6a0ece1 Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema

Authored and Committed by mreynolds 3 years ago
    Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
    
    Description:
    
    FreeIPA LDAP update code relies on the schema retrieval when
    deciding what to do with values of single-valued LDAP attributes.
    In the case the attribute is single-valued and some value was present
    in the original entry for this attribute, it would use MOD_REPLACE.
    Otherwise, it uses MOD_DELETE + MOD_ADD.
    
    Many attributes used in cn=config entries have no formal schema
    defined. Since by default an attribute is multi-valued, this fails
    the logic above for actual single-valued attributes, like
    nsslapd-enable-upgrade-hash. It means FreeIPA has to write special
    logic to handle just this attribute.
    
    It would be good to expose schema for nsslapd-enable-upgrade-hash.
    We need to change its value to off in all FreeIPA installations
    because ipa-pwd-extop plugin prevents hashed passwords in updates
    due to a need to regenerate Kerberos hashes on a password change.
    It means an upgrade of a password hash on LDAP bind will never work
    in FreeIPA.
    
    Note - this does move us closer to our goal of adding all the
    configuration attributes to the schema.
    
    fixes: https://pagure.io/389-ds-base/issue/51078
    
    Reviewed by: mreynolds (one line commit rule)
    
file modified
+1 -0