignee:: Florence Renaud

Reporter:: Varun Mylaraiah

QA Contact:: Anuja More

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2023/09/18 11:11 PM

Updated:: 2024/05/29 5:47 PM

Resolved:: 2024/04/30 9:39 AM

Dev Target end:: 2023/11/06

Target end:: 2023/11/20

Release Date:: 2024/04/30

Details

Description

Attachments

Issue Links

Activity

People

Dates