Bug 1320715 - DES to AES password conversion fails if a backend is empty
Summary: DES to AES password conversion fails if a backend is empty
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Petr Bokoc
URL:
Whiteboard:
Keywords: ZStream
Depends On:
Blocks: 1321891
TreeView+ depends on / blocked
 
Reported: 2016-03-23 19:38 UTC by mreynolds
Modified: 2016-11-03 20:40 UTC (History)
8 users (show)

(edit) 
Password conversion from *DES* to *AES* now works properly

During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the *Reversible Password Plug-in* was changed from *DES* to *AES*. Directory Server automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined back end was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the *DES* plug-in, which caused existing passwords to fail to decode.

This bug has been fixed, _389-ds-base_ now ignores errors when searching back ends for passwords to convert, and the *DES* plug-in is now only disabled after all passwords are successfully converted to *AES*.
Clone Of:
: 1321891 (view as bug list)
(edit)
Last Closed: 2016-11-03 20:40:45 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2594 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2016-11-03 12:11:08 UTC

Description mreynolds 2016-03-23 19:38:27 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48777

At server startup the server tries to convert any DES passwords to AES.  But if a defined backend does not have any entries(err=32) when this process quits and it stops trying to convert DES passwords.  It should continue to try all the backends, even if it encounters an error.
Comment 3 mreynolds 2016-03-24 19:20:10 UTC 
Fixed upstream
Comment 9 Punit Kundal 2016-07-12 09:07:30 UTC 
RHEL:
RHEL 7.3 x86_64 Server
 
DS builds:
[root@localhost tickets]# rpm -qa | grep 389
389-ds-base-snmp-1.3.5.10-3.el7.x86_64
389-ds-base-1.3.5.10-3.el7.x86_64
389-ds-base-libs-1.3.5.10-3.el7.x86_64

Steps Performed:
1. Ran automated ticket 47462:
[root@localhost tickets]# py.test -v ticket47462_test.py
================================= test session starts ======================
platform linux2 -- Python 2.7.5, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python
cachedir: .cache
rootdir: /root/ds/dirsrvtests/tests/tickets, inifile:
collected 1 items
 
ticket47462_test.py::test_ticket47462 PASSED
 
========================== 1 passed in 64.51 seconds ===========================
 
As can be seen, automated test passed
Marking as verified
Comment 12 errata-xmlrpc 2016-11-03 20:40:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html
Note You need to log in before you can comment on or make changes to this bug.