Ticket 49421 - Implement password hash upgrade on bind.
Bug Description: As time goes on, password hash mechanisms
change and need to become more resistant to brute force and
other attacks. However long lived, and service passwords do
not change frequently - and in fact, frequent password changes
is a security anti-pattern which is now discouraged.
As a result, it's important to be able to improve the
cryptographic strength and resitance of our passwords for
users as time goes on.
Fix Description: We can implement this because during a bind
operation we have short amount of access to the plaintext
password - we then use that to upgrade the content of the
hash. This builds on Emanuel's proof of concept to improve the
testing of the feature, as well as to avoid updating clear/crypt
due to potential application integrations.
https://pagure.io/389-ds-base/issue/49421
Author: Emanuel Rietveld <https://pagure.io/user/codehotter>
William Brown <william@blackhats.net.au>
Review by: mreynolds, mhonek (Thanks!)