Bug 918715 - [RFE] Add option to disable writing unhashed#user#password to changelog

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Nathan Kinder <nkinder> |
| Component | 389-ds-base | Assignee | Rich Megginson <rmeggins> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Sankar Ramalingam <sramling> |
| Severity | unspecified | Docs Contact | |
| Priority | high | | |
| Version | 7.0 | CC | amsharma, jgalipea, mkubik, nhosoi, nkinder |
| Target Milestone | rc | Keywords | FutureFeature |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | 389-ds-base-1.3.1.2-1.el7 | Doc Type | Enhancement |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-06-13 09:45:59 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |

Doc Text:

Feature: A new config parameter nsslapd-unhashed-pw-switch to cn=config. The parameter takes 3 values:
- on - unhashed password is stored in the entry extension and logged in the changelog.
- nolog - unhashed password is stored in the entry extension but not logged in the changelog.
- off - unhashed password is not stored in the entry extension.

Reason: If there is no need to store an unhashed password in the replication changelog, it could be controlled by the new config parameter.
Description
Nathan Kinder
2013-03-06 18:16:53 UTC
Introducing a config parameter nsslapd-unhashed-pw-switch to cn=config. The parameter takes 3 values:
- on - unhashed password is stored in the entry extension and logged in the changelog.
- nolog - unhashed password is stored in the entry extension but not logged in the changelog.
- off - unhashed password is not stored in the entry extension.

moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata). When the errata is created, the bugs should be automatically moved back to ON_QA.

<Steps to verify>
1. Set up MMR
2. On one master,
   2-1 Setting on to nsslapd-unhashed-pw-switch (this is the default behaviour)
   2-2 Add a user with a password
   2-3 dbscan changelog and check unhashed user password is stored.
3. On the master,
   3-1 Setting nolog to nsslapd-unhashed-pw-switch
   3-2 Add a user with a password
   3-3 dbscan changelog and check unhashed user password is NOT stored.
4. On the master,
   4-1 Setting off to nsslapd-unhashed-pw-switch
   4-2 Add a user with a password
   4-3 dbscan changelog and check unhashed user password is NOT stored.

The difference between off and nolog is ...
off: the unhashed user password is not stored in memory.
nolog: the unhashed user password is in memory for the plug-ins to use it, but not stored in the changelog.
I think you don't have to test that part since nolog is used and tested by IPA.

```
[root@dhcp201-149 changelog]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 Beta (Maipo)
```

Build ::

```
[root@dhcp201-149 changelog]# rpm -qa | grep 389
389-ds-base-1.3.1.6-8.el7.x86_64
389-ds-base-libs-1.3.1.6-8.el7.x86_64
```

Setup ::

```
tcp6 0 0 :::30100 :::* LISTEN 17579/./ns-slapd
tcp6 0 0 :::30102 :::* LISTEN 16428/ns-slapd
tcp6 0 0 :::30104 :::* LISTEN 16869/ns-slapd
tcp6 0 0 :::30106 :::* LISTEN 17347/ns-slapd
tcp6 0 0 :::7295 :::* LISTEN 15170/ns-slapd
svrbld 15170 1 0 13:15 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dhcp201-149 -i /var/run/dirsrv/slapd-dhcp201-149.pid -w /var/run/dirsrv/slapd-dhcp201-149.startpid
svrbld 16428 1 0 13:17 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M2 -i /var/run/dirsrv/slapd-M2.pid -w /var/run/dirsrv/slapd-M2.startpid
svrbld 16869 1 0 13:17 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M3 -i /var/run/dirsrv/slapd-M3.pid -w /var/run/dirsrv/slapd-M3.startpid
svrbld 17347 1 0 13:17 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M4 -i /var/run/dirsrv/slapd-M4.pid -w /var/run/dirsrv/slapd-M4.startpid
svrbld 17579 1 0 13:17 ? 00:00:00 ./ns-slapd -D /etc/dirsrv/slapd-M1 -i /var/run/dirsrv/slapd-M1.pid -w /var/run/dirsrv/slapd-M1.startpid
svrbld 19322 12156 0 13:20 pts/0 00:00:00 grep --color=auto slapd
```

Case 1
=======

```
[root@dhcp201-149 etc]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: on
ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=amsharma,dc=example,dc=com
cn: ams
sn: ams
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams
EOF
[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep password
unhashed#user#password: amsamsams
unhashed#user#password: amsamsams
```

Case 2
=======

```
[root@dhcp201-149 changelog]# ldapmodify -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-unhashed-pw-switch
> nsslapd-unhashed-pw-switch: nolog
> EOF
modifying entry "cn=config"
[root@dhcp201-149 changelog]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: nolog
ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=amsharma10,dc=example,dc=com
cn: ams
sn: ams
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams10
EOF
[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep password
unhashed#user#password: amsamsams
unhashed#user#password: amsamsams
[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep amsamsams10
[root@dhcp201-149 changelog]#
```

Case 3
=====

```
[root@dhcp201-149 changelog]# ldapmodify -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: off
> EOF
modifying entry "cn=config"
[root@dhcp201-149 changelog]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: off
[root@dhcp201-149 changelog]# ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
dn: uid=amsharma110,dc=example,dc=com
cn: ams
sn: ams
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams110
EOF
adding new entry "uid=amsharma110,dc=example,dc=com"
[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep amsamsams110
[root@dhcp201-149 changelog]#
```

Hence marking VERIFIED.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
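The verification steps above check the changelog by hand with dbscan and grep. The following added Python example (not code from the 389-ds-base project or from anyone on this bug) automates that check: given the configured nsslapd-unhashed-pw-switch value and a captured dbscan dump, it reports which records still carry unhashed#user#password and treats any occurrence as non-compliant for nolog and off. The dump layout (blank-line separated records with a dn: line) and the sample records are constructed assumptions, not real dbscan output.

```python
"""Audit a dbscan dump of the 389-ds replication changelog for cleartext passwords.
Added example, not 389-ds-base project code. Assumes the changelog was dumped with
`dbscan -f <changelog.db>`, records are blank-line separated and start with `dn:`;
only `unhashed#user#password:` lines are inspected and their values are never echoed."""
from dataclasses import dataclass, field

VALID_SWITCH_VALUES = ("on", "nolog", "off")  # values of nsslapd-unhashed-pw-switch
UNHASHED_ATTR = "unhashed#user#password:"

@dataclass
class AuditResult:
    switch: str
    leaked_dns: list = field(default_factory=list)  # records carrying a cleartext password
    compliant: bool = True
    note: str = ""

def audit_changelog(switch: str, dump_text: str) -> AuditResult:
    """Check whether the dump matches what the configured switch value permits."""
    switch = switch.strip().lower()
    if switch not in VALID_SWITCH_VALUES:
        raise ValueError(f"unknown nsslapd-unhashed-pw-switch value: {switch!r}")
    result = AuditResult(switch=switch)
    current_dn = "<unknown dn>"
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line:  # a blank line ends the current record
            current_dn = "<unknown dn>"
        elif line.lower().startswith("dn:"):
            current_dn = line[3:].strip()
        elif line.lower().startswith(UNHASHED_ATTR):
            result.leaked_dns.append(current_dn)  # record where, never the value
    if switch == "on":
        result.note = "cleartext passwords in the changelog are expected with 'on'"
    else:  # 'nolog' and 'off' must both leave the changelog free of cleartext
        result.compliant = not result.leaked_dns
        result.note = "the changelog alone cannot distinguish 'off' from 'nolog'"
    return result

# Constructed sample (not real dbscan output): one add still carrying the
# cleartext attribute, one add without it.
SAMPLE_DUMP = """\
dn: uid=amsharma,dc=example,dc=com
changetype: add
userpassword: {SSHA}constructed-hash-value
unhashed#user#password: amsamsams

dn: uid=amsharma10,dc=example,dc=com
changetype: add
userpassword: {SSHA}constructed-hash-value
"""
```

Run `audit_changelog("nolog", open("dump.txt").read())` against a real dump captured from `dbscan -f`; a non-empty `leaked_dns` with nolog or off means the switch is not taking effect for those records.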