Bug 1467777 - "pwdhash -D configdir" uses the DS default hashing algorithm
Summary: "pwdhash -D configdir" uses the DS default hashing algorithm
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 7.5
Assignee: mreynolds
QA Contact: Viktor Ashirov
Marc Muehlfeld
Depends On:
TreeView+ depends on / blocked
Reported: 2017-07-05 06:15 UTC by Marc Muehlfeld
Modified: 2020-09-13 22:01 UTC (History)
4 users (show)

Fixed In Version: 389-ds-base-
Doc Type: Enhancement
Doc Text:
The *pwdhash* utility can now retrieve the storage scheme from the configuration directory Previously, if you passed the path to the configuration directory to the *pwdhash*, the utility used the default storage scheme of Directory Server to encrypt the password. With this update, the *pwdhash* utility uses the storage scheme set in the "nsslapd-rootpwstoragescheme" attribute in the "cn=config" entry, if you run *pwdhash* as a user with read permissions on the `/etc/dirsrv/slapd-instance_name/dse.ldif` file. As a result, you no longer have to specify the storage scheme in the mentioned scenario if it differs from the Directory Server's default.
Clone Of:
Last Closed: 2018-04-10 14:18:12 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 2371 0 None None None 2020-09-13 22:01:20 UTC
Red Hat Product Errata RHBA-2018:0811 0 None None None 2018-04-10 14:19:11 UTC

Description Marc Muehlfeld 2017-07-05 06:15:02 UTC
Description of problem:
The "pwdhash -D configdir" command uses the default hashing algorithm and neither the current value set in nsslapd-rootpwstoragescheme nor passwordStorageScheme.

Version-Release number of selected component (if applicable):
DS 10.1.1

How reproducible:

Steps to Reproduce:
1. Set nsslapd-rootpwstoragescheme to SSHA256
2. Set passwordStorageScheme to SSHA384
3. Run
   # pwdhash -D /etc/dirsrv/slapd-instance_name/ password

Actual results:
You get the hash based on the DS default setting (which is SSHA512 for DS 10.1.1) instead of the algorithms set in one of the two attributes.

Expected results / Feature request:
* If "-D configdir" is used, the command should return the hashed string using the algorithm set in nsslapd-rootpwstoragescheme. The tool is mostly used to generate the hash for the Directory Manager - so this should be default in this case.

* Additinally, a "-u" option should be added, which is only used in combination with "-D configdir", and generates the hash using the algorithm set in passwordStorageScheme.

Comment 2 wibrown@redhat.com 2017-07-05 06:33:29 UTC
Upstream ticket:

Comment 6 Akshay Adhikari 2018-01-08 07:12:17 UTC
============================================================================ test session starts ============================================================================
platform linux -- Python 3.6.3, pytest-3.3.2, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-823.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.3.2', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.5.1', 'html': '1.16.1'}}
nss: 3.34.0-1.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-10.el7
svrcore: 4.1.3-2.el7

rootdir: /export/tests, inifile:
plugins: metadata-1.5.1, html-1.16.1
collected 2 items                                                                                                                                                           

suites/clu/clu_test.py::test_clu_pwdhash PASSED                                                                                                                       [ 50%]
suites/clu/clu_test.py::test_clu_pwdhash_mod PASSED                                                                                                                   [100%]

------------------------------------------------------- generated xml file: /mnt/tests/rhds/tests/upstream/report.xml -------------------------------------------------------
------------------------------------------------------ generated html file: /mnt/tests/rhds/tests/upstream/report.html ------------------------------------------------------
========================================================================= 2 passed in 9.70 seconds ==========================================================================

Comment 9 errata-xmlrpc 2018-04-10 14:18:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.