Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 545620

Summary: Password cannot start with minus sign
Product: [Retired] 389
Component: Install/Uninstall
Version: 1.3.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Endi Sukma Dewata <edewata>
Assignee: Nathan Kinder <nkinder>
QA Contact: Ben Levenson <benl>
CC: amsharma, nhosoi, nkinder, rmeggins
Doc Type: Bug Fix
Last Closed: 2015-01-23 04:21:04 UTC
Bug Blocks: 543590, 639035
Attachments: Patch (flags: rmeggins: review+)

Description Endi Sukma Dewata 2009-12-08 23:35:26 UTC
A minus (-) sign at the beginning of the password will cause a problem during DS instance creation. The minus sign will be interpreted incorrectly as an option by the pwdhash so it will fail.

This problem sometimes affects the Samba test, although very rarely, because the test generates random passwords that may include this character.

Given a fixed input, this problem can be reproduced consistently. Execute start-ds.pl and enter a password starting with a minus sign:

Directory Manager DN [cn=Directory Manager]:
Password: -abcdefg
Password (confirm): -abcdefg
/usr/bin/pwdhash-bin: invalid option -- 'a'
usage: /usr/bin/pwdhash-bin -D config-dir [-H] [-s scheme | -c comparepwd ] password...
Could not import LDIF file '/tmp/ldifYNMV3w.ldif'.  Error: 256.  Output: importing data ...
[08/Dec/2009:16:34:21 -0600] dse - The entry cn=config in file /etc/dirsrv/slapd-test/dse.ldif is invalid, error code 89 (Bad parameter to an ldap routine) - nsslapd-rootpw: password scheme mismatch (passwd scheme is SSHA; password is clear text)
[08/Dec/2009:16:34:21 -0600] dse - Could not load config file [dse.ldif]
[08/Dec/2009:16:34:21 -0600] dse - Please edit the file to correct the reported problems and then restart the server.

Rich suggested that the pwdhash should support a '--' parameter and the setup tool should be changed to call 'pwdhash -- $pwdtohash' to avoid this problem.

The failure to load dse.ldif is caused by empty nsslapd-rootpw, presumably caused by the pwdhash failure earlier. The setup tool should terminate as soon as a problem with pwdhash is detected.
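
The failure described above and both suggested fixes (a '--' terminator and stopping when hashing fails), as an added example that is not the 389 setup code or the attached patch. It assumes a constructed stand-in, toy_pwdhash, that parses options with getopts and uses cksum in place of a real password hash; all function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for a getopt-style hashing CLI; NOT the real pwdhash.
# cksum stands in for a real password hash purely to keep the demo offline.
toy_pwdhash() {
    OPTIND=1
    scheme=SSHA
    while getopts "s:H" opt; do
        case "$opt" in
            s) scheme=$OPTARG ;;
            H) ;;
            *) echo "usage: toy_pwdhash [-H] [-s scheme] password" >&2
               return 2 ;;
        esac
    done
    shift $((OPTIND - 1))      # drops parsed options and a leading "--"
    [ "$#" -eq 1 ] || return 2
    printf '{%s}%s\n' "$scheme" "$(printf '%s' "$1" | cksum | cut -d' ' -f1)"
}

# Behaviour from the report: the password sits where options are parsed and
# the exit status is ignored, so an empty value is written to the config line.
rootpw_line_unsafe() {
    printf 'nsslapd-rootpw: %s\n' "$(toy_pwdhash "$1" 2>/dev/null)"
}

# Both fixes: "--" ends option parsing, and any hashing failure or empty
# result stops the caller before a config line is produced.
rootpw_line_safe() {
    hashed=$(toy_pwdhash -s SSHA -- "$1") || return 1
    [ -n "$hashed" ] || return 1
    printf 'nsslapd-rootpw: %s\n' "$hashed"
}

rootpw_line_unsafe "-abcdefg"   # empty value after the colon
rootpw_line_safe "-abcdefg"     # hashed value
```
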

Comment 1 Endi Sukma Dewata 2010-03-03 19:17:12 UTC
Created attachment 397640
Patch

Patch tested on Fedora 12.

Comment 2 Rich Megginson 2010-03-03 20:32:34 UTC
pushed to master

To ssh://git.fedorahosted.org/git/389/ds.git
   0f6734d..e8f5064  master -> master
commit e8f50642bd3e19ad528b453850304611ab86506d
Author: Endi S. Dewata <edewata>
Date:   Wed Mar 3 13:25:45 2010 -0600

Comment 4 Amita Sharma 2011-07-27 13:48:21 UTC
Thanks Nathan for the steps :)
Tested Comment#3 working fine:
ldapsearch -x -p 389 -h localhost -D "cn=Directory Manager" -w -amitasharma -b "cn=config"

ldapsearch -x -p 389 -h localhost -D "cn=Directory Manager" -w -amita-sharma- -b "cn=config"

Marking as VERIFIED.

Comment 6 Nathan Kinder 2015-01-23 04:21:04 UTC
This fix was included long ago in 389-ds-base-1.2.6.  Closing this out.