Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1467777 - "pwdhash -D configdir" uses the DS default hashing algorithm
"pwdhash -D configdir" uses the DS default hashing algorithm
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
7.4
Unspecified Unspecified
low Severity low
: rc
: 7.5
Assigned To: mreynolds
Viktor Ashirov
Marc Muehlfeld
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-05 02:15 EDT by Marc Muehlfeld
Modified: 2018-04-10 10:19 EDT (History)
4 users (show)

See Also:
Fixed In Version: 389-ds-base-1.3.7.5-4.el7
Doc Type: Enhancement
Doc Text:
The *pwdhash* utility can now retrieve the storage scheme from the configuration directory Previously, if you passed the path to the configuration directory to the *pwdhash*, the utility used the default storage scheme of Directory Server to encrypt the password. With this update, the *pwdhash* utility uses the storage scheme set in the "nsslapd-rootpwstoragescheme" attribute in the "cn=config" entry, if you run *pwdhash* as a user with read permissions on the `/etc/dirsrv/slapd-instance_name/dse.ldif` file. As a result, you no longer have to specify the storage scheme in the mentioned scenario if it differs from the Directory Server's default.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 10:18:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0811 None None None 2018-04-10 10:19 EDT

  None (edit)
Description Marc Muehlfeld 2017-07-05 02:15:02 EDT
Description of problem:
The "pwdhash -D configdir" command uses the default hashing algorithm and neither the current value set in nsslapd-rootpwstoragescheme nor passwordStorageScheme.



Version-Release number of selected component (if applicable):
DS 10.1.1



How reproducible:
Always



Steps to Reproduce:
1. Set nsslapd-rootpwstoragescheme to SSHA256
2. Set passwordStorageScheme to SSHA384
3. Run
   # pwdhash -D /etc/dirsrv/slapd-instance_name/ password



Actual results:
You get the hash based on the DS default setting (which is SSHA512 for DS 10.1.1) instead of the algorithms set in one of the two attributes.



Expected results / Feature request:
* If "-D configdir" is used, the command should return the hashed string using the algorithm set in nsslapd-rootpwstoragescheme. The tool is mostly used to generate the hash for the Directory Manager - so this should be default in this case.

* Additinally, a "-u" option should be added, which is only used in combination with "-D configdir", and generates the hash using the algorithm set in passwordStorageScheme.
Comment 2 wibrown@redhat.com 2017-07-05 02:33:29 EDT
Upstream ticket:
https://pagure.io/389-ds-base/issue/49312
Comment 6 Akshay Adhikari 2018-01-08 02:12:17 EST
============================================================================ test session starts ============================================================================
platform linux -- Python 3.6.3, pytest-3.3.2, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-823.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.3.2', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.5.1', 'html': '1.16.1'}}
389-ds-base: 1.3.7.5-11.el7
nss: 3.34.0-1.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-10.el7
svrcore: 4.1.3-2.el7

rootdir: /export/tests, inifile:
plugins: metadata-1.5.1, html-1.16.1
collected 2 items                                                                                                                                                           

suites/clu/clu_test.py::test_clu_pwdhash PASSED                                                                                                                       [ 50%]
suites/clu/clu_test.py::test_clu_pwdhash_mod PASSED                                                                                                                   [100%]

------------------------------------------------------- generated xml file: /mnt/tests/rhds/tests/upstream/report.xml -------------------------------------------------------
------------------------------------------------------ generated html file: /mnt/tests/rhds/tests/upstream/report.html ------------------------------------------------------
========================================================================= 2 passed in 9.70 seconds ==========================================================================
Comment 9 errata-xmlrpc 2018-04-10 10:18:12 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811

Note You need to log in before you can comment on or make changes to this bug.