Bug 182509 - RFE: cleartext userPassword value is sent unencrypted
RFE: cleartext userPassword value is sent unencrypted
Product: 389
Classification: Community
Component: Replication - General (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Rich Megginson
Chandrasekar Kannan
Depends On:
Blocks: 512820 690319
  Show dependency treegraph
Reported: 2006-02-22 17:24 EST by Ulf Weltman
Modified: 2015-01-04 18:19 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-01-09 17:47:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ulf Weltman 2006-02-22 17:24:58 EST
Description of problem:
When a changelog is enabled and a userPassword is modified, both the hash and
the cleartext are logged for winsync's benefit:
replace: userPassword
userPassword: {SSHA}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
replace: unhashed#user#password
unhashed#user#password: secret12

The change (including the cleartext password) is sent to replicas (where the
cleartext password is actually ignored, see #182507).

We should probably require that MMR is configured with SSL if passwords are sent
in the clear.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Configure two replicas with MMR, M1 and M2.
2.Change a userPassword in M2.

Actual results:

Expected results:

Additional info:
Comment 1 Sander Grendelman 2006-10-12 05:07:30 EDT
The "unhashed#user#password" value is also stored in plain text in the
replication changelog under /opt/fedora-ds/slapd-<instance>/changelogdb/ .
Comment 2 Rich Megginson 2006-10-12 13:47:35 EDT
We are working to address this issue in the upcoming RHDS 7.2 release.  The fix
will also go into the next version of Fedora DS.
Comment 3 Ulf Weltman 2006-10-12 14:02:10 EDT
Yes, by being changelogged is how it ends up getting replayed to replicas.

Rich, without unhashed#user#password it's not possible to write password policy
plugins since the userPassword is already hashed when MOD pre-op is called so
you're not taking it out I guess.  Is the fix to skip it for changelogging?
Comment 4 Rich Megginson 2006-10-12 14:07:05 EDT
Yes.  I think the fix will involve these things:
1) Do not store unhashed#user#password in the changelog or send it over the wire
2) Disable password syntax checking and password policy for replicated changes

Note that if using Digest MD5 for authentication, you must store the clear text
password in the database, in the userPassword attribute.
Comment 9 Rich Megginson 2008-06-23 13:49:39 EDT
Note that with RHDS 8.0.0-14 and later, you can use fractional replication to
exclude that attribute.
Comment 10 Rich Megginson 2009-01-14 12:55:07 EST
revisit in 8.2
Comment 16 Martin Kosek 2012-01-04 08:50:06 EST
Upstream ticket:
Comment 17 Noriko Hosoi 2012-01-09 17:47:27 EST
This issue had been already treated when bz 182507 was solved.

Note You need to log in before you can comment on or make changes to this bug.