Bug 182507
| Summary: | clear-password mod from replica is discarded before changelogged | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Ulf Weltman <ulf.weltman> | ||||||||||||
| Component: | Replication - General | Assignee: | Noriko Hosoi <nhosoi> | ||||||||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> | ||||||||||||
| Severity: | high | Docs Contact: | |||||||||||||
| Priority: | high | ||||||||||||||
| Version: | 1.0 | CC: | amsharma, jgalipea, msauton, nhosoi, nkinder, rmeggins | ||||||||||||
| Target Milestone: | --- | ||||||||||||||
| Target Release: | --- | ||||||||||||||
| Hardware: | All | ||||||||||||||
| OS: | Linux | ||||||||||||||
| Whiteboard: | |||||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||
| Clone Of: | |||||||||||||||
| : | 804828 (view as bug list) | Environment: | |||||||||||||
| Last Closed: | 2015-12-07 17:13:28 UTC | Type: | --- | ||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||
| Documentation: | --- | CRM: | |||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||
| Embargoed: | |||||||||||||||
| Bug Depends On: | |||||||||||||||
| Bug Blocks: | 639035, 656390, 804828 | ||||||||||||||
| Attachments: |
|
||||||||||||||
latering to 8.2 Created attachment 458887 [details]
git patch file (master)
Phase 1.
Description: If a password is changed by the password change
extended operation, the hashed password is logged and also a
cleartext pseudo-attribute version is in the replication changelog.
In the current code, the pseudo-attribute is discarded in the
server frontend to avoid storing it in the backend DB. Therefore,
the other masters in an MMR topology have no chance to log it in
their changelogs.
This patch moved the pseudo-attribute elimination to the backend
(id2entry_add_ext in id2entry.c) to drop it before storing in
the database. Since the internal mod keeps it, the pseudo-
attribute is replicated and stored in the other masters' changelog,
as well.
Phase 2. Rich Megginson wrote: 1) password is stored unencrypted, so someone with access to the machine and disk can get it 2) password is sent on the wire unencrypted, so a network sniffer could get it for 1, the only recourse is to store it encrypted, which would require attrcrypt. The user can configure attribute encryption for this attribute. Same goes for 2 - use TLS/SSL/SASL for replication. That is, we let the user be insecure by default, but give them the tools and information to secure things themselves. This really isn't that different than other parts of the system - pam_ldap sends clear text passwords to the directory server, but you can configure it to use TLS. Created attachment 467113 [details] git patch file (master) Description: Replication drops unhashed passwords which is necessary for the AD password sync. This patch allows the passwords replicated and introduces a method to encrypt logs in the changelog. See also http://directory.fedoraproject.org/wiki/Changelog_Encryption Comment on attachment 467113 [details]
git patch file (master)
1) the use of the magic number 17 in the _cl5Entry2DBData - should use a macro or a #define for that number
2) _cl5WriteMod - if encryption is configured, but clcrypt_encrypt_value fails, seems that should be a hard failure - the user wants the data encrypted, but encryption is not available - I don't think the user wants unencrypted data showing up in the changelog
3) instead of copying/pasting all of that code from the core server attrcrypt code, could we expose those apis via slapi? copy/paste lots of code like this makes me nervous, doubly so if it is encryption code
All right. I'm going to open the phase 3 task for merging the attrcrypt and changelog encryption into libslapd. Created attachment 468499 [details] git patch file (master) Description: Replication drops unhashed passwords which is necessary for the AD password sync. This patch allows the passwords replicated and introduces a method to encrypt logs in the changelog. See also http://directory.fedoraproject.org/wiki/Changelog_Encryption Created attachment 468515 [details]
Additional diff
Thanks to Nathan for his comments. I'm adding this diff to the patch.
Created attachment 468942 [details]
yet another additional diff
The behaviour of the initialization code used by the changelog encryption was different from the attribute encryption's initialization.
The attribute encryption's case: if the symmetric key stored in the DS config failed to unwrap in attrcrypt_cipher_init, it logs an error message and returns an error.
The changelog encryption's case: if the symmetric key stored in the DS config failed to unwrap in _back_crypt_cipher_init, it generated a new key and replaced the old one with the new one. The old key was lost in the automatic replace.
To leave the method to recover the encrypted contents, changed the behaviour of _back_crypt_cipher_init to adjust to attrcrypt_cipher_init.
