Bug 545620 - Password cannot start with minus sign
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Install/Uninstall
Version: 1.3.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Ben Levenson
Blocks: 389_1.2.6 639035
Reported: 2009-12-08 23:35 UTC by Endi Sukma Dewata
Modified: 2015-01-23 04:21 UTC (History)

Doc Type: Bug Fix
Last Closed: 2015-01-23 04:21:04 UTC
Patch (1.00 KB, patch)
2010-03-03 19:17 UTC, Endi Sukma Dewata
rmeggins: review+

Description Endi Sukma Dewata 2009-12-08 23:35:26 UTC
A minus (-) sign at the beginning of the password will cause a problem during DS instance creation. The minus sign will be interpreted incorrectly as an option by the pwdhash so it will fail.

This problem sometimes affects the Samba test, although very rarely, because the test generates random passwords that may include this character.

Given a fixed input, this problem can be reproduced consistently. Execute start-ds.pl and enter a password starting with a minus sign:

Directory Manager DN [cn=Directory Manager]:
Password: -abcdefg
Password (confirm): -abcdefg
/usr/bin/pwdhash-bin: invalid option -- 'a'
usage: /usr/bin/pwdhash-bin -D config-dir [-H] [-s scheme | -c comparepwd ] password...
Could not import LDIF file '/tmp/ldifYNMV3w.ldif'.  Error: 256.  Output: importing data ...
[08/Dec/2009:16:34:21 -0600] dse - The entry cn=config in file /etc/dirsrv/slapd-test/dse.ldif is invalid, error code 89 (Bad parameter to an ldap routine) - nsslapd-rootpw: password scheme mismatch (passwd scheme is SSHA; password is clear text)
[08/Dec/2009:16:34:21 -0600] dse - Could not load config file [dse.ldif]
[08/Dec/2009:16:34:21 -0600] dse - Please edit the file to correct the reported problems and then restart the server.

Rich suggested that the pwdhash should support a '--' parameter and the setup tool should be changed to call 'pwdhash -- $pwdtohash' to avoid this problem.

The failure to load dse.ldif is caused by empty nsslapd-rootpw, presumably caused by the pwdhash failure earlier. The setup tool should terminate as soon as a problem with pwdhash is detected.
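
The two changes requested above (a `--` end-of-options marker and aborting as soon as hashing fails), sketched as an added shell example; this is not the 389 DS code or the attached patch. `hash_tool` is a hypothetical stand-in for pwdhash with a placeholder digest, and `set_rootpw_unsafe` / `set_rootpw_safe` are hypothetical callers.

```shell
#!/bin/sh
# hash_tool: hypothetical stand-in for a hashing CLI that takes "-s scheme".
# getopts stops at "--", so anything after it is an operand, never an option.
hash_tool() {
    OPTIND=1
    scheme=SSHA
    while getopts "s:" opt; do
        case "$opt" in
            s) scheme=$OPTARG ;;
            *) echo "usage: hash_tool [-s scheme] [--] password" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    if [ $# -ne 1 ] || [ -z "$1" ]; then
        echo "usage: hash_tool [-s scheme] [--] password" >&2
        return 2
    fi
    # Placeholder digest (CRC via cksum), NOT a real password hash.
    printf '{%s}%s\n' "$scheme" "$(printf '%s' "$1" | cksum | cut -d' ' -f1)"
}

# Before: the password lands in option position and the exit status is
# dropped, so a failed hash becomes an empty nsslapd-rootpw line.
set_rootpw_unsafe() {
    printf 'nsslapd-rootpw: %s\n' "$(hash_tool "$1" 2>/dev/null)"
}

# After: "--" ends option parsing, and any hashing failure aborts before
# a config line is written.
set_rootpw_safe() {
    hashed=$(hash_tool -- "$1") || {
        echo "password hashing failed, aborting setup" >&2
        return 1
    }
    printf 'nsslapd-rootpw: %s\n' "$hashed"
}

# Sample password taken from the report above.
set_rootpw_unsafe '-abcdefg'   # attribute value comes out empty
set_rootpw_safe '-abcdefg'     # attribute value is {SSHA}<digest>
```

The same marker also keeps a password such as `-sCLEAR` from being read as a scheme selection.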

Comment 1 Endi Sukma Dewata 2010-03-03 19:17:12 UTC
Created attachment 397640
Patch

Patch tested on Fedora 12.

Comment 2 Rich Megginson 2010-03-03 20:32:34 UTC
pushed to master

To ssh://git.fedorahosted.org/git/389/ds.git
   0f6734d..e8f5064  master -> master
commit e8f50642bd3e19ad528b453850304611ab86506d
Author: Endi S. Dewata <edewata>
Date:   Wed Mar 3 13:25:45 2010 -0600

Comment 4 Amita Sharma 2011-07-27 13:48:21 UTC
Thanks Nathan for the steps :)
Tested Comment#3, working fine:
 ldapsearch -x -p 389 -h localhost -D "cn=Directory Manager" -w -amitasharma -b "cn=config"

ldapsearch -x -p 389 -h localhost -D "cn=Directory Manager" -w -amita-sharma- -b "cn=config"

Marking as VERIFIED.

Comment 6 Nathan Kinder 2015-01-23 04:21:04 UTC
This fix was included long ago in 389-ds-base-1.2.6.  Closing this out.

