Bug 1579700 - Upgrade script doesn't enable PBKDF password storage plug-in [rhel-7.5.z]
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: mreynolds
QA Contact: Viktor Ashirov
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1576485
Blocks:
Reported: 2018-05-18 07:20 UTC by Oneata Mircea Teodor
Modified: 2018-06-26 16:49 UTC

Fixed In Version: 389-ds-base-1.3.7.5-22
Doc Type: Bug Fix
Doc Text:
If a Red Hat Directory Server instance was installed using version 10.1.0 or earlier and subsequently updated, the update script did not enable the Password-Based Key Derivation Function version 2 (PBKDF2) plug-in. As a consequence, the PBKDF2_SHA256 password storage scheme could not be used in the nsslapd-rootpwstoragescheme and passwordStorageScheme parameters. This update automatically enables the plug-in. As a result, administrators can now use the PBKDF2_SHA256 password storage scheme.
Clone Of: 1576485
Environment:
Last Closed: 2018-06-26 16:49:33 UTC


Links
System ID: Red Hat Product Errata RHBA-2018:1988
Priority: None
Status: None
Summary: None
Last Updated: 2018-06-26 16:49:53 UTC

Description Oneata Mircea Teodor 2018-05-18 07:20:25 UTC
This bug has been copied from bug #1576485 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 3 Anuj Borah 2018-05-28 09:47:25 UTC
Test result for 389-ds-base-1.3.5.10-11.el7.x86_64

[root@qeos-26 yum.repos.d]# date
Mon May 28 04:57:36 EDT 2018
[root@qeos-26 yum.repos.d]# rpm -q 389-ds-base
389-ds-base-1.3.5.10-21.el7_3.x86_64
[root@qeos-26 yum.repos.d]# ldapmodify -D "cn=Directory Manager" -h localhost -w password -x <<EOF
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: PBKDF2_SHA256
> EOF
modifying entry "cn=config"
ldap_modify: Operations error (1)
	additional info: passwordStorageScheme: invalid scheme - PBKDF2_SHA256. Valid schemes are: SSHA, SSHA256, SSHA384, SSHA512, SHA, SHA256, SHA384, SHA512, CRYPT, MD5, SMD5, CLEAR, 

[root@qeos-26 yum.repos.d]# ldapsearch -LLL -D "cn=Directory Manager" -w password -b 'cn=Password Storage Schemes,cn=plugins,cn=config' nsslapd-pluginDescription
dn: cn=Password Storage Schemes,cn=plugins,cn=config

dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: AES storage scheme plugin

dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: No encryption (CLEAR)

dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT)

dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: DES storage scheme plugin

dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: MD5 hash algorithm (MD5)

dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Netscape MD5 (NS-MTA-MD5)

dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA)

dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA256)

dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA384)

dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA512)

dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted MD5 hash algorithm (SMD5)

dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA)

dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA256)

dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA384)

dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)

[root@qeos-26 yum.repos.d]# 

---------------------------------------------

Test Result for  389-ds-base-1.3.6.1-29.el7_4.x86_64

[root@qeos-26 yum.repos.d]# date 
Mon May 28 05:05:12 EDT 2018
[root@qeos-26 yum.repos.d]# rpm -q 389-ds-base
389-ds-base-1.3.6.1-29.el7_4.x86_64
[root@qeos-26 yum.repos.d]# ldapmodify -D "cn=Directory Manager" -h localhost -w password -x <<EOF
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: PBKDF2_SHA256
> EOF
modifying entry "cn=config"
ldap_modify: Operations error (1)
	additional info: passwordStorageScheme: invalid scheme - PBKDF2_SHA256. Valid schemes are: CLEAR, CRYPT, MD5, SHA, SHA256, SHA384, SHA512, SMD5, SSHA, SSHA256, SSHA384, SSHA512

[root@qeos-26 yum.repos.d]# ldapsearch -LLL -D "cn=Directory Manager" -w password -b 'cn=Password Storage Schemes,cn=plugins,cn=config' nsslapd-pluginDescription
dn: cn=Password Storage Schemes,cn=plugins,cn=config

dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: AES storage scheme plugin

dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: No encryption (CLEAR)

dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT)

dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: DES storage scheme plugin

dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: MD5 hash algorithm (MD5)

dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Netscape MD5 (NS-MTA-MD5)

dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA)

dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA256)

dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA384)

dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA512)

dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted MD5 hash algorithm (SMD5)

dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA)

dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA256)

dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA384)

dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)

[root@qeos-26 yum.repos.d]# 

--------------------------------------------------------------------

Test Results for 389-ds-base-1.3.7.5-22.el7_5.x86_64

[root@qeos-26 yum.repos.d]# date 
Mon May 28 05:08:36 EDT 2018
[root@qeos-26 yum.repos.d]# rpm -q 389-ds-base
389-ds-base-1.3.7.5-22.el7_5.x86_64
[root@qeos-26 yum.repos.d]# ldapmodify -D "cn=Directory Manager" -h localhost -w password -x <<EOF
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: PBKDF2_SHA256
> EOF
modifying entry "cn=config"

[root@qeos-26 yum.repos.d]# ldapsearch -LLL -D "cn=Directory Manager" -w password -b 'cn=Password Storage Schemes,cn=plugins,cn=config' nsslapd-pluginDescription
dn: cn=Password Storage Schemes,cn=plugins,cn=config

dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: AES storage scheme plugin

dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: No encryption (CLEAR)

dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT)

dn: cn=CRYPT-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT-MD5)

dn: cn=CRYPT-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT-SHA256)

dn: cn=CRYPT-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT-SHA512)

dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: DES storage scheme plugin

dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: MD5 hash algorithm (MD5)

dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Netscape MD5 (NS-MTA-MD5)

dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted PBKDF2 SHA256 hash algorithm (PBKDF2_SHA256)

dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA)

dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA256)

dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA384)

dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA512)

dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted MD5 hash algorithm (SMD5)

dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA)

dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA256)

dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA384)

dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)
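
A pre-check for the condition tested in Comment 3, as an added example that is not part of the bug report: it reads `ldapsearch -LLL` output for the Password Storage Schemes container and reports whether a scheme's plug-in entry exists before passwordStorageScheme is changed. The function names and sample LDIF are constructed here, and nsslapd-pluginEnabled is an attribute the report's queries do not request.

```shell
#!/bin/sh
# Added example: classify a 389-ds password storage scheme plug-in from LDIF.
#   missing  - no entry whose first RDN is exactly cn=<scheme>
#   present  - entry exists, nsslapd-pluginEnabled was not returned
#   enabled | disabled - value of nsslapd-pluginEnabled on that entry
scheme_state() {
    awk -v want="$1" '
        function flush(   pos, attr, val) {    # one unfolded LDIF line
            if (line == "") { inentry = 0; return }   # blank ends an entry
            pos = index(line, ":"); if (pos == 0) return
            attr = tolower(substr(line, 1, pos - 1))
            val = tolower(substr(line, pos + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (attr == "dn") {
                sub(/,.*/, "", val)                   # keep the first RDN only
                inentry = (val == "cn=" tolower(want))
                if (inentry && state == "missing") state = "present"
            } else if (inentry && attr == "nsslapd-pluginenabled") {
                state = (val == "on") ? "enabled" : "disabled"
            }
        }
        BEGIN { state = "missing"; line = "" }
        /^ / { line = line substr($0, 2); next }      # folded continuation
        { flush(); line = $0 }
        END { flush(); print state }
    '
}

# Constructed samples, abridged from the listings in Comment 3.
ldif_before_fix() { cat <<'EOF'
dn: cn=Password Storage Schemes,cn=plugins,cn=config

dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA256)
EOF
}
ldif_after_fix() { ldif_before_fix; cat <<'EOF'

dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted PBKDF2 SHA256 hash algorithm (PBKDF2_SHA256)
EOF
}
# Constructed: folded DN plus a disabled plug-in (not a case from the report).
ldif_disabled() { printf '%s\n' 'dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,' \
    ' cn=plugins,cn=config' 'nsslapd-pluginEnabled: off'; }
for f in ldif_before_fix ldif_after_fix ldif_disabled; do
    printf '%s: %s\n' "$f" "$($f | scheme_state PBKDF2_SHA256)"
done
```

To get `enabled` or `disabled` rather than `present`, add nsslapd-pluginEnabled to the attribute list of the ldapsearch shown in Comment 3.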

Comment 7 errata-xmlrpc 2018-06-26 16:49:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1988