By default nsslapd-unhashed-pw-switch is set to 'on', so a copy of the unhashed password is kept in modifiers and is possibly logged in the changelog and retroCL.
Unless it is used by some plugin, there is no need to keep the unhashed password; nsslapd-unhashed-pw-switch should be 'off' by default.
1.3.1 and later
contains unhashed#user#password (db file)
It should not contain it if it is not required.
Metadata Update from @tbordaz: - Custom field component adjusted to None - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None - Issue set to the milestone: 1.3.7 backlog
Metadata Update from @tbordaz: - Issue assigned to tbordaz
Metadata Update from @spichugi: - Custom field reviewstatus adjusted to ack (was: None)
e81fa85 master
51e2f0c..f94a4fe 389-ds-base-1.3.8 -> 389-ds-base-1.3.8
2dbb47e..3b67635 389-ds-base-1.3.7 -> 389-ds-base-1.3.7
Backing out fix as this breaks FreeIPA:
a9fa210..172c60a master -> master
ecd826b..a47ea3a 389-ds-base-1.3.8 -> 389-ds-base-1.3.8
It's okay to leave this in 1.3.7
Can we revisit this? I forget how it broke IPA.
@rcritten, there are two FreeIPA requirements regarding the unhashed password.
ipa-pwd-extop needs the unhashed password, so it needs to enable it, BUT it looks acceptable to not log the password in the changelogs (i.e. 'nsslapd-unhashed-pw-switch: nolog').
With winsync, the unhashed password needs to be logged on all replicas (IIRC). It can be configured to log it ('nsslapd-unhashed-pw-switch: on'), but the impact of the default behavior being 'off' needs evaluation.
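Added example, not code from the 389-ds-base project or from this ticket: a small Python check that covers the two operational questions raised in the description and in the reply above, namely whether an export (db2ldif output or a changelog dump) still carries unhashed#user#password, what nsslapd-unhashed-pw-switch is currently set to in a dse.ldif dump, and the ldapmodify LDIF that switches it to 'off' (nothing kept) or 'nolog' (kept for plugins such as ipa-pwd-extop, not logged in the changelogs). The sample LDIF, the function names and the 'on' fallback for an absent attribute are constructed for illustration; the fallback mirrors the default the ticket opens with, not necessarily the default of a build that carries this fix.

```python
import base64
from typing import Dict, Iterator, List

# Attribute 389-ds adds to an entry when nsslapd-unhashed-pw-switch is 'on';
# it is what ends up in the db file, the changelog and the retro changelog.
UNHASHED_ATTR = "unhashed#user#password"


def _unfold(text: str) -> Iterator[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    current = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current += raw[1:]
            continue
        if current is not None:
            yield current
        current = raw
    if current is not None:
        yield current


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF records into dicts of lower-cased attribute name -> values.
    Handles base64 values ('attr:: ...'); skips comments and 'version:' lines."""
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if line == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def find_unhashed_passwords(ldif_text: str) -> List[str]:
    """Return the DNs of records in an export that still carry the clear-text copy."""
    return [e["dn"][0] for e in parse_ldif(ldif_text) if UNHASHED_ATTR in e]


def unhashed_pw_switch_value(dse_ldif_text: str, default: str = "on") -> str:
    """Read nsslapd-unhashed-pw-switch from a dse.ldif dump of cn=config.
    When the attribute is absent the server default applies; 'on' is assumed
    here because that is the default the ticket describes (pass default='off'
    for a build carrying this fix)."""
    for e in parse_ldif(dse_ldif_text):
        if e.get("dn", [""])[0].lower() == "cn=config":
            return e.get("nsslapd-unhashed-pw-switch", [default])[0].lower()
    return default


def unhashed_pw_switch_ldif(value: str) -> str:
    """Build the ldapmodify LDIF that sets nsslapd-unhashed-pw-switch on cn=config.
    'off' drops the clear-text copy, 'nolog' keeps it for plugins but out of the
    changelogs, 'on' keeps and logs it (what winsync deployments need)."""
    if value not in ("on", "off", "nolog"):
        raise ValueError("nsslapd-unhashed-pw-switch must be on, off or nolog")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-unhashed-pw-switch\n"
        f"nsslapd-unhashed-pw-switch: {value}\n"
    )


# Constructed sample export (not real data): alice was exported while the
# switch was 'on', bob after it was set to 'off'.
SAMPLE_EXPORT = """\
version: 1

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}c2FsdGVkaGFzaGVkdmFsdWU=
unhashed#user#password:: U3VwZXJTZWNyZXQxMjMh

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {SSHA}c2FsdGVkaGFzaGVkdmFsdWU=
"""

# Constructed dse.ldif fragment (not real data).
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-unhashed-pw-switch: on
"""

if __name__ == "__main__":
    print("switch:", unhashed_pw_switch_value(SAMPLE_DSE))
    print("entries with clear-text copy:", find_unhashed_passwords(SAMPLE_EXPORT))
    print(unhashed_pw_switch_ldif("nolog"))
```

Run it against a real `db2ldif` or `dbscan` dump to see which entries or changelog records still carry the clear-text attribute before flipping the switch; note that changing the switch does not scrub copies already written to the changelog.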
Metadata Update from @tbordaz: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228
Metadata Update from @tbordaz: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228, https://bugzilla.redhat.com/show_bug.cgi?id=1592226 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228)
Metadata Update from @tbordaz: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228, https://bugzilla.redhat.com/show_bug.cgi?id=1592226, https://bugzilla.redhat.com/show_bug.cgi?id=1639644 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228, https://bugzilla.redhat.com/show_bug.cgi?id=1592226)
Why not default this to off for 389-ds, and then IPA can enable the setting back to on in its install process... Seems like a pretty easy change IMO.
@firstyear, you are right, it is a pretty easy change, but it needs to be synced with FreeIPA, which relies on managing/logging the unhashed password. It was pushed/backed out because of this need to sync with FreeIPA. It should land shortly, once the changes on the FreeIPA side are tested/reviewed.
Is there a freeipa pagure issue id so we can follow that here? Thanks for the information :)
Sure, this is https://pagure.io/freeipa/issue/4812. Except for the usual upgrade cases, the main issue is the handling of winsync, which requires managing and logging the unhashed password.
Great, thank you!
Metadata Update from @tbordaz: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228, https://bugzilla.redhat.com/show_bug.cgi?id=1592226, https://bugzilla.redhat.com/show_bug.cgi?id=1639644,https://bugzilla.redhat.com/show_bug.cgi?id=1639647 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228, https://bugzilla.redhat.com/show_bug.cgi?id=1592226, https://bugzilla.redhat.com/show_bug.cgi?id=1639644)
https://pagure.io/freeipa/issue/4812 was pushed upstream. Waiting for https://bugzilla.redhat.com/show_bug.cgi?id=1639644 (8.1) and https://bugzilla.redhat.com/show_bug.cgi?id=1639647 (Fedora) to be MODIFIED to push this 389-ds patch upstream.
https://bugzilla.redhat.com/show_bug.cgi?id=1639644 --> ON_QA
https://bugzilla.redhat.com/show_bug.cgi?id=1639647 --> POST
Fedora is still in POST (ON_QA for 8.1), so we are still waiting to push this fix upstream.
I closed fedora bug because everything was pushed already on July 3rd with FreeIPA 4.8.0.
https://pagure.io/389-ds-base/pull-request/50496
b84669f..104be99 master
align milestone to release https://bugzilla.redhat.com/show_bug.cgi?id=1639644 -> 1.4.1
Metadata Update from @tbordaz: - Issue set to the milestone: 1.4.1 (was: 1.3.7 backlog)
Metadata Update from @tbordaz: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: https://github.com/389ds/389-ds-base/issues/2848
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)