Thanks to Rich and Nathan for their reviews. Pushed to master. $ git merge 182507 Updating ba8c3c9..7aef407 Fast-forward Makefile.am | 1 + Makefile.in | 15 + ldap/servers/plugins/replication/cl5.h | 1 + ldap/servers/plugins/replication/cl5_api.c | 107 +++- ldap/servers/plugins/replication/cl5_api.h | 2 + ldap/servers/plugins/replication/cl5_config.c | 37 +- ldap/servers/plugins/replication/cl_crypt.c | 203 +++++ ldap/servers/plugins/replication/cl_crypt.h | 53 ++ ldap/servers/plugins/replication/repl_shared.h | 17 +- .../plugins/replication/windows_protocol_util.c | 2 +- ldap/servers/slapd/back-ldbm/dblayer.c | 42 +- ldap/servers/slapd/back-ldbm/id2entry.c | 20 +- ldap/servers/slapd/back-ldbm/init.c | 2 + ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 818 ++++++++++++++++---- ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 6 + ldap/servers/slapd/backend.c | 11 + ldap/servers/slapd/opshared.c | 7 +- ldap/servers/slapd/pblock.c | 6 + ldap/servers/slapd/slap.h | 3 + ldap/servers/slapd/slapi-plugin.h | 42 +- ldap/servers/slapd/slapi-private.h | 1 + 21 files changed, 1203 insertions(+), 193 deletions(-) create mode 100644 ldap/servers/plugins/replication/cl_crypt.c create mode 100644 ldap/servers/plugins/replication/cl_crypt.h $ git push Counting objects: 55, done. Delta compression using up to 2 threads. Compressing objects: 100% (29/29), done. Writing objects: 100% (29/29), 12.29 KiB, done. Total 29 (delta 26), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git ba8c3c9..7aef407 master -> master Executed test suit mmrepl/encchangelog. Results are ==> checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog TestCase [tp2] result-> [PASS] checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog TestCase [tp2] result-> [PASS] adding new entry uid=s2test0,ou=People,o=airius.com checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog TestCase [tp3] result-> [PASS] -----------------StopSlapd: Called ----------------- checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog TestCase [tp3] result-> [PASS] SASL/DIGEST-MD5 authentication started SASL username: s1test0 checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog TestCase [tp4] result-> [PASS] -----------------StopSlapd: Called ----------------- Calling StopSlapd /usr/lib64/dirsrv/slapd-amsharma/../slapd-s2 checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog TestCase [tp4] result-> [PASS] checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog TestCase [tp5] result-> [PASS] -----------------StopSlapd: Called ----------------- Calling StopSlapd /usr/lib64/dirsrv/slapd-amsharma/../slapd-s1 checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog TestCase [tp5] result-> [PASS] checkchangelog: successfully verified /var/lib/dirsrv/slapd-s2/db/changelog TestCase [tp6] result-> [PASS] checkchangelog: successfully verified /var/lib/dirsrv/slapd-s1/db/changelog TestCase [tp6] result-> [PASS] Hence Marking VERIFIED. Thanks Noriko. |
Description of problem: When a userPassword is changed in a server with changelog, the hashed password is logged and also a cleartext pseudo-attribute version. It looks like this: change:: replace: userPassword userPassword: {SSHA}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q== - replace: unhashed#user#password unhashed#user#password: secret12 This unhashed version is used in winsync where the cleartext version of the password must be written to the AD. Now if the DS is involved in replication with another DS, the change will be replayed exactly as it is logged to the other DS replicas, including the cleartext pseudo-attribute password. When it arrives on the "consumer" M2, op_shared_modify and op_shared_add will throw it out via the op_shared_is_allowed_attr function. That is the right thing to do because the pseudo-attribute should only ever exist in the changelog, not in the DIT. However, it's thrown out before it has a chance to be changelogged, so if the replica is involved in winsync, it will not be able to send the password update to AD. Version-Release number of selected component (if applicable): How reproducible: always Steps to Reproduce: 1. Set up DS in MMR mode, M1 and M2. Configure winsync between an AD and M1. 2. Change an NT user's password on M2. 3. The NT user's password will be updated on M1 and M2, but not AD. Dump changelogs on M1 and M2, note the discrepancy in what was changelogged for the operation. Actual results: Expected results: Additional info: