Back to bug 1320715
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Amy Farley | 2016-03-23 19:41:08 UTC | CC | afarley | |
| Nathan Kinder | 2016-03-23 19:44:13 UTC | Priority | unspecified | high |
| | | Severity | unspecified | high |
| Marc Sauton | 2016-03-23 19:55:42 UTC | Priority | high | urgent |
| | | CC | msauton | |
| | | Hardware | Unspecified | All |
| | | OS | Unspecified | Linux |
| | | Severity | high | urgent |
| Noriko Hosoi | 2016-03-24 22:51:34 UTC | Status | NEW | POST |
| | | CC | batkisso | |
| | | Flags | needinfo?(batkisso) | |
| Noriko Hosoi | 2016-03-28 17:21:19 UTC | Status | POST | MODIFIED |
| Marcel Kolaja | 2016-03-29 10:37:19 UTC | Blocks | 1321891 | |
| Marcel Kolaja | 2016-03-29 10:37:43 UTC | Keywords | ZStream | |
| German Parente | 2016-03-29 18:32:50 UTC | CC | gparente | |
| Noriko Hosoi | 2016-03-31 01:55:05 UTC | Doc Text | Cause: Reversible Password Plugin used to use DES for the encryption. It had been switched to AES. In the upgrade from rhel-7.1 to 7.2, 389-ds-base upgrade converts the DES encrypted password to the AES encrypted one. The process of converting DES passwords to AES can incorrectly disable the DES plugin if an error is encountered. In this case it was because a backend was defined but was missing the top entry which led to an error 32 when searching for DES passwords. Consequence: This causes the existing DES passwords to fail to decode. Fix: There are two issues here. One, we should ignore errors when searching all the backends for passwords. Two, we should only disable the DES plugin if all the DES passwords were successfully converted. Result: Even if there is an empty backend, the conversion does not fail. Even if the conversion fails for any other reasons, the DES plugin is not disabled so that the not converted passwords are successfully decrypted. |
| Brian J. Atkisson | 2016-04-18 12:49:59 UTC | Flags | needinfo?(batkisso) | |
| Noriko Hosoi | 2016-05-04 19:27:38 UTC | Fixed In Version | 389-ds-base-1.3.5.2-1.el7 | |
| errata-xmlrpc | 2016-05-04 20:09:07 UTC | Status | MODIFIED | ON_QA |
| Punit Kundal | 2016-07-12 09:07:30 UTC | Status | ON_QA | VERIFIED |
| | | CC | pkundal | |
| Petr Bokoc | 2016-07-26 14:38:56 UTC | CC | pbokoc | |
| | | Doc Text | Cause: Reversible Password Plugin used to use DES for the encryption. It had been switched to AES. In the upgrade from rhel-7.1 to 7.2, 389-ds-base upgrade converts the DES encrypted password to the AES encrypted one. The process of converting DES passwords to AES can incorrectly disable the DES plugin if an error is encountered. In this case it was because a backend was defined but was missing the top entry which led to an error 32 when searching for DES passwords. Consequence: This causes the existing DES passwords to fail to decode. Fix: There are two issues here. One, we should ignore errors when searching all the backends for passwords. Two, we should only disable the DES plugin if all the DES passwords were successfully converted. Result: Even if there is an empty backend, the conversion does not fail. Even if the conversion fails for any other reasons, the DES plugin is not disabled so that the not converted passwords are successfully decrypted. | During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the Reversible Password Plug-in was changed from DES to AES, and 389-ds-base automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an "error 32" if any defined backend was missing the top entry. Additionally, even if the conversion failed, 389-ds-base still disabled the DES plug-in, which caused existing passwords to fail to decode. This bug has been fixed, 389-ds-base now ignores errors when searching backends for passwords to convert, and the DES plug-in is now only disabled after all passwords using the DES algorithm were successfully converted to AES. |
| Petr Bokoc | 2016-08-01 11:14:33 UTC | Doc Text | During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the Reversible Password Plug-in was changed from DES to AES, and 389-ds-base automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an "error 32" if any defined backend was missing the top entry. Additionally, even if the conversion failed, 389-ds-base still disabled the DES plug-in, which caused existing passwords to fail to decode. This bug has been fixed, 389-ds-base now ignores errors when searching backends for passwords to convert, and the DES plug-in is now only disabled after all passwords using the DES algorithm were successfully converted to AES. | Password conversion from *DES* to *AES* no longer fails During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the *Reversible Password Plug-in* was changed from *DES* to *AES*, and _389-ds-base_ automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined backend was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the *DES* plug-in, which caused existing passwords to fail to decode. This bug has been fixed, _389-ds-base_ now ignores errors when searching backends for passwords to convert, and the *DES* plug-in is now only disabled after all passwords are successfully converted to *AES*. |
| Petr Bokoc | 2016-08-01 11:37:56 UTC | Docs Contact | pbokoc | |
| Petr Bokoc | 2016-08-05 14:49:57 UTC | Doc Text | Password conversion from *DES* to *AES* no longer fails During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the *Reversible Password Plug-in* was changed from *DES* to *AES*, and _389-ds-base_ automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined backend was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the *DES* plug-in, which caused existing passwords to fail to decode. This bug has been fixed, _389-ds-base_ now ignores errors when searching backends for passwords to convert, and the *DES* plug-in is now only disabled after all passwords are successfully converted to *AES*. | Password conversion from *DES* to *AES* now works properly During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the *Reversible Password Plug-in* was changed from *DES* to *AES*, and _389-ds-base_ automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined backend was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the *DES* plug-in, which caused existing passwords to fail to decode. This bug has been fixed, _389-ds-base_ now ignores errors when searching backends for passwords to convert, and the *DES* plug-in is now only disabled after all passwords are successfully converted to *AES*. |
| Petr Bokoc | 2016-08-19 12:44:14 UTC | Doc Text | Password conversion from *DES* to *AES* now works properly During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the *Reversible Password Plug-in* was changed from *DES* to *AES*, and _389-ds-base_ automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined backend was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the *DES* plug-in, which caused existing passwords to fail to decode. This bug has been fixed, _389-ds-base_ now ignores errors when searching backends for passwords to convert, and the *DES* plug-in is now only disabled after all passwords are successfully converted to *AES*. | Password conversion from *DES* to *AES* now works properly During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the *Reversible Password Plug-in* was changed from *DES* to *AES*. Directory Server automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined back end was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the *DES* plug-in, which caused existing passwords to fail to decode. This bug has been fixed, _389-ds-base_ now ignores errors when searching back ends for passwords to convert, and the *DES* plug-in is now only disabled after all passwords are successfully converted to *AES*. |
| errata-xmlrpc | 2016-11-02 12:25:48 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-11-03 20:40:45 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2016-11-03 16:40:45 UTC | |
| Simon Pichugin | 2020-09-13 21:42:26 UTC | Link ID | Github 389ds/389-ds-base/issues/1837 | |