Issue #49789: By default, do not manage unhashed password - 389-ds-base

389-ds-base

#49789 By default, do not manage unhashed password

Opened 5 months ago by tbordaz. Modified 17 days ago

Issue Description

By default nsslapd-unhashed-pw-switch is set to 'on'. So a copy of the unhashed password is kept in modifiers and is possibly logged in changelog and retroCL.

Unless it is used by some plugin it does not require to keep unhash password
nsslapd-unhashed-pw-switch should be 'off' by default

Package Version and Platform

1.3.1 and later

Steps to reproduce

install replica and check changelog contains unhashed#user#password

Actual results

contains unhashed#user#password (db file)

Expected results

should not contain if it is not required

Metadata Update from @tbordaz:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 1.3.7 backlog

5 months ago

Metadata Update from @tbordaz:
- Issue assigned to tbordaz

5 months ago

Metadata Update from @spichugi:
- Custom field reviewstatus adjusted to ack (was: None)

4 months ago

tbordaz commented 4 months ago

e81fa85 master
51e2f0c..f94a4fe 389-ds-base-1.3.8 -> 389-ds-base-1.3.8
2dbb47e..3b67635 389-ds-base-1.3.7 -> 389-ds-base-1.3.7

Edited 4 months ago by tbordaz

mreynolds commented 4 months ago

Backing out fix as this breaks FreeIPA:

a9fa210..172c60a master -> master

ecd826b..a47ea3a 389-ds-base-1.3.8 -> 389-ds-base-1.3.8

It's okay to leave this in 1.3.7

rcritten commented 23 days ago

Can we revisit this? I forget how it broke IPA.

tbordaz commented 23 days ago

@rcritten, there are two FreeIPA requirement regarding unhashed password.

ipa-pwd-extop, needs the unhashed password. so it needs to enable it BUT it looks acceptable to not log the password in the changelogs ( (i.e. 'nsslapd-unhashed-pw-switch: nolog') .

with winsync, where the unhashed password needs to be logged on all replicas (IIRC). It can be configured to log it ('nsslapd-unhashed-pw-switch: on') but the impact of the default behavior being 'off' needs evaluation.

Metadata Update from @tbordaz:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228

17 days ago

Metadata Update from @tbordaz:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228, https://bugzilla.redhat.com/show_bug.cgi?id=1592226 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1595766,https://bugzilla.redhat.com/show_bug.cgi?id=1592228)

17 days ago

Metadata

Assignee

tbordaz

Tags

None

Blocking

None

Depending on

None

Priority

None

Milestone

1.3.7 backlog

reviewstatus

ack

component

None

version

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1595766
https://bugzilla.redhat.com/show_bug.cgi?id=1592228
https://bugzilla.redhat.com/show_bug.cgi?id=1592226

keywords

None

origin

None

type

None

389-ds-base

Source Code

#49789 By default, do not manage unhashed password Opened 5 months ago by tbordaz. Modified 17 days ago

Close issue as:

Issue Description

Package Version and Platform

Steps to reproduce

Actual results

Expected results

Metadata

#49789 By default, do not manage unhashed password

Opened 5 months ago by tbordaz. Modified 17 days ago