From e71dc2707950d2a98fa052849793908bf2d7f85f Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: May 08 2020 19:14:46 +0000 Subject: Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema Description: FreeIPA LDAP update code relies on the schema retrieval when deciding what to do with values of single-valued LDAP attributes. In the case attribute is single-valued and some value was present in the original entry for this attribute, it would use MOD_REPLACE. Otherwise, it uses MOD_DELETE + MOD_ADD. Many attributes used in cn=config entries have no formal schema defined. Since by default an attribute is multi-valued, this fails the logic above for actual single-valued attributes, like nsslapd-enable-upgrade-hash. It means FreeIPA has to write special logic to handle just this attribute. It would be good to expose schema for nsslapd-enable-upgrade-hash. We need to change its value to off in all FreeIPA installations because ipa-pwd-extop plugin prevents hashed passwords in updates due to a need to regenerate Kerberos hashes on a password change. It means upgrade of a password hash on LDAP bind will never work in FreeIPA. Note - this does move us closer to our goal of adding all the configuration attributes to the schema. fixes: https://pagure.io/389-ds-base/issue/51078 Reviewed by: mreynolds (one line commit rule)
---
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index f4123f2..24e81f9 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -314,6 +314,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2353 NAME 'nsslapd-encryptionalgorithm'
 attributeTypes: ( 2.16.840.1.113730.3.1.2084 NAME 'nsSymmetricKey' DESC 'A symmetric key - currently used by attribute encryption' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'attribute encryption' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2364 NAME 'nsds5replicaLastInitStatusJSON' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2365 NAME 'nsds5replicaLastUpdateStatusJSON' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2370 NAME 'nsslapd-enable-upgrade-hash' DESC 'Upgrade password hash on bind' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
 #
 # objectclasses
 #
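Review bot: The new attributeType's DESC does not state the accepted values, even though the commit message itself depends on the attribute taking `on`/`off` (FreeIPA needs to set it to `off`); since the whole point of the change is to let schema-driven update code reason about this attribute, consider `DESC 'Upgrade password hash on bind (on/off)'` so consumers can see the value domain without reading server documentation. Keeping SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (DirectoryString) rather than the LDAP Boolean syntax looks deliberate, because the Boolean syntax only admits TRUE/FALSE and would reject the existing on/off values. The OID 2.16.840.1.113730.3.1.2370 jumps past the adjacent 2364 and 2365; this hunk cannot show whether 2366–2369 are already allocated elsewhere in 01core389.ldif, so it is worth confirming the OID is unique in the file before merge, as a duplicate OID would make the schema load fail or silently alias another attribute. The X-ORIGIN '389 Directory Server' differs from the neighbouring 'Netscape Directory Server' entries; that appears to be the convention for newer definitions in this file, but if the file has a preferred value for new config attributes it should match.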