Bug 182509

Summary: RFE: cleartext userPassword value is sent unencrypted
Product: [Retired] 389 Reporter: Ulf Weltman <ulf.weltman>
Component: Replication - GeneralAssignee: Rich Megginson <rmeggins>
Status: CLOSED WORKSFORME QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.0CC: benl, djuran, grendelmans, jgalipea, nhosoi, nkinder, rdassen, thoger
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-09 22:47:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 512820, 690319    

Description Ulf Weltman 2006-02-22 22:24:58 UTC 
Description of problem:
When a changelog is enabled and a userPassword is modified, both the hash and
the cleartext are logged for winsync's benefit:
change::
replace: userPassword
userPassword: {SSHA}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12

The change (including the cleartext password) is sent to replicas (where the
cleartext password is actually ignored, see #182507).

We should probably require that MMR is configured with SSL if passwords are sent
in the clear.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.Configure two replicas with MMR, M1 and M2.
2.Change a userPassword in M2.

  
Actual results:


Expected results:


Additional info:
Comment 1 Sander Grendelman 2006-10-12 09:07:30 UTC 
The "unhashed#user#password" value is also stored in plain text in the
replication changelog under /opt/fedora-ds/slapd-<instance>/changelogdb/ .
Comment 2 Rich Megginson 2006-10-12 17:47:35 UTC 
We are working to address this issue in the upcoming RHDS 7.2 release.  The fix
will also go into the next version of Fedora DS.
Comment 3 Ulf Weltman 2006-10-12 18:02:10 UTC 
Yes, by being changelogged is how it ends up getting replayed to replicas.

Rich, without unhashed#user#password it's not possible to write password policy
plugins since the userPassword is already hashed when MOD pre-op is called so
you're not taking it out I guess.  Is the fix to skip it for changelogging?
Comment 4 Rich Megginson 2006-10-12 18:07:05 UTC 
Yes.  I think the fix will involve these things:
1) Do not store unhashed#user#password in the changelog or send it over the wire
2) Disable password syntax checking and password policy for replicated changes

Note that if using Digest MD5 for authentication, you must store the clear text
password in the database, in the userPassword attribute.
Comment 9 Rich Megginson 2008-06-23 17:49:39 UTC 
Note that with RHDS 8.0.0-14 and later, you can use fractional replication to
exclude that attribute.
Comment 10 Rich Megginson 2009-01-14 17:55:07 UTC 
revisit in 8.2
Comment 16 Martin Kosek 2012-01-04 13:50:06 UTC 
Upstream ticket:
https://fedorahosted.org/389/ticket/149
Comment 17 Noriko Hosoi 2012-01-09 22:47:27 UTC 
This issue had been already treated when bz 182507 was solved.