Ludwig Krispenz from Red Hat reported that there is a configuration switch to prevent writing unhashed passwords into the changelogs. Unfortunately, when the switch is turned on, the attribute unhashed#user#password is not written to the changelog, but the hashing of the userPassword value itself is also bypassed, so the password is stored unhashed in the entry.
Affected are 389-ds-base versions 1.3.1 and later, which means Red Hat Enterprise Linux 7.0 and later and Fedora 20 and later.
The severity seems to be limited, since:
- the option is not widely known or advertised, and is only available in recent versions
- read access to the userPassword attribute is usually denied by ACIs
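As an added check (not part of the original report), the following Python script scans an LDIF export of the directory and flags entries whose userPassword value does not start with a recognised hashing-scheme prefix, which is the observable symptom of the bypass described above. The sample LDIF, the DN values and the scheme list are constructed for illustration; the export itself would come from db2ldif or an ldapsearch run as a privileged identity that is allowed to read userPassword.

```python
import base64
import re

# Storage-scheme prefixes 389-ds writes in front of a hashed userPassword.
# Constructed, non-exhaustive list: any prefix not listed here (or no prefix
# at all) is reported so that it gets reviewed rather than silently accepted.
HASHED_SCHEMES = {
    "SSHA", "SSHA256", "SSHA384", "SSHA512",
    "SHA", "SHA256", "SHA384", "SHA512",
    "MD5", "SMD5", "CRYPT", "PBKDF2_SHA256",
}

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")


def parse_ldif(text):
    """Parse a simple LDIF export into a list of (dn, {attr: [values]}).

    Handles folded lines (leading space), base64 values ('attr:: ...') and
    blank-line entry separators; comments and 'version:' are skipped.
    Not a full RFC 2849 parser, but enough for a dump of user entries.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # unfold continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def is_hashed(value):
    """True if the value carries a known hashing-scheme prefix such as {SSHA}."""
    m = SCHEME_RE.match(value)
    return bool(m) and m.group(1).upper() in HASHED_SCHEMES


def find_unhashed_passwords(ldif_text):
    """Return [(dn, scheme_or_None)] for every userPassword that is not hashed.

    scheme_or_None is the prefix found (e.g. 'CLEAR') or None when the value
    has no scheme prefix at all, i.e. it is a bare cleartext password.
    """
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for value in attrs.get("userpassword", []):
            if not is_hashed(value):
                m = SCHEME_RE.match(value)
                findings.append((dn, m.group(1) if m else None))
    return findings


# Constructed sample export: alice is hashed, bob is a bare cleartext value
# (base64 of "secret123"), carol uses the {CLEAR} scheme.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}c2FsdHNhbHRzYWx0aGFzaGhhc2hoYXNo

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword:: c2VjcmV0MTIz

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
userPassword: {CLEAR}
 winter2015
"""

if __name__ == "__main__":
    for dn, scheme in find_unhashed_passwords(SAMPLE_LDIF):
        print(f"unhashed userPassword: {dn} (scheme: {scheme or 'none'})")
```

A non-empty result on a server that is supposed to hash passwords is the cue to check the changelog-related switch mentioned in the report and to reset the affected accounts, since a hashed value cannot be recovered from the cleartext one after the fact.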
This issue did not affect the versions of 389-ds-base as shipped with Red Hat Enterprise Linux 6.
This issue was discovered by Ludwig Krispenz of the Red Hat Identity Management Engineering Team.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:0416 https://rhn.redhat.com/errata/RHSA-2015-0416.html
Created 389-ds-base tracking bugs for this issue:
Affects: fedora-all [bug 1199675]