#49789 By default, do not manage unhashed password
Closed: fixed 5 months ago by tbordaz. Opened a year ago by tbordaz.

Issue Description

By default nsslapd-unhashed-pw-switch is set to 'on'. So a copy of the unhashed password is kept in modifiers and is possibly logged in changelog and retroCL.

Unless it is used by some plugin, it is not required to keep the unhashed password.
nsslapd-unhashed-pw-switch should be 'off' by default.

Package Version and Platform

1.3.1 and later

Steps to reproduce

  1. install replica and check changelog contains unhashed#user#password

Actual results

contains unhashed#user#password (db file)

Expected results

should not contain if it is not required
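As an added example (not code from the 389-ds project or from this ticket), a small check for the reproduce step above: it parses an LDIF-formatted dump of changelog records, as returned by a search against the retro changelog, and reports which target entries carried the cleartext `unhashed#user#password` attribute, either directly or inside a base64-encoded `changes` value. The three sample records are constructed.

```python
import base64

# Attribute 389-ds adds to modify operations when nsslapd-unhashed-pw-switch is 'on'.
UNHASHED_ATTR = "unhashed#user#password"

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample, not real data: three retro-changelog records in LDIF form.
# 1 leaks cleartext in a base64 'changes'; 2 has only the hash; 3 has a folded dn.
SAMPLE_DUMP = "\n".join([
    "dn: changenumber=1,cn=changelog",
    "targetdn: uid=alice,ou=people,dc=example,dc=com",
    "changes:: " + _b64("replace: unhashed#user#password\nunhashed#user#password: s3cr3t\n-\n"),
    "",
    "dn: changenumber=2,cn=changelog",
    "targetdn: uid=bob,ou=people,dc=example,dc=com",
    "changes:: " + _b64("replace: userPassword\nuserPassword: {PBKDF2-SHA512}...\n-\n"),
    "",
    "dn: changenumber=3,cn=changelog",
    "targetdn: uid=carol,ou=people,",
    " dc=example,dc=com",
    "unhashed#user#password: hunter2",
])

def parse_ldif(text):
    """Split LDIF into records of (attr, value); join folded lines, decode '::' values."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw == "" and lines:              # blank line ends a record
            records.append([_attr(ln) for ln in lines])
            lines = []
        elif raw.startswith(" ") and lines:  # LDIF line folding
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return records

def _attr(line):
    name, _, value = line.partition(":")
    if value.startswith(":"):                # 'attr:: base64'
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return name.strip().lower(), value.strip()

def find_unhashed_leaks(ldif_text):
    """targetdn of every record carrying the cleartext attribute, directly or in 'changes'."""
    leaks = []
    for record in parse_ldif(ldif_text):
        if any(n == UNHASHED_ATTR or UNHASHED_ATTR in v.lower() for n, v in record):
            leaks.append(dict(record).get("targetdn", "?"))
    return leaks
```

Any DN reported means the cleartext password reached the changelog on that server and the switch should be set to 'off' or 'nolog' unless a plugin such as winsync needs it.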


Metadata Update from @tbordaz:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 1.3.7 backlog

a year ago

Metadata Update from @tbordaz:
- Issue assigned to tbordaz

a year ago

Metadata Update from @spichugi:
- Custom field reviewstatus adjusted to ack (was: None)

a year ago

e81fa85 master
51e2f0c..f94a4fe 389-ds-base-1.3.8 -> 389-ds-base-1.3.8
2dbb47e..3b67635 389-ds-base-1.3.7 -> 389-ds-base-1.3.7

Backing out fix as this breaks FreeIPA:

a9fa210..172c60a master -> master

ecd826b..a47ea3a 389-ds-base-1.3.8 -> 389-ds-base-1.3.8

It's okay to leave this in 1.3.7

Can we revisit this? I forget how it broke IPA.

@rcritten, there are two FreeIPA requirements regarding the unhashed password.

ipa-pwd-extop needs the unhashed password, so it needs to enable it, BUT it looks acceptable to not log the password in the changelogs (i.e. 'nsslapd-unhashed-pw-switch: nolog').

With winsync, the unhashed password needs to be logged on all replicas (IIRC). It can be configured to log it ('nsslapd-unhashed-pw-switch: on'), but the impact of the default behavior being 'off' needs evaluation.

Why not default this to off for 389-ds, and then IPA can enable the setting back to on in its install process ... Seems like a pretty easy change IMO.

@firstyear, you are right, it is a pretty easy change, but it needs to be in sync with FreeIPA, which relies on managing/logging the unhashed password. It was pushed/backed out because of this need to sync with FreeIPA.
It should land shortly, once the changes on FreeIPA are tested/reviewed.

Is there a freeipa pagure issue id so we can follow that here? Thanks for the information :)

Sure, this is https://pagure.io/freeipa/issue/4812.
Except for the usual upgrade cases, the main issue is the handling of winsync, which requires managing and logging the unhashed password.

https://bugzilla.redhat.com/show_bug.cgi?id=1639644 --> ON_QA
https://bugzilla.redhat.com/show_bug.cgi?id=1639647 --> POST

Fedora is still in POST (ON_QA for 8.1), so we are still waiting to push this fix upstream.

I closed the Fedora bug because everything was pushed already on July 3rd with FreeIPA 4.8.0.

Metadata Update from @tbordaz:
- Issue set to the milestone: 1.4.1 (was: 1.3.7 backlog)

5 months ago

Metadata Update from @tbordaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago
