Back to bug 1321891
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Noriko Hosoi | 2016-03-29 16:51:48 UTC | Status | NEW | POST |
| Noriko Hosoi | 2016-03-31 01:10:17 UTC | Status | POST | MODIFIED |
| | | Fixed In Version | | 389-ds-base-1.3.4.0-30.el7_2 |
| errata-xmlrpc | 2016-03-31 01:12:13 UTC | Status | MODIFIED | ON_QA |
| Noriko Hosoi | 2016-03-31 01:54:35 UTC | Doc Text | | Cause: Reversible Password Plugin used to use DES for the encryption. It had been switched to AES. In the upgrade from rhel-7.1 to 7.2, 389-ds-base upgrade converts the DES encrypted password to the AES encrypted one. The process of converting DES passwords to AES can incorrectly disable the DES plugin if an error is encountered. In this case it was because a backend was defined but was missing the top entry which led to an error 32 when searching for DES passwords. Consequence: This causes the existing DES passwords to fail to decode. Fix: There are two issues here. One, we should ignore errors when searching all the backends for passwords. Two, we should only disable the DES plugin if all the DES passwords were successfully converted. Result: Even if there is an empty backend, the conversion does not fail. Even if the conversion fails for any other reasons, the DES plugin is not disabled so that the not converted passwords are successfully decrypted. |
| Viktor Ashirov | 2016-04-11 08:57:51 UTC | Status | ON_QA | VERIFIED |
| Petr Bokoc | 2016-04-12 12:36:41 UTC | CC | pbokoc | |
| | | Doc Text | Cause: Reversible Password Plugin used to use DES for the encryption. It had been switched to AES. In the upgrade from rhel-7.1 to 7.2, 389-ds-base upgrade converts the DES encrypted password to the AES encrypted one. The process of converting DES passwords to AES can incorrectly disable the DES plugin if an error is encountered. In this case it was because a backend was defined but was missing the top entry which led to an error 32 when searching for DES passwords. Consequence: This causes the existing DES passwords to fail to decode. Fix: There are two issues here. One, we should ignore errors when searching all the backends for passwords. Two, we should only disable the DES plugin if all the DES passwords were successfully converted. Result: Even if there is an empty backend, the conversion does not fail. Even if the conversion fails for any other reasons, the DES plugin is not disabled so that the not converted passwords are successfully decrypted. | During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the Reversible Password Plug-in was changed from DES to AES, and 389-ds-base automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an "error 32" if any defined backend was missing the top entry. Additionally, even if the conversion failed, 389-ds-base still disabled the DES plug-in, which caused existing passwords to fail to decode. This bug has been fixed; 389-ds-base now ignores errors when searching backends for passwords to convert, and the DES plug-in is now only disabled after all passwords using the DES algorithm were successfully converted to AES. |
| Petr Bokoc | 2016-04-20 11:44:07 UTC | Docs Contact | pbokoc | |
| | | Flags | | needinfo?(nhosoi) |
| Noriko Hosoi | 2016-04-20 15:56:48 UTC | Flags | needinfo?(nhosoi) | |
| errata-xmlrpc | 2016-05-04 17:38:52 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-05-12 09:59:24 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | | 2016-05-12 05:59:24 UTC |