#49789 By default, do not manage unhashed password
Opened 9 months ago by tbordaz. Modified 2 months ago

Issue Description

By default nsslapd-unhashed-pw-switch is set to 'on'. So a copy of the unhashed password is kept in modifiers and is possibly logged in changelog and retroCL.

Unless it is used by some plugin, it is not required to keep the unhashed password.
nsslapd-unhashed-pw-switch should be 'off' by default.

Package Version and Platform

1.3.1 and later

Steps to reproduce

  1. Install a replica and check that the changelog contains unhashed#user#password

Actual results

contains unhashed#user#password (db file)

Expected results

should not contain if it is not required


Metadata Update from @tbordaz:
- Issue set to the milestone: 1.3.7 backlog

9 months ago

Metadata Update from @tbordaz:
- Issue assigned to tbordaz

9 months ago

Metadata Update from @spichugi:
- Custom field reviewstatus adjusted to ack (was: None)

8 months ago

e81fa85 master
51e2f0c..f94a4fe 389-ds-base-1.3.8 -> 389-ds-base-1.3.8
2dbb47e..3b67635 389-ds-base-1.3.7 -> 389-ds-base-1.3.7

Backing out fix as this breaks FreeIPA:

a9fa210..172c60a master -> master

ecd826b..a47ea3a 389-ds-base-1.3.8 -> 389-ds-base-1.3.8

It's okay to leave this in 1.3.7

Can we revisit this? I forget how it broke IPA.

@rcritten, there are two FreeIPA requirements regarding the unhashed password.

ipa-pwd-extop needs the unhashed password, so it needs to enable it, BUT it looks acceptable to not log the password in the changelogs (i.e. 'nsslapd-unhashed-pw-switch: nolog').

With winsync, where the unhashed password needs to be logged on all replicas (IIRC), it can be configured to log it ('nsslapd-unhashed-pw-switch: on'), but the impact of the default behavior being 'off' needs evaluation.
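
An audit sketch for the behaviour discussed in this ticket, added here as an example and not part of the ticket or of 389-ds-base: it reads nsslapd-unhashed-pw-switch from a copy of dse.ldif and lists entries in an LDIF export of the changelog that name unhashed#user#password, including values that the LDIF output has base64-encoded and folded. It assumes the changelog is available as LDIF text; the sample entries, their DNs and the function names are constructed for illustration.

```python
import base64
import re

ATTR = "unhashed#user#password"        # pseudo-attribute named in the ticket
SWITCH = "nsslapd-unhashed-pw-switch"  # cn=config setting named in the ticket

def entries(ldif_text):
    """Yield LDIF entries as lists of (lowercased attr, decoded value) pairs."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        pairs = []
        for line in block.splitlines():
            m = re.match(r"([A-Za-z0-9;#.\-]+)(::?) ?(.*)$", line)
            if line.startswith("#") or not m:
                continue  # comment or non-attribute line
            name, sep, value = m.groups()
            if sep == "::":  # base64 value: a plain grep would not see inside it
                value = base64.b64decode(value).decode("utf-8", "replace")
            pairs.append((name.lower(), value))
        if pairs:
            yield pairs

def switch_setting(dse_ldif):
    """Value set on cn=config, or None when the build's default applies."""
    for entry in entries(dse_ldif):
        attrs = dict(entry)
        if attrs.get("dn", "").lower() == "cn=config":
            value = attrs.get(SWITCH)
            return value.lower() if value else None
    return None

def leaked_changes(changelog_ldif):
    """DNs of changelog entries whose decoded content names ATTR."""
    return [dict(e).get("dn") for e in entries(changelog_ldif)
            if any(ATTR in n or ATTR in v.lower() for n, v in e)]

def _folded_b64(text):
    """Constructed-sample helper: base64 a value and fold it as LDIF output would."""
    b64 = base64.b64encode(text.encode()).decode()
    return b64[:40] + "\n " + b64[40:]

# Constructed sample data (not taken from the ticket or a real server).
SAMPLE_DSE = "dn: cn=config\ncn: config\nnsslapd-unhashed-pw-switch: on\n"
SAMPLE_CHANGELOG = (
    "dn: changenumber=1,cn=changelog\nchanges:: "
    + _folded_b64("replace: unhashed#user#password\n"
                  "unhashed#user#password: CONSTRUCTED-VALUE\n-\n")
    + "\n\ndn: changenumber=2,cn=changelog\n"
    "changes: replace: description\n")

if __name__ == "__main__":
    print("switch:", switch_setting(SAMPLE_DSE) or "unset (build default)")
    print("entries to review:", leaked_changes(SAMPLE_CHANGELOG))
```

A result of None from switch_setting means the attribute is not set on cn=config, so the effective behaviour is whatever default the installed build ships with.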
