Bug 918715 - [RFE] Add option to disable writing unhashed#user#password to changelog
Summary: [RFE] Add option to disable writing unhashed#user#password to changelog
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-03-06 18:16 UTC by Nathan Kinder
Modified: 2020-09-13 20:22 UTC
CC: 5 users

Fixed In Version: 389-ds-base-1.3.1.2-1.el7
Doc Type: Enhancement
Doc Text:
Feature: A new config parameter, nsslapd-unhashed-pw-switch, in cn=config. The parameter takes 3 values: on - the unhashed password is stored in the entry extension and logged in the changelog. nolog - the unhashed password is stored in the entry extension but not logged in the changelog. off - the unhashed password is not stored in the entry extension. Reason: If there is no need to store an unhashed password in the replication changelog, this can be controlled by the new config parameter.
Clone Of:
Environment:
Last Closed: 2014-06-13 09:45:59 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links:
Github 389ds/389-ds-base issue 561, status closed, summary "disable writing unhashed#user#password to changelog", last updated 2020-09-24 19:13:14 UTC

Description Nathan Kinder 2013-03-06 18:16:53 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/561

For cases where the clear text password must absolutely not be stored any where, and for cases where changelog encryption is not suitable, there should be some way to disable writing unhashed#user#password to the changelog.

Comment 1 Jenny Severance 2013-03-08 19:10:50 UTC
Introducing a config parameter nsslapd-unhashed-pw-switch
   to cn=config.  The parameter takes 3 values:
   on    - unhashed password is stored in the entry extension
           and logged in the changelog.
   nolog - unhashed password is stored in the entry extension
           but not logged in the changelog.
   off   - unhashed password is not stored in the entry extension.

Comment 2 Rich Megginson 2013-10-01 23:27:16 UTC
moving all ON_QA bugs to MODIFIED in order to add them to the errata (can't add bugs in the ON_QA state to an errata).  When the errata is created, the bugs should be automatically moved back to ON_QA.

Comment 5 Noriko Hosoi 2013-11-08 22:55:23 UTC
<Steps to verify>
1. Set up MMR
2. On one master,
2-1 Set nsslapd-unhashed-pw-switch to on (this is the default behaviour)
2-2 Add a user with a password
2-3 dbscan changelog and check unhashed user password is stored.
3. On the master,
3-1 Set nsslapd-unhashed-pw-switch to nolog
3-2 Add a user with a password
3-3 dbscan changelog and check unhashed user password is NOT stored.
4. On the master,
4-1 Set nsslapd-unhashed-pw-switch to off
4-2 Add a user with a password
4-3 dbscan changelog and check unhashed user password is NOT stored.

The difference between off and nolog is ...
off: the unhashed user password is not stored in memory.
nolog: the unhashed user password is in memory for the plug-ins to use it, but not stored in the changelog.
I think you don't have to test that part since nolog is used and tested by IPA.
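
An added example (not code from the 389-ds-base project or from anyone on this bug) that automates the check in the steps above and in the parameter description in Comment 1: it parses a `dbscan -f` dump of the replication changelog and reports every record that still carries unhashed#user#password, so a nolog or off setting can be confirmed mechanically rather than by eye. The record layout it parses, the sample dump, the dbids, the hash values and the function names are all assumptions constructed for the example; adjust parse_dbscan() to the real dbscan output before relying on it.

```python
"""Audit a dbscan changelog dump for clear-text password leakage.

Added example, not part of 389-ds-base. The record layout parsed here (a
'dbid:' line opening each record, 'dn:' and 'changetype:' lines, attribute
lines indented with tabs, a bare 'change:' section marker) is an assumption
modelled on the lines quoted in this bug, not the exact dbscan format.
"""
import sys
from dataclasses import dataclass, field

UNHASHED_ATTR = "unhashed#user#password"
VALID_SWITCH_VALUES = ("on", "nolog", "off")


@dataclass
class ChangeRecord:
    """One changelog entry: its dbid, target dn, changetype and attribute values."""
    dbid: str
    dn: str = ""
    changetype: str = ""
    attrs: dict = field(default_factory=dict)


def parse_dbscan(text: str) -> list:
    """Split dbscan output into ChangeRecord objects (assumed layout, see above)."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dbid":
            current = ChangeRecord(dbid=value)
            records.append(current)
        elif current is None:
            continue  # attribute line before any record header: ignore
        elif name == "dn":
            current.dn = value
        elif name == "changetype":
            current.changetype = value
        elif value:
            # LDAP attribute names are case-insensitive, so they are keyed lowercased;
            # bare section markers such as 'change:' carry no value and are skipped.
            current.attrs.setdefault(name, []).append(value)
    return records


def find_unhashed_leaks(records: list) -> list:
    """Return (dbid, dn) for every record that still holds the clear-text password."""
    return [(r.dbid, r.dn) for r in records if UNHASHED_ATTR in r.attrs]


def audit(text: str, switch: str) -> tuple:
    """Check a dump against the configured nsslapd-unhashed-pw-switch value.

    Returns (ok, leaks). With 'nolog' or 'off' the changelog must not contain
    the attribute at all; with 'on' its presence is the documented behaviour.
    """
    if switch not in VALID_SWITCH_VALUES:
        raise ValueError(f"unknown nsslapd-unhashed-pw-switch value: {switch!r}")
    leaks = find_unhashed_leaks(parse_dbscan(text))
    ok = switch == "on" or not leaks
    return ok, leaks


# Constructed sample dump: the first record was written with the switch 'on',
# the second after it was changed to 'nolog'. The hashes are fake placeholders.
SAMPLE_DUMP = """\
dbid: 52808bb9000000010000
\tchangetype: add
\tdn: uid=amsharma,dc=example,dc=com
\tchange:
\t\tuid: ams
\t\tuserPassword: {SSHA}ZmFrZWRpZ2VzdGZvcmV4YW1wbGU=
\t\tunhashed#user#password: amsamsams
dbid: 52808bba000000010000
\tchangetype: add
\tdn: uid=amsharma10,dc=example,dc=com
\tchange:
\t\tuid: ams
\t\tuserPassword: {SSHA}YW5vdGhlcmZha2VkaWdlc3Q=
"""

if __name__ == "__main__":
    # Usage: python audit_changelog.py <dbscan-output-file> <on|nolog|off>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            dump = fh.read()
        switch = sys.argv[2]
    else:
        dump, switch = SAMPLE_DUMP, "nolog"
    ok, leaks = audit(dump, switch)
    for dbid, dn in leaks:
        print(f"clear-text password in changelog record {dbid} for {dn}")
    print("OK" if ok else f"FAIL: switch={switch} but {len(leaks)} record(s) leak")
    sys.exit(0 if ok else 1)
```

Run it against `dbscan -f <changelog.db> > dump.txt` output with the value you set in cn=config; a non-zero exit with nolog or off means a record written before the switch was changed (or a server that did not pick up the change) still holds the clear-text password, which is exactly the condition the steps above grep for.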

Comment 6 Amita Sharma 2013-11-11 08:47:19 UTC
[root@dhcp201-149 changelog]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 Beta (Maipo)

Build :: [root@dhcp201-149 changelog]# rpm -qa | grep 389
389-ds-base-1.3.1.6-8.el7.x86_64
389-ds-base-libs-1.3.1.6-8.el7.x86_64

Setup ::
tcp6       0      0 :::30100                :::*                    LISTEN      17579/./ns-slapd
tcp6       0      0 :::30102                :::*                    LISTEN      16428/ns-slapd
tcp6       0      0 :::30104                :::*                    LISTEN      16869/ns-slapd
tcp6       0      0 :::30106                :::*                    LISTEN      17347/ns-slapd
tcp6       0      0 :::7295                 :::*                    LISTEN      15170/ns-slapd

svrbld   15170     1  0 13:15 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dhcp201-149 -i /var/run/dirsrv/slapd-dhcp201-149.pid -w /var/run/dirsrv/slapd-dhcp201-149.startpid
svrbld   16428     1  0 13:17 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M2 -i /var/run/dirsrv/slapd-M2.pid -w /var/run/dirsrv/slapd-M2.startpid
svrbld   16869     1  0 13:17 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M3 -i /var/run/dirsrv/slapd-M3.pid -w /var/run/dirsrv/slapd-M3.startpid
svrbld   17347     1  0 13:17 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-M4 -i /var/run/dirsrv/slapd-M4.pid -w /var/run/dirsrv/slapd-M4.startpid
svrbld   17579     1  0 13:17 ?        00:00:00 ./ns-slapd -D /etc/dirsrv/slapd-M1 -i /var/run/dirsrv/slapd-M1.pid -w /var/run/dirsrv/slapd-M1.startpid
svrbld   19322 12156  0 13:20 pts/0    00:00:00 grep --color=auto slapd

Case 1
=======
[root@dhcp201-149 etc]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: on

ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
dn: uid=amsharma,dc=example,dc=com
cn: ams
sn: ams
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams
EOF

[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep password
		unhashed#user#password: amsamsams
		unhashed#user#password: amsamsams

Case 2
=======
[root@dhcp201-149 changelog]# ldapmodify -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-unhashed-pw-switch
> nsslapd-unhashed-pw-switch: nolog
> EOF
modifying entry "cn=config"

[root@dhcp201-149 changelog]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: nolog

ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
dn: uid=amsharma10,dc=example,dc=com
cn: ams
sn: ams
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams10
EOF


[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep password
		unhashed#user#password: amsamsams
		unhashed#user#password: amsamsams
[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep amsamsams10
[root@dhcp201-149 changelog]#

Case 3
=======
[root@dhcp201-149 changelog]# ldapmodify -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123 << EOF
dn: cn=config
changetype: modify
replace: nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: off
> EOF
modifying entry "cn=config"

[root@dhcp201-149 changelog]# ldapsearch -h localhost -p 30100 -D "cn=directory manager" -w Secret123 -b "cn=config" | grep -i nsslapd-unhashed-pw-switch
nsslapd-unhashed-pw-switch: off

[root@dhcp201-149 changelog]# ldapadd -x -h localhost -p 30100 -D "cn=Directory Manager" -w Secret123  << EOF
dn: uid=amsharma110,dc=example,dc=com
cn: ams
sn: ams
givenname: ams
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: ams
mail: ams
userpassword: amsamsams110
EOF

adding new entry "uid=amsharma110,dc=example,dc=com"

[root@dhcp201-149 changelog]# dbscan -f 9587a189-4aa511e3-88f5b7e0-5277f04f_52808bb9000000010000.db | grep amsamsams110
[root@dhcp201-149 changelog]#

Hence marking VERIFIED.

Comment 9 Ludek Smid 2014-06-13 09:45:59 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

