Bug 1833266

Summary:	[dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
Product:	Red Hat Enterprise Linux 8	Reporter:	Andreas Bleischwitz <ableisch>
Component:	ipa	Assignee:	Thomas Woerner <twoerner>
Status:	CLOSED ERRATA	QA Contact:	ipa-qe <ipa-qe>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	8.2	CC:	abokovoy, cheimes, ksiddiqu, mreynolds, pcech, rcritten, sumenon, tscherf
Target Milestone:	rc	Keywords:	TestCaseProvided
Target Release:	8.2	Flags:	pm-rhel: mirror+
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	ipa-4.8.7-1	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1833515 (view as bug list)		Environment:
Last Closed:	2020-11-04 02:50:41 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1833515

Description Andreas Bleischwitz 2020-05-08 09:20:20 UTC

Description of problem:
An upgraded version of 389-ds 1.4.1.6 will raise errors in the logs due to the inability to update passwords to new password-schemes.

Version-Release number of selected component (if applicable):
389-ds 1.4.1.6

How reproducible:
Always

Steps to Reproduce:
1. Install IDM prior 389-ds 1.4.1.6
2. Create users and passwords
3. Upgrade to 389-ds 1.4.1.6 or later

Actual results:
Warning messages written to /var/log/dirsrv/slapd-<instance>/errors:

WARN - update_pw_encoding - Modify error 19 on entry '<user-dn>'

Expected results:
No warning messages reported

Additional info:
Due to the integration of kerberos into IDM, passwords need to be given in cleartext in order to be updated. As there are only hashes stored in IDM, the update_pw_encoding() mechanism will not be able to update these and raises the warning messages.

Comment 1 Andreas Bleischwitz 2020-05-08 09:21:55 UTC

The change to do password-schema updates was introduced with this: https://pagure.io/389-ds-base/issue/49421

Comment 2 Christian Heimes 2020-05-08 09:36:24 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/8315

Comment 3 mreynolds 2020-05-08 19:19:09 UTC

DS upstream ticket to update schema to include "nsslapd-enable-upgrade-hash":

https://pagure.io/389-ds-base/issue/51078

Comment 5 Christian Heimes 2020-06-03 13:33:26 UTC

Fixed in upstream

master:
* https://pagure.io/freeipa/c/aa341020c883b3d8e6117f6f515f5ed0e19c04e7 Disable password schema update on LDAP bind
ipa-4-8:
* https://pagure.io/freeipa/c/27656669f7126ef92272530118d2d52122bb3008 Disable password schema update on LDAP bind

Comment 12 errata-xmlrpc 2020-11-04 02:50:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670