This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2239170 - Passwords are not being updated to use the configured storage scheme ( nsslapd-enable-upgrade-hash is enabled ).
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 11.7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: DS12.5
Target Release: dirsrv-12.5
Assignee: LDAP Maintainers
QA Contact: LDAP QA Team
Docs Contact: Evgenia Martynyuk
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2023-09-15 17:00 UTC by Têko Mihinto
Modified: 2024-06-26 13:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-06-26 13:49:44 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   DIRSRV-18 0 None None Red Hat Issue Tracker 2024-06-26 13:49:43 UTC
Red Hat Issue Tracker IDMDS-4131 0 None None None 2024-02-14 16:33:04 UTC

Description Têko Mihinto 2023-09-15 17:00:13 UTC
Description of problem:
nsslapd-enable-upgrade-hash is enabled:

$ dsconf <INSTANCE> config get nsslapd-enable-upgrade-hash
nsslapd-enable-upgrade-hash: on
$

Passwords are updated to use a stronger scheme when moving from SSHA512 to PBKDF2_SHA256
but other combinations are failing.

Version-Release number of selected component (if applicable):

$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.8 (Ootpa)
$
$ rpm -qa | grep ^389-ds
389-ds-base-1.4.3.34-1.module+el8dsrv+18528+22f7779f.x86_64
389-ds-base-libs-1.4.3.34-1.module+el8dsrv+18528+22f7779f.x86_64
$

How reproducible:
Always.

Steps to Reproduce:
1. Enable "nsslapd-enable-upgrade-hash"
2. Set the password storage scheme to "CRYPT"
3. Create a user with a password
4. Check the storage scheme of the password
5. Change the scheme to "CRYPT-SHA512" or "PBKDF2_SHA256"
6. Perform a successful BIND
7. Check with which scheme the password is encrypted.

Actual results:
A password encrypted with the "CRYPT" scheme is not updated to stronger schemes upon a successful BIND.

Expected results:
Passwords should be updated to use the configured and stronger scheme.

Additional info:

Comment 1 Têko Mihinto 2023-09-15 17:03:22 UTC
This is working fine when moving from SSHA512 to PBKDF2_SHA256.

$ ldapsearch -xLLL  -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password: 
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: e1NTSEE1MTJ9Y0tUcThlcnNDeSszOXRLaThpV1dUVjM2M0dIdUxWNVMrT3FJVXp4OVZNbHBkcytBMUdZTWo4Z0NJNllGQmZwY3hGTkdRMnpET3RPNml2NFdLam55b3oxdFFmK3hmZ0dl

$
$ echo e1NTSEE1MTJ9Y0tUcThlcnNDeSszOXRLaThpV1dUVjM2M0dIdUxWNVMrT3FJVXp4OVZNbHBkcytBMUdZTWo4Z0NJNllGQmZwY3hGTkdRMnpET3RPNml2NFdLam55b3oxdFFmK3hmZ0dl| base64 --decode
{SSHA512}cKTq8ersCy+39tKi8iWWTV363GHuLV5S+OqIUzx9VMlpds+A1GYMj8gCI6YFBfpcxFNGQ2zDOtO6iv4WKjnyoz1tQf+xfgGe# 
$

$ dsconf -D "cn=Directory Manager" ldaps://localhost:1636 pwpolicy set --pwdscheme=PBKDF2_SHA256
Enter password for cn=Directory Manager on ldaps://localhost:1636: 
Successfully updated global password policy
$

$ ldapsearch -xLLL  -o ldif-wrap=no -D "cn=User_1,ou=people,dc=example,dc=com" -W -H ldaps://localhost:1636 -b "" -sbase defaultNamingContext
Enter LDAP Password: 
dn:
defaultNamingContext: dc=cette,dc=localdomain
$

$ ldapsearch -xLLL  -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password: 
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: 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

$

$ echo "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" | base64 --decode ; echo
{PBKDF2_SHA256}AAAIABmR3fQ/KSImjA1Uc2eBz980607nvIdS3FfVGKuoKADo/9X33TrI3ZAOM0VtephO1vPvyWYXTz3f9q1cNIapjYC0i4GuCxIa5qTzAFrWXOouzWMIuSYMxTOIdzpnXB0nMHEet8hMJnl2NUvQgHH2nSd1EcwJMb1FpD9o+yU2UEc/uZ0OYP0r/4BZ57c5xWjemvDNmmYS3/aCQTyYIco1+sG8xSHiGIM5hzoaZeGpJAMuJpmW+vhJYn7sPNOjic3ZgHfQJ8NaWwRAlM0J4vb6eu3P5ezBw+QCby97+Xu8xb2srjWeTJEdy2UZS4iBNgFByZPub8DWOBeJoYuNvnyQ78A3Y1NSLr4VDlVLU7hyFHE/aFND38AFAi0nE1qPJt/ltTziHbAQYtWSP8kL6gVDuzbmtG2JCEBTpDm5XmEwY9c5
$

Comment 2 Têko Mihinto 2023-09-15 17:07:39 UTC
It's failing when moving from other storage schemes:

Using CRYPT scheme:
+++++++++++++++++++++++

$ dsconf -D "cn=Directory Manager" ldaps://localhost:1636 pwpolicy set --pwdscheme=CRYPT
Enter password for cn=Directory Manager on ldaps://localhost:1636:
Successfully updated global password policy
$

Created a new password here.

$ ldapsearch -xLLL  -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password:
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fU9CYjVsVlBiQkQzODY=

$
$ echo e2NyeXB0fU9CYjVsVlBiQkQzODY= | base64 --decode ; echo
{crypt}OBb5lVPbBD386
$


Using CRYPT-SHA512 scheme:
+++++++++++++++++++++++++++

$ dsconf -D "cn=Directory Manager" ldaps://localhost:1636 pwpolicy set --pwdscheme=CRYPT-SHA512
Enter password for cn=Directory Manager on ldaps://localhost:1636:
Successfully updated global password policy
$

$ ldapsearch -xLLL  -o ldif-wrap=no -D "cn=User_1,ou=people,dc=example,dc=com" -W -H ldaps://localhost:1636 -b "" -sbase defaultNamingContext
Enter LDAP Password:
dn:
defaultNamingContext: dc=cette,dc=localdomain

$

Password is not updated to use the new scheme:

$ ldapsearch -xLLL  -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password:
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fU9CYjVsVlBiQkQzODY=

$

Using PBKDF2_SHA256 scheme:
+++++++++++++++++++++++++++++

$ dsconf -D "cn=Directory Manager" ldaps://localhost:1636 pwpolicy set --pwdscheme=PBKDF2_SHA256
Enter password for cn=Directory Manager on ldaps://localhost:1636:
Successfully updated global password policy
$

$ ldapsearch -xLLL  -o ldif-wrap=no -D "cn=User_1,ou=people,dc=example,dc=com" -W -H ldaps://localhost:1636 -b "" -sbase defaultNamingContext
Enter LDAP Password:
dn:
defaultNamingContext: dc=cette,dc=localdomain

$
$ ldapsearch -xLLL  -o ldif-wrap=no -D "cn=Directory Manager" -W -H ldaps://localhost:1636 -b "dc=example,dc=com" cn=User_1 userPassword
Enter LDAP Password:
dn: cn=User_1,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fU9CYjVsVlBiQkQzODY=

$

Password is still encrypted with the CRYPT scheme.
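
The comments above decide whether the upgrade happened by hand: base64-decode each userPassword value and read the {SCHEME} prefix. The following script automates that check over ldapsearch output so an administrator can list every entry whose stored hash still differs from the configured scheme (the symptom reported here: after a successful BIND with nsslapd-enable-upgrade-hash on, such entries should disappear from the list). It is an added example written for this page, not code from the bug report or from 389-ds-base. The LDIF it parses is constructed: the first two userPassword values are the base64 strings quoted in the comments (decoding to a {crypt} and an {SSHA512} hash), the third is a made-up PBKDF2_SHA256 value encoded at runtime. The comparison is by scheme tag only; it does not validate hash parameters such as PBKDF2 iteration counts, and scheme names are compared case-insensitively because the server writes {crypt} for the CRYPT scheme.

```python
import base64
import re

# Constructed sample of `ldapsearch -LLL` output. The first two userPassword
# values are the base64 strings shown in the bug report (they decode to a
# {crypt} and an {SSHA512} hash); the third entry is constructed here and
# encoded at runtime, so it is not a real PBKDF2 hash.
SAMPLE_LDIF = (
    "dn: cn=User_1,ou=people,dc=example,dc=com\n"
    "userPassword:: e2NyeXB0fU9CYjVsVlBiQkQzODY=\n"
    "\n"
    "dn: cn=User_2,ou=people,dc=example,dc=com\n"
    # Long value folded onto a continuation line, as ldapsearch does when
    # -o ldif-wrap=no is not given.
    "userPassword:: e1NTSEE1MTJ9Y0tUcThlcnNDeSszOXRLaThpV1dUVjM2M0dIdUxWNVMrT3FJVXp4OVZNbHBkcytBMUdZ\n"
    " TWo4Z0NJNllGQmZwY3hGTkdRMnpET3RPNml2NFdLam55b3oxdFFmK3hmZ0dl\n"
    "\n"
    "dn: cn=User_3,ou=people,dc=example,dc=com\n"
    "userPassword:: "
    + base64.b64encode(b"{PBKDF2_SHA256}AAAIAConstructedSaltAndHash").decode()
    + "\n"
)

# A stored password value starts with its scheme tag in braces, e.g. {SSHA512}.
SCHEME_RE = re.compile(rb"^\{([^}]+)\}")


def unfold_ldif(text):
    """Join LDIF continuation lines: a line beginning with one space continues the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Return [{'dn': str, 'userPassword': bytes}, ...] for every entry that carries a userPassword."""
    entries, current = [], {}
    for line in unfold_ldif(text) + [""]:  # trailing "" flushes the last entry
        if line == "":
            if current.get("dn") and "userPassword" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("dn: "):
            current["dn"] = line[4:]
        elif line.startswith("userPassword:: "):  # '::' marks a base64-encoded value
            current["userPassword"] = base64.b64decode(line[15:])
        elif line.startswith("userPassword: "):  # ':' marks a value stored as-is
            current["userPassword"] = line[14:].encode()
    return entries


def stored_scheme(value):
    """Scheme tag of a stored userPassword value, upper-cased; None when there is no tag (clear text)."""
    match = SCHEME_RE.match(value)
    return match.group(1).decode("ascii", "replace").upper() if match else None


def find_unupgraded(ldif_text, configured_scheme):
    """(dn, stored scheme) for each entry whose hash does not use the configured scheme."""
    want = configured_scheme.upper()
    report = []
    for entry in parse_ldif(ldif_text):
        scheme = stored_scheme(entry["userPassword"])
        if scheme != want:
            report.append((entry["dn"], scheme))
    return report


if __name__ == "__main__":
    # With the policy set to PBKDF2_SHA256, User_1 and User_2 are reported as not yet upgraded.
    for dn, scheme in find_unupgraded(SAMPLE_LDIF, "PBKDF2_SHA256"):
        print(f"{dn}: stored with {scheme or 'clear text'}, expected PBKDF2_SHA256")
```

To run it against a live instance, feed it the output of the same ldapsearch used in the comments (bound as cn=Directory Manager, since ordinary users cannot read userPassword), for example with `-o ldif-wrap=no` or without it, as the parser unfolds continuation lines. Running the check before and after the affected users bind gives a direct measure of whether the upgrade-on-bind is taking effect for each starting scheme.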

Comment 3 Viktor Ashirov 2024-06-26 13:49:44 UTC
This BZ has been automatically migrated to Red Hat Issue Tracker https://issues.redhat.com/browse/DIRSRV-18. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

