RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:
In FIPS mode the following tests are failing:
suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT] FAILED
suites/password/pwd_algo_test.py::test_pwd_algo_test[CRYPT-MD5] FAILED
suites/password/pwd_algo_test.py::test_pwd_algo_test[PBKDF2_SHA256] FAILED

E         ldap.UNWILLING_TO_PERFORM: {'desc': 'Server is unwilling to perform', 'info': 'Unable to store attribute "userPassword" correctly\n'}

Version-Release number of selected component (if applicable):
389-ds-base: 1.3.7.5-18.el7
nss: 3.34.0-4.el7


How reproducible:
always

Steps to Reproduce:
1. Enable FIPS mode
2.  py.test -v suites/password/pwd_algo_test.py

I know FIPS does NOT support PBKDF2, and it looks like its not supporting CRYPT either.  So perhaps this a doc bug?

CRYPT-SHA256 and CRYPT-SHA512 are accepted though. If that's not a bug, then we'll update the tests to check if we're running in FIPS mode.

(In reply to Viktor Ashirov from comment #2)
> CRYPT-SHA256 and CRYPT-SHA512 are accepted though. If that's not a bug, then
> we'll update the tests to check if we're running in FIPS mode.

I know FIPS does not accept weak hashing algos.  So maybe that's why CRYPT-SHA256 and CRYPT-SHA512 work, but the other CRYPTs are not.  PBKDF2 I think it just too new and FIPS has not caught up with it yet (I know its officially not supported).  I'll ask the security guys to confirm the CRYPT issues though.

Okay so looking at the FIPS docs 

https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf

I think this explains the behavior.  We support SHA256 & SHA512 - and that's why FIPS supports CRYPT-"SHA256", etc, but not CRYPT-"MD5".

Makes sense, thanks Mark!

Closing as NOTABUG.