
Passwords are not being updated to use the configured storage scheme ( nsslapd-enable-upgrade-hash is enabled ).


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • rhel-9.6
    • 389-ds-base
    • 389-ds-base-2.6.1-1.el9
    • Moderate
    • rhel-idm-ds
    • Enhancement
      Directory Server can now update passwords stored with the CRYPT or CLEAR hashing algorithm after a successful bind

      Before this update, Directory Server had a hard-coded list of hashing algorithms that were excluded from the password update performed on a successful bind. As a result, Directory Server did not update user passwords stored with the CRYPT or CLEAR algorithm to the scheme configured in the `passwordStorageScheme` attribute.

      With this update, you can set the list of hashing algorithms that must be excluded from password updates by using the `nsslapd-scheme-list-no-upgrade-hash` configuration attribute. By default, `nsslapd-scheme-list-no-upgrade-hash` contains CRYPT and CLEAR for backward compatibility.

      Description of problem:
      nsslapd-enable-upgrade-hash is enabled:

      $ dsconf <INSTANCE> config get nsslapd-enable-upgrade-hash
      nsslapd-enable-upgrade-hash: on
      $

      Passwords are updated to use a stronger scheme when moving from SSHA512 to PBKDF2_SHA256
      but other combinations are failing.

      Version-Release number of selected component (if applicable):

      $ cat /etc/redhat-release
      Red Hat Enterprise Linux release 8.8 (Ootpa)
      $
      $ rpm -qa | grep ^389-ds
      389-ds-base-1.4.3.34-1.module+el8dsrv+18528+22f7779f.x86_64
      389-ds-base-libs-1.4.3.34-1.module+el8dsrv+18528+22f7779f.x86_64
      $

      How reproducible:
      Always.

      Steps to Reproduce:
      1. Enable "nsslapd-enable-upgrade-hash"
      2. Set the password storage scheme to "CRYPT"
      3. Create a user with a password
      4. Check the storage scheme of the password
      5. Change the scheme to "CRYPT-SHA512" or "PBKDF2_SHA256"
      6. Perform a successful BIND
      7. Check with which scheme the password is encrypted.

      Actual results:
      A password encrypted with the "CRYPT" scheme is not updated to stronger schemes upon a successful BIND

      Expected results:
      Passwords should be updated to use the configured and stronger scheme.

      Additional info:
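The upgrade-on-bind behaviour described in the reproduction steps and in the release note above, modelled as an added audit check (example code written for this page, not code from 389-ds-base or from the report): it reads an LDIF export of `userPassword` values, here a constructed sample with placeholder hash bodies, and lists the accounts whose stored scheme is on the `nsslapd-scheme-list-no-upgrade-hash` list and so will not be re-hashed to the configured scheme on a successful bind. The names `DEFAULT_NO_UPGRADE`, `stored_scheme`, `will_upgrade_on_bind` and `audit_ldif` are the example's own.

```python
"""Audit 389 DS userPassword schemes (constructed example, not 389-ds-base code).
Models the upgrade-on-bind rule from RHEL-62875: a successful bind re-hashes the
password with the configured passwordStorageScheme only when
nsslapd-enable-upgrade-hash is on, the stored scheme differs, and the stored
scheme is not in nsslapd-scheme-list-no-upgrade-hash (CRYPT and CLEAR by default)."""
import re

DEFAULT_NO_UPGRADE = ("CRYPT", "CLEAR")  # default nsslapd-scheme-list-no-upgrade-hash

# {SCHEME} prefix that 389 DS writes in front of a stored hash, e.g. {PBKDF2_SHA256}
_PREFIX = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def stored_scheme(user_password: str) -> str:
    """Scheme name of a userPassword value; no {SCHEME} prefix means clear text."""
    m = _PREFIX.match(user_password)
    return m.group(1).upper() if m else "CLEAR"

def will_upgrade_on_bind(stored, configured, upgrade_enabled=True,
                         no_upgrade=DEFAULT_NO_UPGRADE):
    """True if a successful bind re-hashes the password with `configured`."""
    if not upgrade_enabled or stored == configured.upper():
        return False
    return stored not in {s.upper() for s in no_upgrade}

def audit_ldif(ldif_text, configured, no_upgrade=DEFAULT_NO_UPGRADE):
    """(dn, scheme) pairs whose stored hash will never converge to `configured`
    on bind, i.e. accounts that need an explicit password reset to move schemes."""
    stuck, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword: ") and dn:
            scheme = stored_scheme(line[len("userPassword: "):])
            if scheme != configured.upper() and not will_upgrade_on_bind(
                    scheme, configured, True, no_upgrade):
                stuck.append((dn, scheme))
    return stuck

# Constructed sample export; the hash bodies are placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {CRYPT}placeholder

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {SSHA512}placeholder

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: {PBKDF2_SHA256}placeholder
"""
```

Passing `no_upgrade=()` to `audit_ldif` models clearing `nsslapd-scheme-list-no-upgrade-hash`, after which the CRYPT entry is upgraded on bind as well.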

              idm-ds-dev-bugs (IdM DS Dev)
              rhn-support-tmihinto (Têko Mihinto)
              Viktor Ashirov
              Evgenia Martyniuk