Bug 1372420 - Backport AES storage scheme plugin.
Summary: Backport AES storage scheme plugin.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.9
Hardware: Unspecified
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
: 1376558 (view as bug list)
Depends On:
Blocks: 1376676
TreeView+ depends on / blocked
 
Reported: 2016-09-01 16:10 UTC by German Parente
Modified: 2020-09-13 20:41 UTC (History)
6 users (show)

Fixed In Version: 389-ds-base-1.2.11.15-82.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1376676 (view as bug list)
Environment:
Last Closed: 2017-03-21 10:23:00 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 799 0 None None None 2020-09-13 20:41:02 UTC
Red Hat Product Errata RHBA-2017:0667 0 normal SHIPPED_LIVE 389-ds-base bug fix update 2017-03-21 12:35:05 UTC

Description German Parente 2016-09-01 16:10:12 UTC 
Description of problem:

Replication is encrypting credentials of replication bind user password using DES plugin.

This is considered as insecure as for:

https://fedorahosted.org/389/ticket/47462

The fix for this bug is only in RHEL7.

This bz is just to  document this security issue in RHEL6 version of 389-ds-base



Version-Release number of selected component (if applicable): 389-ds-base-1.2.11.15*
Comment 3 mreynolds 2016-09-06 20:08:16 UTC 
Fixed upstream in 1.2.11
Comment 5 Noriko Hosoi 2016-09-15 17:52:01 UTC 
*** Bug 1376558 has been marked as a duplicate of this bug. ***
Comment 10 Sankar Ramalingam 2016-11-18 08:54:03 UTC 
1). Checking the default encryption type for replica passwords, with older version of 389-ds-base.
[root@auto-hv-02-guest09 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-libs-1.2.11.15-74.el6.x86_64
389-ds-base-1.2.11.15-74.el6.x86_64

[root@auto-hv-02-guest09 MMR_WINSYNC]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=1189_to_2616_on_auto-hv-02-guest09.idmqe.lab.eng.bos.redhat.com,cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" | grep -i nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {DES}2mO8LgMr/w5ognn2BRK+gQ==

2). Upgrade to the latest RHEL-6.9 389-ds-base-1.2.11.15-85
[root@auto-hv-02-guest09 MMR_WINSYNC]# yum -y update 389-ds-base 389-ds-base-libs
[root@auto-hv-02-guest09 MMR_WINSYNC]# rpm -qa |grep -i 389-ds
389-ds-base-1.2.11.15-85.el6.x86_64
389-ds-base-libs-1.2.11.15-85.el6.x86_64

3). Running setup-ds.pl
[root@auto-hv-02-guest09 MMR_WINSYNC]# setup-ds.pl -u
[root@auto-hv-02-guest09 MMR_WINSYNC]# service dirsrv restart

4). Running ldapsearch to check if AES encryption is used.

[root@auto-hv-02-guest09 MMR_WINSYNC]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=1189_to_2616_on_auto-hv-02-guest09.idmqe.lab.eng.bos.redhat.com,cn=replica,cn=\"dc=passsync,dc=com\",cn=mapping tree,cn=config" |grep -i  nsDS5ReplicaCredentials 
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG

After upgrade, the default password storage scheme changed to AES. No issues with the restart of Directory servers. Hence, marking the bug as Verified.
Comment 12 errata-xmlrpc 2017-03-21 10:23:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0667.html
Note You need to log in before you can comment on or make changes to this bug.