Bug 1320715 - DES to AES password conversion fails if a backend is empty
Summary: DES to AES password conversion fails if a backend is empty
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Petr Bokoc
Depends On:
Blocks: 1321891
TreeView+ depends on / blocked
Reported: 2016-03-23 19:38 UTC by mreynolds
Modified: 2020-09-13 21:42 UTC (History)
8 users (show)

Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
Password conversion from *DES* to *AES* now works properly During the upgrade from Red Hat Enterprise Linux 7.1 to 7.2, the encryption algorithm used by the *Reversible Password Plug-in* was changed from *DES* to *AES*. Directory Server automatically converted all passwords to the new algorithm upon upgrade. However, password conversion failed with an `error 32` if any defined back end was missing the top entry. Additionally, even if the conversion failed, _389-ds-base_ still disabled the *DES* plug-in, which caused existing passwords to fail to decode. This bug has been fixed, _389-ds-base_ now ignores errors when searching back ends for passwords to convert, and the *DES* plug-in is now only disabled after all passwords are successfully converted to *AES*.
Clone Of:
: 1321891 (view as bug list)
Last Closed: 2016-11-03 20:40:45 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 1837 0 None None None 2020-09-13 21:42:25 UTC
Red Hat Product Errata RHSA-2016:2594 0 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2016-11-03 12:11:08 UTC

Description mreynolds 2016-03-23 19:38:27 UTC
This bug is created as a clone of upstream ticket:

At server startup the server tries to convert any DES passwords to AES.  But if a defined backend does not have any entries(err=32) when this process quits and it stops trying to convert DES passwords.  It should continue to try all the backends, even if it encounters an error.

Comment 3 mreynolds 2016-03-24 19:20:10 UTC
Fixed upstream

Comment 9 Punit Kundal 2016-07-12 09:07:30 UTC
RHEL 7.3 x86_64 Server
DS builds:
[root@localhost tickets]# rpm -qa | grep 389

Steps Performed:
1. Ran automated ticket 47462:
[root@localhost tickets]# py.test -v ticket47462_test.py
================================= test session starts ======================
platform linux2 -- Python 2.7.5, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 -- /usr/bin/python
cachedir: .cache
rootdir: /root/ds/dirsrvtests/tests/tickets, inifile:
collected 1 items
ticket47462_test.py::test_ticket47462 PASSED
========================== 1 passed in 64.51 seconds ===========================
As can be seen, automated test passed
Marking as verified

Comment 12 errata-xmlrpc 2016-11-03 20:40:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.