Bug 1579700
| Summary: | Upgrade script doesn't enable PBKDF password storage plug-in [rhel-7.5.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | high | ||
| Version: | 7.0 | CC: | aborah, mmuehlfe, mreynolds, msauton, nkinder, rmeggins |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.3.7.5-22 | Doc Type: | Bug Fix |
| Doc Text: | If a Red Hat Directory Server instance was installed using version 10.1.0 or earlier and subsequently updated, the update script did not enable the Password-Based Key Derivation Function version 2 (PBKDF2) plug-in. As a consequence, the PBKDF2_SHA256 password storage scheme could not be used in the nsslapd-rootpwstoragescheme and passwordStorageScheme parameters. This update automatically enables the plug-in. As a result, administrators can now use the PBKDF2_SHA256 password storage scheme. | Story Points: | --- |
| Clone Of: | 1576485 | Environment: | |
| Last Closed: | 2018-06-26 16:49:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1576485 | ||
| Bug Blocks: | |||
|
Description
Oneata Mircea Teodor
2018-05-18 07:20:25 UTC
Test result for 389-ds-base-1.3.5.10-11.el7.x86_64

```
[root@qeos-26 yum.repos.d]# date
Mon May 28 04:57:36 EDT 2018
[root@qeos-26 yum.repos.d]# rpm -q 389-ds-base
389-ds-base-1.3.5.10-21.el7_3.x86_64
[root@qeos-26 yum.repos.d]# ldapmodify -D "cn=Directory Manager" -h localhost -w password -x <<EOF
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: PBKDF2_SHA256
> EOF
modifying entry "cn=config"
ldap_modify: Operations error (1)
additional info: passwordStorageScheme: invalid scheme - PBKDF2_SHA256. Valid schemes are: SSHA, SSHA256, SSHA384, SSHA512, SHA, SHA256, SHA384, SHA512, CRYPT, MD5, SMD5, CLEAR,
[root@qeos-26 yum.repos.d]# ldapsearch -LLL -D "cn=Directory Manager" -w password -b 'cn=Password Storage Schemes,cn=plugins,cn=config' nsslapd-pluginDescription
dn: cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: AES storage scheme plugin
dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: No encryption (CLEAR)
dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT)
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: DES storage scheme plugin
dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: MD5 hash algorithm (MD5)
dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Netscape MD5 (NS-MTA-MD5)
dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA)
dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA256)
dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA384)
dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA512)
dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted MD5 hash algorithm (SMD5)
dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA)
dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA256)
dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA384)
dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)
[root@qeos-26 yum.repos.d]#
```

---------------------------------------------

Test Result for 389-ds-base-1.3.6.1-29.el7_4.x86_64

```
[root@qeos-26 yum.repos.d]# date
Mon May 28 05:05:12 EDT 2018
[root@qeos-26 yum.repos.d]# rpm -q 389-ds-base
389-ds-base-1.3.6.1-29.el7_4.x86_64
[root@qeos-26 yum.repos.d]# ldapmodify -D "cn=Directory Manager" -h localhost -w password -x <<EOF
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: PBKDF2_SHA256
> EOF
modifying entry "cn=config"
ldap_modify: Operations error (1)
additional info: passwordStorageScheme: invalid scheme - PBKDF2_SHA256. Valid schemes are: CLEAR, CRYPT, MD5, SHA, SHA256, SHA384, SHA512, SMD5, SSHA, SSHA256, SSHA384, SSHA512
[root@qeos-26 yum.repos.d]# ldapsearch -LLL -D "cn=Directory Manager" -w password -b 'cn=Password Storage Schemes,cn=plugins,cn=config' nsslapd-pluginDescription
dn: cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: AES storage scheme plugin
dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: No encryption (CLEAR)
dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT)
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: DES storage scheme plugin
dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: MD5 hash algorithm (MD5)
dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Netscape MD5 (NS-MTA-MD5)
dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA)
dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA256)
dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA384)
dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA512)
dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted MD5 hash algorithm (SMD5)
dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA)
dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA256)
dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA384)
dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)
[root@qeos-26 yum.repos.d]#
```

--------------------------------------------------------------------

Test Results for 389-ds-base-1.3.7.5-22.el7_5.x86_64

```
[root@qeos-26 yum.repos.d]# date
Mon May 28 05:08:36 EDT 2018
[root@qeos-26 yum.repos.d]# rpm -q 389-ds-base
389-ds-base-1.3.7.5-22.el7_5.x86_64
[root@qeos-26 yum.repos.d]# ldapmodify -D "cn=Directory Manager" -h localhost -w password -x <<EOF
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: PBKDF2_SHA256
> EOF
modifying entry "cn=config"
[root@qeos-26 yum.repos.d]# ldapsearch -LLL -D "cn=Directory Manager" -w password -b 'cn=Password Storage Schemes,cn=plugins,cn=config' nsslapd-pluginDescription
dn: cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: AES storage scheme plugin
dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: No encryption (CLEAR)
dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT)
dn: cn=CRYPT-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT-MD5)
dn: cn=CRYPT-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT-SHA256)
dn: cn=CRYPT-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Unix crypt algorithm (CRYPT-SHA512)
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: DES storage scheme plugin
dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: MD5 hash algorithm (MD5)
dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Netscape MD5 (NS-MTA-MD5)
dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted PBKDF2 SHA256 hash algorithm (PBKDF2_SHA256)
dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA)
dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA256)
dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA384)
dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Secure Hashing Algorithm (SHA512)
dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted MD5 hash algorithm (SMD5)
dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA)
dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA256)
dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA384)
dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1988 |
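
A post-upgrade check for the condition this bug describes, as an added example that is not part of the bug report or of 389-ds-base: it reads `ldapsearch -LLL` output for `cn=Password Storage Schemes,cn=plugins,cn=config` and reports whether a scheme's plug-in entry is missing, disabled, or present. The function names and sample LDIF are constructed; `nsslapd-pluginEnabled` is the standard 389-ds plug-in attribute and has to be added to the attribute list of the search, since the searches on this page request only `nsslapd-pluginDescription`.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a password storage scheme
# plug-in from `ldapsearch -LLL` output. Does not decode base64 ("dn::") DNs.

# Join LDIF continuation lines (a leading single space continues the previous line).
ldif_unfold() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }'
}

# scheme_state SCHEME   (LDIF on stdin) -> prints missing | disabled | present
scheme_state() {
    ldif_unfold | awk -v scheme="$1" '
        BEGIN {
            want = tolower("cn=" scheme ",cn=Password Storage Schemes,cn=plugins,cn=config")
            state = "missing"
        }
        /^$/ { in_entry = 0; next }
        tolower($0) ~ /^dn:/ {
            dn = tolower($0)               # DNs compare case-insensitively
            sub(/^dn:[ ]*/, "", dn)
            gsub(/[ ]*,[ ]*/, ",", dn)     # ignore spaces around RDN separators
            in_entry = (dn == want)        # exact match: SHA must not match SSHA
            if (in_entry) state = "present"
            next
        }
        in_entry && tolower($0) ~ /^nsslapd-pluginenabled:[ ]*off[ ]*$/ { state = "disabled" }
        END { print state }'
}

# Constructed sample: an instance where the upgrade did not add the PBKDF2 entry.
sample_before_fix() { cat <<'EOF'
dn: cn=Password Storage Schemes,cn=plugins,cn=config

dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginDescription: Salted Secure Hashing Algorithm (SSHA512)
nsslapd-pluginEnabled: on
EOF
}

# Constructed sample: the entry exists; its DN is folded across two lines.
sample_after_fix() { cat <<'EOF'
dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,
 cn=config
nsslapd-pluginDescription: Salted PBKDF2 SHA256 hash algorithm (PBKDF2_SHA256)
nsslapd-pluginEnabled: on
EOF
}
```

Run it against a live instance by piping the `ldapsearch` command from the test results into `scheme_state PBKDF2_SHA256` before changing `passwordStorageScheme`.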