Bug 182509
Summary: | RFE: cleartext userPassword value is sent unencrypted | | |
---|---|---|---|
Product: | [Retired] 389 | Reporter: | Ulf Weltman <ulf.weltman> |
Component: | Replication - General | Assignee: | Rich Megginson <rmeggins> |
Status: | CLOSED WORKSFORME | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | medium | Priority: | medium |
Version: | 1.0 | CC: | benl, djuran, grendelmans, jgalipea, nhosoi, nkinder, rdassen, thoger |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2012-01-09 22:47:27 UTC |
Bug Blocks: | 512820, 690319 | | |
Description
Ulf Weltman
2006-02-22 22:24:58 UTC
The "unhashed#user#password" value is also stored in plain text in the replication changelog under /opt/fedora-ds/slapd-<instance>/changelogdb/.

We are working to address this issue in the upcoming RHDS 7.2 release. The fix will also go into the next version of Fedora DS.

Yes, by being changelogged is how it ends up getting replayed to replicas. Rich, without unhashed#user#password it's not possible to write password policy plugins since the userPassword is already hashed when MOD pre-op is called so you're not taking it out I guess. Is the fix to skip it for changelogging?

Yes. I think the fix will involve these things:
1) Do not store unhashed#user#password in the changelog or send it over the wire
2) Disable password syntax checking and password policy for replicated changes

Note that if using Digest MD5 for authentication, you must store the clear text password in the database, in the userPassword attribute.

Note that with RHDS 8.0.0-14 and later, you can use fractional replication to exclude that attribute.

revisit in 8.2

Upstream ticket: https://fedorahosted.org/389/ticket/149

This issue had been already treated when bz 182507 was solved.
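
An added example, not part of the original bug report or the 389 project's code: a check that flags "unhashed#user#password" values in an LDIF export of replicated changes, reporting only the entry DN and the value length. It assumes RFC 2849 LDIF input; the sample records and the function names unfold and find_cleartext are constructed for illustration.

```python
import base64

TARGET = "unhashed#user#password"  # pseudo-attribute named in this bug

# Constructed sample records (RFC 2849 LDIF), not real directory data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
replace: unhashed#user#password
unhashed#user#password: constructed-secret
-
replace: description
description: mentions unhashed#user#password only inside a value
-

dn: uid=bob,ou=People,dc=example,dc=com
changetype: modify
replace: unhashed#user#password
unhashed#user#password:: Y29uc3RydWN0
 ZWQ=
-
"""

def unfold(text):
    """Join continuation lines, which start with a single space."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def find_cleartext(text):
    """Return (dn, value_length) per TARGET value; the value itself is withheld."""
    hits, dn = [], None
    for line in unfold(text):
        name, sep, rest = line.partition(":")
        if not sep:  # blank record separator or "-" line
            continue
        value = rest.strip()
        if rest.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        name = name.split(";")[0].lower()  # drop options such as ;binary
        if name == "dn":
            dn = value
        elif name == TARGET:
            hits.append((dn, len(value)))
    return hits
```

An empty result from find_cleartext on an export means no change record in it carries the cleartext pseudo-attribute.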