1320715 – DES to AES password conversion fails if a backend is empty

Bug 1320715 - DES to AES password conversion fails if a backend is empty

Summary: DES to AES password conversion fails if a backend is empty

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:	(Show other bugs)
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Noriko Hosoi
QA Contact:	Viktor Ashirov
Docs Contact:	Petr Bokoc
URL:
Whiteboard:
Keywords:	ZStream
Depends On:
Blocks:	1321891
TreeView+	depends on / blocked

Reported:	2016-03-23 19:38 UTC by mreynolds
Modified:	2016-11-03 20:40 UTC (History)
CC List:	8 users (show)
Fixed In Version:	389-ds-base-1.3.5.2-1.el7
Doc Type:	Bug Fix
Doc Text:	Password conversion from DES to AES now works properly During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the Reversible Password Plug-in was changed from DES to AES. Directory Server automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined back end was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the DES plug-in, which caused existing passwords to fail to decode. This bug has been fixed, _389-ds-base_ now ignores errors when searching back ends for passwords to convert, and the DES plug-in is now only disabled after all passwords are successfully converted to AES.
Story Points:	---
Clone Of:
Clones:	1321891 (view as bug list)
Environment:
Last Closed:	2016-11-03 20:40:45 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2594	normal	SHIPPED_LIVE	Moderate: 389-ds-base security, bug fix, and enhancement update	2016-11-03 12:11:08 UTC

Description mreynolds 2016-03-23 19:38:27 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48777

At server startup the server tries to convert any DES passwords to AES.  But if a defined backend does not have any entries(err=32) when this process quits and it stops trying to convert DES passwords.  It should continue to try all the backends, even if it encounters an error.

Comment 3 mreynolds 2016-03-24 19:20:10 UTC

Fixed upstream

Comment 9 Punit Kundal 2016-07-12 09:07:30 UTC

RHEL:
RHEL 7.3 x86_64 Server
 
DS builds:
[root@localhost tickets]# rpm -qa | grep 389
389-ds-base-snmp-1.3.5.10-3.el7.x86_64
389-ds-base-1.3.5.10-3.el7.x86_64
389-ds-base-libs-1.3.5.10-3.el7.x86_64

Steps Performed:
1. Ran automated ticket 47462:
[root@localhost tickets]# py.test -v ticket47462_test.py
================================= test session starts ======================
platform linux2 -- Python 2.7.5, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python
cachedir: .cache
rootdir: /root/ds/dirsrvtests/tests/tickets, inifile:
collected 1 items
 
ticket47462_test.py::test_ticket47462 PASSED
 
========================== 1 passed in 64.51 seconds ===========================
 
As can be seen, automated test passed
Marking as verified

Comment 12 errata-xmlrpc 2016-11-03 20:40:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html

Note You need to log in before you can comment on or make changes to this bug.