Bug 918715

Summary: [RFE] Add option to disable writing unhashed#user#password to changelog
Product: Red Hat Enterprise Linux 7
Reporter: Nathan Kinder <nkinder>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Sankar Ramalingam <sramling>
Severity: unspecified
Priority: high
Version: 7.0
CC: amsharma, jgalipea, mkubik, nhosoi, nkinder
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.1.2-1.el7
Doc Type: Enhancement
Doc Text:
Feature: A new config parameter, nsslapd-unhashed-pw-switch, in cn=config. The parameter takes 3 values:
   on    - unhashed password is stored in the entry extension and logged in the changelog.
   nolog - unhashed password is stored in the entry extension but not logged in the changelog.
   off   - unhashed password is not stored in the entry extension.
Reason: If there is no need to store an unhashed password in the replication changelog, this can be controlled by the new config parameter.
Story Points: ---
Last Closed: 2014-06-13 09:45:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Nathan Kinder 2013-03-06 18:16:53 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/561

For cases where the clear text password must absolutely not be stored anywhere, and for cases where changelog encryption is not suitable, there should be some way to disable writing unhashed#user#password to the changelog.

Comment 1 Jenny Severance 2013-03-08 19:10:50 UTC
Introducing a config parameter nsslapd-unhashed-pw-switch
   to cn=config.  The parameter takes 3 values:
   on    - unhashed password is stored in the entry extension
           and logged in the changelog.
   nolog - unhashed password is stored in the entry extension
           but not logged in the changelog.
   off   - unhashed password is not stored in the entry extension.

Comment 2 Rich Megginson 2013-10-01 23:27:16 UTC
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.

Comment 5 Noriko Hosoi 2013-11-08 22:55:23 UTC
<Steps to verify>
1. Set up MMR
2. On one master,
2-1 Set nsslapd-unhashed-pw-switch to on (this is the default behaviour)
2-2 Add a user with a password
2-3 dbscan the changelog and check that the unhashed user password is stored.
3. On the master,
3-1 Set nsslapd-unhashed-pw-switch to nolog
3-2 Add a user with a password
3-3 dbscan the changelog and check that the unhashed user password is NOT stored.
4. On the master,
4-1 Set nsslapd-unhashed-pw-switch to off
4-2 Add a user with a password
4-3 dbscan the changelog and check that the unhashed user password is NOT stored.

The difference between off and nolog is ...
off: the unhashed user password is not stored in memory.
nolog: the unhashed user password is in memory for the plug-ins to use it, but not stored in the changelog.
I think you don't have to test that part since nolog is used and tested by IPA.

Comment 6 Amita Sharma 2013-11-11 08:47:19 UTC
[root@dhcp201-149 changelog]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.0 Beta (Maipo)

Build :: [root@dhcp201-149 changelog]# rpm -qa | grep 389
389-ds-base-1.3.1.6-8.el7.x86_64
389-ds-base-libs-1.3.1.6-8.el7.x86_64

Setup ::
tcp6       0      0 :::30100                :::*                    LISTEN      17579/./ns-slapd    
tcp6       0      0 :::30102                :::*                    LISTEN      16428/ns-slapd      
tcp6       0      0 :::30104                :::*                    LISTEN      16869/ns-slapd      
tcp6       0      0 :::30106                :::*                    LISTEN      17347/ns-slapd      
tcp6       0      0 :::7295                 :::*                    LISTEN      15170/ns-slapd

svrbld   15170     1  0 13:15 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dhcp201-149 -i /var/run/dirsrv/slapd-dhcp201-149.pid -w /var/run/dirsrv/slapd-dhcp201-149.startpid
svrbld   16428     1  0 13:17 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M2 -i /var/run/dirsrv/slapd-M2.pid -w /var/run/dirsrv/slapd-M2.startpid
svrbld   16869     1  0 13:17 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M3 -i /var/run/dirsrv/slapd-M3.pid -w /var/run/dirsrv/slapd-M3.startpid
svrbld   17347     1  0 13:17 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M4 -i /var/run/dirsrv/slapd-M4.pid -w /var/run/dirsrv/slapd-M4.startpid
svrbld   17579     1  0 13:17 ?        00:00:00 ./ns-slapd -D /etc/dirsrv/slapd-M1 -i /var/run/dirsrv/slapd-M1.pid -w /var/run/dirsrv/slapd-M1.startpid
svrbld   19322 12156  0 13:20 pts/0    00:00:00 grep --color=auto slapd

Case 1
=======
[root@dhcp201-149 etc]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch 
nsslapd-unhashed-pw-switch: on

ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
dn: uid=amsharma,dc=example,dc=com
cn: ams
sn: ams
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams
EOF

[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep password
		unhashed#user#password: amsamsams
		unhashed#user#password: amsamsams

Case 2
=======
[root@dhcp201-149 changelog]# ldapmodify -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-unhashed-pw-switch
> nsslapd-unhashed-pw-switch: nolog
> EOF
modifying entry "cn=config"

[root@dhcp201-149 changelog]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: nolog

ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
dn: uid=amsharma10,dc=example,dc=com
cn: ams
sn: ams
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams10
EOF


[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep password
		unhashed#user#password: amsamsams
		unhashed#user#password: amsamsams
[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep amsamsams10
[root@dhcp201-149 changelog]#

Case 3
=======
[root@dhcp201-149 changelog]# ldapmodify -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: off
EOF
modifying entry "cn=config"

[root@dhcp201-149 changelog]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: off

[root@dhcp201-149 changelog]# ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
dn: uid=amsharma110,dc=example,dc=com
cn: ams
sn: ams                            
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams110
EOF

adding new entry "uid=amsharma110,dc=example,dc=com"

[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep amsamsams110
[root@dhcp201-149 changelog]# 

Hence marking VERIFIED.
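
Checking a changelog dump against the configured switch, as an added example that is not part of the bug, of 389-ds-base, or of the tester's own session: the script below encodes the three switch values from Comment 1, builds the same cn=config LDIF used in Comment 6, and automates the "is the clear text password in the changelog?" check from steps 2-3, 3-3 and 4-3 of Comment 5. The sample dump is constructed and only follows the real dbscan output as far as the attribute lines grep'd in Comment 6; the hash value in it is a placeholder. The audit reports only the line numbers of any leak, never the password value itself.

```python
"""Audit a dbscan changelog dump for clear text passwords.

Added example (hypothetical helper, not code from the bug or from
389-ds-base).  It assumes only that dbscan prints one attribute per line,
indented, as "unhashed#user#password: <value>" (see Comment 6).
"""
import re
from typing import Dict, List

UNHASHED_ATTR = "unhashed#user#password"
VALID_SWITCH_VALUES = ("on", "nolog", "off")

# Expected changelog behaviour for each nsslapd-unhashed-pw-switch value,
# taken from Comment 1 of the bug:
#   on    - clear text password kept in the entry extension AND logged in the changelog
#   nolog - kept in the entry extension (for plug-ins), NOT logged in the changelog
#   off   - not kept at all, so it cannot reach the changelog either
EXPECT_IN_CHANGELOG = {"on": True, "nolog": False, "off": False}

# LDAP attribute names are case-insensitive, hence re.IGNORECASE.  "::" covers
# a base64-encoded value, which LDIF-style dumps use for non-printable data.
_UNHASHED_LINE = re.compile(
    r"^\s*" + re.escape(UNHASHED_ATTR) + r"::?\s*(.*)$", re.IGNORECASE
)


def config_ldif(value: str) -> str:
    """LDIF for the ldapmodify shown in Comment 6 that sets the switch on cn=config."""
    if value not in VALID_SWITCH_VALUES:
        raise ValueError(
            f"nsslapd-unhashed-pw-switch must be one of {VALID_SWITCH_VALUES}, got {value!r}"
        )
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-unhashed-pw-switch\n"
        f"nsslapd-unhashed-pw-switch: {value}\n"
    )


def find_unhashed_password_lines(dump_text: str) -> List[int]:
    """1-based line numbers of every unhashed#user#password attribute in a dump.

    Only positions are returned, never the values, so the audit report does
    not repeat the clear text password it found.
    """
    return [
        n for n, line in enumerate(dump_text.splitlines(), 1)
        if _UNHASHED_LINE.match(line)
    ]


def audit_changelog(switch_value: str, dump_text: str) -> Dict[str, object]:
    """Compare what the dump contains with what the configured switch permits.

    For "on" the check assumes at least one password-bearing entry was added
    after the switch was set (step 2-2 in Comment 5); for "nolog" and "off"
    any hit at all is a failure.
    """
    if switch_value not in VALID_SWITCH_VALUES:
        raise ValueError(f"unknown switch value {switch_value!r}")
    hits = find_unhashed_password_lines(dump_text)
    expected = EXPECT_IN_CHANGELOG[switch_value]
    return {
        "switch": switch_value,
        "expected_in_changelog": expected,
        "unhashed_lines": hits,
        "ok": bool(hits) == expected,
    }


# Constructed sample dumps (NOT real dbscan output): one record written while
# the switch was "on", one written while it was "nolog".
SAMPLE_DUMP_ON = """\
dbid: 52808bb9000000010000
\tdn: uid=amsharma,dc=example,dc=com
\toperation: add
\t\tobjectClass: inetOrgPerson
\t\tuid: ams
\t\tuserPassword: {SSHA}CONSTRUCTED-HASH-PLACEHOLDER
\t\tunhashed#user#password: amsamsams
\t\tunhashed#user#password: amsamsams
"""

SAMPLE_DUMP_NOLOG = """\
dbid: 52808bb9000000010001
\tdn: uid=amsharma10,dc=example,dc=com
\toperation: add
\t\tobjectClass: inetOrgPerson
\t\tuid: ams
\t\tuserPassword: {SSHA}CONSTRUCTED-HASH-PLACEHOLDER
"""

if __name__ == "__main__":
    print(config_ldif("nolog"))
    for switch, dump in (("on", SAMPLE_DUMP_ON), ("nolog", SAMPLE_DUMP_ON),
                         ("nolog", SAMPLE_DUMP_NOLOG), ("off", SAMPLE_DUMP_NOLOG)):
        print(audit_changelog(switch, dump))
```

Against a live server, feed the output of `dbscan -f <changelog db>` to `audit_changelog` with the value read back from cn=config, as in the ldapsearch lines of Comment 6; a failed "nolog" or "off" audit means a record written before the switch was changed is still present, or the switch did not take effect.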

Comment 9 Ludek Smid 2014-06-13 09:45:59 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.