Bug 1372420

Summary: Backport AES storage scheme plugin.
Product: Red Hat Enterprise Linux 6 Reporter: German Parente <gparente>
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.9CC: mreynolds, msauton, nhosoi, nkinder, rmeggins, sramling
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: 389-ds-base-1.2.11.15-82.el6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1376676 (view as bug list) Environment:
Last Closed: 2017-03-21 10:23:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1376676    

Description German Parente 2016-09-01 16:10:12 UTC 
Description of problem:

Replication is encrypting credentials of replication bind user password using DES plugin.

This is considered as insecure as for:

https://fedorahosted.org/389/ticket/47462

The fix for this bug is only in RHEL7.

This bz is just to  document this security issue in RHEL6 version of 389-ds-base



Version-Release number of selected component (if applicable): 389-ds-base-1.2.11.15*
Comment 3 mreynolds 2016-09-06 20:08:16 UTC 
Fixed upstream in 1.2.11
Comment 5 Noriko Hosoi 2016-09-15 17:52:01 UTC 
*** Bug 1376558 has been marked as a duplicate of this bug. ***
Comment 10 Sankar Ramalingam 2016-11-18 08:54:03 UTC 
1). Checking the default encryption type for replica passwords, with older version of 389-ds-base.
[root@auto-hv-02-guest09 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64

[root@auto-hv-02-guest09 MMR_WINSYNC]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=1189_to_2616_on_auto-hv-02-guest09.idmqe.lab.eng.bos.redhat.com,cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" | grep -i nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

2). Upgrade to the latest RHEL-6.9 389-ds-base-1.2.11.15-85
[root@auto-hv-02-guest09 MMR_WINSYNC]# yum -y update 389-ds-base 389-ds-base-libs
[root@auto-hv-02-guest09 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-85.el6.x86_64
389-ds-base-libs-1.2.11.15-85.el6.x86_64

3). Running setup-ds.pl
[root@auto-hv-02-guest09 MMR_WINSYNC]# setup-ds.pl -u
[root@auto-hv-02-guest09 MMR_WINSYNC]# service dirsrv restart

4). Running ldapsearch to check if AES encryption is used.

[root@auto-hv-02-guest09 MMR_WINSYNC]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=1189_to_2616_on_auto-hv-02-guest09.idmqe.lab.eng.bos.redhat.com,cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" |grep -i  nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG

After upgrade, the default password storage scheme changed to AES. No issues with the restart of Directory servers. Hence, marking the bug as Verified.
Comment 12 errata-xmlrpc 2017-03-21 10:23:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0667.html