Bug 1320715

Summary: DES to AES password conversion fails if a backend is empty
Product: Red Hat Enterprise Linux 7 Reporter: mreynolds
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: urgent Docs Contact: Petr Bokoc <pbokoc>
Priority: urgent    
Version: 7.3CC: afarley, batkisso, gparente, msauton, nkinder, pbokoc, pkundal, rmeggins
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.5.2-1.el7 Doc Type: Bug Fix
Doc Text:
Password conversion from *DES* to *AES* now works properly During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the *Reversible Password Plug-in* was changed from *DES* to *AES*. Directory Server automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined back end was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the *DES* plug-in, which caused existing passwords to fail to decode. This bug has been fixed, _389-ds-base_ now ignores errors when searching back ends for passwords to convert, and the *DES* plug-in is now only disabled after all passwords are successfully converted to *AES*.
 Story Points: ---
Clone Of:
: 1321891 (view as bug list) Environment:
Last Closed: 2016-11-03 20:40:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1321891    

Description mreynolds 2016-03-23 19:38:27 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48777

At server startup the server tries to convert any DES passwords to AES.  But if a defined backend does not have any entries(err=32) when this process quits and it stops trying to convert DES passwords.  It should continue to try all the backends, even if it encounters an error.
Comment 3 mreynolds 2016-03-24 19:20:10 UTC 
Fixed upstream
Comment 9 Punit Kundal 2016-07-12 09:07:30 UTC 
RHEL:
RHEL 7.3 x86_64 Server
 
DS builds:
[root@localhost tickets]# rpm -qa | grep 389
389-ds-base-snmp-1.3.5.10-3.el7.x86_64
389-ds-base-1.3.5.10-3.el7.x86_64
389-ds-base-libs-1.3.5.10-3.el7.x86_64

Steps Performed:
1. Ran automated ticket 47462:
[root@localhost tickets]# py.test -v ticket47462_test.py
================================= test session starts ======================
platform linux2 -- Python 2.7.5, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python
cachedir: .cache
rootdir: /root/ds/dirsrvtests/tests/tickets, inifile:
collected 1 items
 
ticket47462_test.py::test_ticket47462 PASSED
 
========================== 1 passed in 64.51 seconds ===========================
 
As can be seen, automated test passed
Marking as verified
Comment 12 errata-xmlrpc 2016-11-03 20:40:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html