Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1833266
Description of problem:
An upgraded version of 389-ds 1.4.1.6 will raise errors in the logs due to the inability to update passwords to new password-schemes.

Version-Release number of selected component (if applicable):
389-ds 1.4.1.6

How reproducible:
Always

Steps to Reproduce:
1. Install IDM prior to 389-ds 1.4.1.6
2. Create users and passwords
3. Upgrade to 389-ds 1.4.1.6 or later

Actual results:
Warning messages written to /var/log/dirsrv/slapd-<instance>/errors:
WARN - update_pw_encoding - Modify error 19 on entry '<user-dn>'

Expected results:
No warning messages reported

Additional info:
Due to the integration of Kerberos into IDM, passwords need to be given in cleartext in order to be updated. As there are only hashes stored in IDM, the update_pw_encoding() mechanism will not be able to update these and raises the warning messages.
Metadata Update from @cheimes: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1833266
Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4674
- Issue assigned to cheimes
- Issue priority set to: important
- Issue tagged with: bug
master:
ipa-4-8:
Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to 389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.
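For checking whether a server still logs the warning quoted in the description, the following added example (not part of the ticket or of FreeIPA/389-ds code) extracts the affected entries from an errors log and counts them per LDAP result code. The timestamp prefix, the DNs and the helper names are assumptions made for the example; only the `WARN - update_pw_encoding - Modify error 19 on entry '...'` text comes from the ticket.

```python
import re
from collections import Counter

# Constructed sample input: timestamps and DNs are made up for illustration.
SAMPLE_LOG = """\
[12/May/2020:09:14:02.118734562 +0200] - WARN - update_pw_encoding - Modify error 19 on entry 'uid=alice,cn=users,cn=accounts,dc=example,dc=test'
[12/May/2020:09:14:05.557120013 +0200] - INFO - slapd_daemon - slapd started.
[12/May/2020:09:20:41.004518820 +0200] - WARN - update_pw_encoding - Modify error 19 on entry 'uid=bob,cn=users,cn=accounts,dc=example,dc=test'
[12/May/2020:09:31:17.730019444 +0200] - WARN - update_pw_encoding - Modify error 19 on entry 'UID=Alice,cn=users,cn=accounts,dc=example,dc=test'
[12/May/2020:09:32:00.000000001 +0200] - WARN - other_function - unrelated warning
"""

# Greedy DN match up to the closing quote at end of line, so a quote
# inside the DN does not truncate it.
WARN_RE = re.compile(
    r"WARN - update_pw_encoding - Modify error (?P<rc>\d+) "
    r"on entry '(?P<dn>.*)'\s*$"
)

# LDAP result code seen in the ticket; 19 is constraintViolation (RFC 4511).
LDAP_RESULT = {19: "constraintViolation"}


def parse_failures(text):
    """Return {result_code: Counter({case-folded DN: hits})}."""
    failures = {}
    for line in text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        # Fold case so repeated binds by the same user are grouped together.
        dn = m.group("dn").casefold()
        failures.setdefault(int(m.group("rc")), Counter())[dn] += 1
    return failures


def report(text):
    """Flatten to sorted (code, code_name, dn, hits) rows for review."""
    rows = []
    for rc, dns in sorted(parse_failures(text).items()):
        for dn, hits in sorted(dns.items()):
            rows.append((rc, LDAP_RESULT.get(rc, "unknown"), dn, hits))
    return rows


if __name__ == "__main__":
    for rc, name, dn, hits in report(SAMPLE_LOG):
        print(f"{hits:3d}  error {rc} ({name})  {dn}")
```

An empty report on a log that covers user binds after the upgrade indicates the warning is no longer being produced.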