Bug 2239170
| Summary: | Passwords are not being updated to use the configured storage scheme (nsslapd-enable-upgrade-hash is enabled). | | |
|---|---|---|---|
| Product: | Red Hat Directory Server | Reporter: | Têko Mihinto <tmihinto> |
| Component: | 389-ds-base | Assignee: | LDAP Maintainers <idm-ds-dev-bugs> |
| Status: | CLOSED MIGRATED | QA Contact: | LDAP QA Team <idm-ds-qe-bugs> |
| Severity: | high | Docs Contact: | Evgenia Martynyuk <emartyny> |
| Priority: | unspecified | | |
| Version: | 11.7 | CC: | bs168, idm-ds-dev-bugs, musoni, tbordaz, vashirov |
| Target Milestone: | DS12.5 | Keywords: | Triaged |
| Target Release: | dirsrv-12.5 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-06-26 13:49:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Têko Mihinto
2023-09-15 17:00:13 UTC
This is working fine when moving from SSHA512 to PBKDF2_SHA256.
$ ldapsearch -xLLL -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password:
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: e1NTSEE1MTJ9Y0tUcThlcnNDeSszOXRLaThpV1dUVjM2M0dIdUxWNVMrT3FJVXp4OVZNbHBkcytBMUdZTWo4Z0NJNllGQmZwY3hGTkdRMnpET3RPNml2NFdLam55b3oxdFFmK3hmZ0dl
$
$ echo e1NTSEE1MTJ9Y0tUcThlcnNDeSszOXRLaThpV1dUVjM2M0dIdUxWNVMrT3FJVXp4OVZNbHBkcytBMUdZTWo4Z0NJNllGQmZwY3hGTkdRMnpET3RPNml2NFdLam55b3oxdFFmK3hmZ0dl| base64 --decode
{SSHA512}cKTq8ersCy+39tKi8iWWTV363GHuLV5S+OqIUzx9VMlpds+A1GYMj8gCI6YFBfpcxFNGQ2zDOtO6iv4WKjnyoz1tQf+xfgGe#
$
$ dsconf -D "cn=Directory Manager" ldaps://localhost:1636 pwpolicy set --pwdscheme=PBKDF2_SHA256
Enter password for cn=Directory Manager on ldaps://localhost:1636:
Successfully updated global password policy
$
$ ldapsearch -xLLL -o ldif-wrap=no -D "cn=User_1,ou=people,dc=example,dc=com" -W -H ldaps://localhost:1636 -b "" -sbase defaultNamingContext
Enter LDAP Password:
dn:
defaultNamingContext: dc=cette,dc=localdomain
$
$ ldapsearch -xLLL -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password:
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: 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
$
$ echo "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" | base64 --decode ; echo
{PBKDF2_SHA256}AAAIABmR3fQ/KSImjA1Uc2eBz980607nvIdS3FfVGKuoKADo/9X33TrI3ZAOM0VtephO1vPvyWYXTz3f9q1cNIapjYC0i4GuCxIa5qTzAFrWXOouzWMIuSYMxTOIdzpnXB0nMHEet8hMJnl2NUvQgHH2nSd1EcwJMb1FpD9o+yU2UEc/uZ0OYP0r/4BZ57c5xWjemvDNmmYS3/aCQTyYIco1+sG8xSHiGIM5hzoaZeGpJAMuJpmW+vhJYn7sPNOjic3ZgHfQJ8NaWwRAlM0J4vb6eu3P5ezBw+QCby97+Xu8xb2srjWeTJEdy2UZS4iBNgFByZPub8DWOBeJoYuNvnyQ78A3Y1NSLr4VDlVLU7hyFHE/aFND38AFAi0nE1qPJt/ltTziHbAQYtWSP8kL6gVDuzbmtG2JCEBTpDm5XmEwY9c5
$
It's failing when moving from other storage schemes:
Using CRYPT scheme:
+++++++++++++++++++++++
$ dsconf -D "cn=Directory Manager" ldaps://localhost:1636 pwpolicy set --pwdscheme=CRYPT
Enter password for cn=Directory Manager on ldaps://localhost:1636:
Successfully updated global password policy
$
Created a new password here.
$ ldapsearch -xLLL -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password:
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fU9CYjVsVlBiQkQzODY=
$
$ echo e2NyeXB0fU9CYjVsVlBiQkQzODY= | base64 --decode ; echo
{crypt}OBb5lVPbBD386
$
Using CRYPT-SHA512 scheme:
+++++++++++++++++++++++++++
$ dsconf -D "cn=Directory Manager" ldaps://localhost:1636 pwpolicy set --pwdscheme=CRYPT-SHA512
Enter password for cn=Directory Manager on ldaps://localhost:1636:
Successfully updated global password policy
$
$ ldapsearch -xLLL -o ldif-wrap=no -D "cn=User_1,ou=people,dc=example,dc=com" -W -H ldaps://localhost:1636 -b "" -sbase defaultNamingContext
Enter LDAP Password:
dn:
defaultNamingContext: dc=cette,dc=localdomain
$
Password is not updated to use the new scheme:
$ ldapsearch -xLLL -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password:
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fU9CYjVsVlBiQkQzODY=
$
Using PBKDF2_SHA256 scheme:
+++++++++++++++++++++++++++++
$ dsconf -D "cn=Directory Manager" ldaps://localhost:1636 pwpolicy set --pwdscheme=PBKDF2_SHA256
Enter password for cn=Directory Manager on ldaps://localhost:1636:
Successfully updated global password policy
$
$ ldapsearch -xLLL -o ldif-wrap=no -D "cn=User_1,ou=people,dc=example,dc=com" -W -H ldaps://localhost:1636 -b "" -sbase defaultNamingContext
Enter LDAP Password:
dn:
defaultNamingContext: dc=cette,dc=localdomain
$
$ ldapsearch -xLLL -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password:
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fU9CYjVsVlBiQkQzODY=
$
Password is still encrypted with the CRYPT scheme.
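Added example (not part of the report above and not code from 389-ds-base): a small audit and model of the behaviour the report exercises. It parses the LDIF that `ldapsearch -o ldif-wrap=no ... userPassword` prints, maps each stored value to the scheme name `dsconf pwpolicy set --pwdscheme` uses, lists the entries whose hash is still not in the configured scheme, and models what the upgrade-on-bind step should do for the one path the report shows working (SSHA512 to PBKDF2_SHA256). Two things it assumes: the `{SSHA512}` layout is base64(sha512(password || salt) || salt), and the `{PBKDF2_SHA256}` layout is base64(4-byte big-endian iteration count || 64-byte salt || 256-byte derived key); the 2048 iterations come from decoding the `AAAIAB` prefix of the hash in the report. The scheme check also treats all CRYPT variants as sharing the `{crypt}` tag and tells them apart by the `$id$` crypt prefix, which matters when checking whether a CRYPT-SHA512 upgrade happened. Sample LDIF entries are constructed; only the DES crypt value is taken from the report.

```python
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)

# Modular-crypt identifiers a {crypt} value can carry. A {crypt} value with no
# "$id$" prefix, like the report's {crypt}OBb5lVPbBD386, is traditional DES crypt.
CRYPT_VARIANTS = {"$1$": "CRYPT-MD5", "$5$": "CRYPT-SHA256", "$6$": "CRYPT-SHA512"}


def effective_scheme(value):
    """Map a stored userPassword value to the name dsconf's --pwdscheme uses.

    {SSHA512} and {PBKDF2_SHA256} are self-describing; CRYPT variants all share
    the {crypt} tag, so the crypt body decides. None means no tag (clear text).
    """
    m = SCHEME_RE.match(value)
    if not m:
        return None
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme
    for prefix, name in CRYPT_VARIANTS.items():
        if body.startswith(prefix):
            return name
    return "CRYPT"


def parse_userpassword(ldif_text):
    """Collect {dn: userPassword} from ldapsearch LDIF; '::' marks a base64 value."""
    entries, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: "):
            entries[dn] = base64.b64decode(line[15:].strip()).decode()
        elif line.startswith("userPassword: "):
            entries[dn] = line[14:].strip()
    return entries


def entries_not_on_scheme(ldif_text, target):
    """DNs whose stored hash is not in `target`, i.e. the upgrade has not happened."""
    return sorted(dn for dn, v in parse_userpassword(ldif_text).items()
                  if effective_scheme(v) != target.upper())


def pbkdf2_iterations(stored):
    """Iteration count from the first 4 bytes (big-endian) of a {PBKDF2_SHA256} value.

    Assumed layout: base64(iterations[4] || salt[64] || key[256]). Only the first
    8 base64 characters (6 bytes) are decoded, so a truncated value still works.
    """
    raw = base64.b64decode(stored[len("{PBKDF2_SHA256}"):][:8])
    return int.from_bytes(raw[:4], "big")


def ssha512_hash(password, salt=None):
    """{SSHA512} as assumed above: base64(sha512(password || salt) || salt), 8-byte salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def ssha512_verify(stored, password):
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    return hmac.compare_digest(hashlib.sha512(password.encode() + salt).digest(), digest)


def pbkdf2_sha256_hash(password, iterations=2048, salt=None):
    """{PBKDF2_SHA256} in the assumed layout; 2048 is what the report's hash encodes."""
    salt = os.urandom(64) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=256)
    return "{PBKDF2_SHA256}" + base64.b64encode(iterations.to_bytes(4, "big") + salt + key).decode()


def upgrade_on_bind(stored, password, target="PBKDF2_SHA256"):
    """Model of what nsslapd-enable-upgrade-hash should do after a successful simple
    bind: verify the cleartext under the stored scheme, re-hash under the configured one.

    Only SSHA512 -> PBKDF2_SHA256 is modelled (the path the report shows working);
    any other stored scheme comes back unchanged, which is the symptom reported.
    """
    current = effective_scheme(stored)
    if current == target.upper():
        return stored
    if current == "SSHA512" and target.upper() == "PBKDF2_SHA256" and ssha512_verify(stored, password):
        return pbkdf2_sha256_hash(password)
    return stored


# Constructed sample in the shape `ldapsearch -o ldif-wrap=no ... userPassword` prints.
# The DES crypt value is the report's; the $6$ body is a placeholder shape, the rest are generated.
SAMPLE_LDIF = (
    "dn: cn=User_1,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(b"{crypt}OBb5lVPbBD386").decode() + "\n\n"
    "dn: cn=User_2,ou=people,dc=example,dc=com\n"
    "userPassword: {crypt}$6$c0nstructedsalt$notAcryptHashJustTheShapeForThisExample\n\n"
    "dn: cn=User_3,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(ssha512_hash("Secret123").encode()).decode() + "\n\n"
    "dn: cn=User_4,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(pbkdf2_sha256_hash("Secret123").encode()).decode() + "\n"
)

if __name__ == "__main__":
    print("not on PBKDF2_SHA256:", entries_not_on_scheme(SAMPLE_LDIF, "PBKDF2_SHA256"))
    print("not on CRYPT-SHA512: ", entries_not_on_scheme(SAMPLE_LDIF, "CRYPT-SHA512"))
```

Run `entries_not_on_scheme` over a full `ldapsearch ... userPassword` dump (as Directory Manager, since userPassword is not readable by ordinary users) after users have bound at least once; with the upgrade working, that list should shrink to accounts that have not authenticated since the scheme change. Note that the prefix check alone would call `{crypt}OBb5lVPbBD386` and a `{crypt}$6$...` value the same scheme, which is why the crypt body is inspected.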
This BZ has been automatically migrated to Red Hat Issue Tracker https://issues.redhat.com/browse/DIRSRV-18. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.