Bug | Resolution: Done-Errata | Normal | Moderate | 389-ds-base-2.6.1-1.el9 | rhel-idm-ds | Enhancement | Done
Description of problem:
nsslapd-enable-upgrade-hash is enabled:
$ dsconf <INSTANCE> config get nsslapd-enable-upgrade-hash
nsslapd-enable-upgrade-hash: on
$
Passwords are updated to use a stronger scheme when moving from SSHA512 to PBKDF2_SHA256
but other combinations are failing.
Version-Release number of selected component (if applicable):
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
$
$ rpm -qa | grep ^389-ds
389-ds-base-1.4.3.34-1.module+el8dsrv+18528+22f7779f.x86_64
389-ds-base-libs-1.4.3.34-1.module+el8dsrv+18528+22f7779f.x86_64
$
How reproducible:
Always.
Steps to Reproduce:
1. Enable "nsslapd-enable-upgrade-hash"
2. Set the password storage scheme to "CRYPT"
3. Create a user with a password
4. Check the storage scheme of the password
5. Change the scheme to "CRYPT-SHA512" or "PBKDF2_SHA256"
6. Perform a successful BIND
7. Check with which scheme the password is encrypted.
Actual results:
A password encrypted with the "CRYPT" scheme is not updated to stronger schemes upon a successful BIND.
Expected results:
Passwords should be updated to use the configured and stronger scheme.
Additional info:
External trackers / links to: RHBA-2024:144130 389-ds-base bug fix and enhancement update
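To verify step 7 of the report (which scheme a stored password actually uses after a successful BIND) across many entries, here is an added shell example; it is not code from the bug report or from 389-ds-base. It assumes an LDIF dump of userPassword values from an ldapsearch run (the invocation in the comment is assumed) and constructs its own sample LDIF.

```shell
# Added example, not code from the bug report or from 389-ds-base: report
# which storage scheme each entry's userPassword actually uses, to confirm
# whether a successful BIND upgraded {CRYPT} hashes to the configured one.
# Input: LDIF from an assumed "ldapsearch -LLL ... userPassword" run, which
# base64-encodes userPassword ("::") and folds long values with a leading space.

# Join LDIF continuation lines (leading space) back onto their attribute.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Print the scheme tag (CRYPT, CRYPT-SHA512, PBKDF2_SHA256, ...) of one
# unfolded userPassword line; NONE when the value has no {SCHEME} prefix.
password_scheme() {
    case $1 in
        userPassword::\ *) value=$(printf '%s' "${1#userPassword:: }" | base64 -d) ;;
        userPassword:\ *)  value=${1#userPassword: } ;;
        *) return 1 ;;
    esac
    scheme=$(printf '%s\n' "$value" | sed -n 's/^{\([^}]*\)}.*/\1/p')
    printf '%s\n' "${scheme:-NONE}"
}

# Read LDIF on stdin; print "dn<TAB>scheme" for each entry whose password
# is NOT stored with the expected scheme, i.e. was not (yet) upgraded.
audit_password_schemes() {
    expected=$1
    unfold_ldif | while IFS= read -r line; do
        case $line in
            dn:\ *) dn=${line#dn: } ;;
            userPassword:*) scheme=$(password_scheme "$line") || continue
                [ "$scheme" = "$expected" ] || printf '%s\t%s\n' "$dn" "$scheme" ;;
        esac
    done
}

# Constructed sample: alice still has a {CRYPT} hash (base64 of
# "{CRYPT}$6$salt$hash", folded across two lines); bob was already upgraded.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e0NSWVBUfSQ2JH
 NhbHQkaGFzaA==

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {PBKDF2_SHA256}AAAIAHNhbHQ
'
printf '%s' "$SAMPLE_LDIF" | audit_password_schemes PBKDF2_SHA256
```

Entries listed by the audit are the ones whose hash was not upgraded; after the reporter's step 6 (a successful BIND) they should disappear from the output once the fix is in place.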