#9238 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ds_configcheck_passwordstorage
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by frenaud.

The nightly test test_ipahealthcheck.py::TestIpaHealthCheck::test_ds_configcheck_passwordstorage started failing in rawhide with 389ds update to 2.3.0-1.fc38.

See PR #2026 with the following report:

self = <ipatests.test_integration.test_ipahealthcheck.TestIpaHealthCheck object at 0x7fa4cece1110>
modify_pwdstoragescheme = None

    def test_ds_configcheck_passwordstorage(self, modify_pwdstoragescheme):
        """
        This testcase ensures that ConfigCheck reports CRITICAL
        status when nsslapd-rootpwstoragescheme is set to MD5
        from the required PBKDF2_SHA256
        """
        error_msg = (
            "\n\nIn Directory Server, we offer one hash suitable for this "
            "(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
            "\n\nYour configuration does not use these for password storage "
            "or the root password storage\nscheme.\n"
        )
        returncode, data = run_healthcheck(
            self.master, "ipahealthcheck.ds.config", "ConfigCheck",
        )
        assert returncode == 1
        for check in data:
            if check["kw"]["key"] == "DSCLE0002":
                assert check["result"] == "CRITICAL"
                assert "cn=config" in check["kw"]["items"]
>               assert error_msg in check["kw"]["msg"]
E               assert '\n\nIn Directory Server, we offer one hash suitable for this (PBKDF2_SHA256) and one hash\nfor "legacy" support (SSHA512).\n\nYour configuration does not use these for password storage or the root password storage\nscheme.\n' in 'Password storage schemes in Directory Server define how passwords are hashed via a\none-way mathematical function for storage. Knowing the hash it is difficult to gain\nthe input, but knowing the input you can easily compare the hash.\n\nMany hashes are well known for cryptograhpic verification properties, but are\ndesigned to be *fast* to validate. This is the opposite of what we desire for password\nstorage. In the unlikely event of a disclosure, you want hashes to be *difficult* to\nverify, as this adds a cost of work to an attacker.\n\nIn Directory Server, we offer one hash suitable for this (PBKDF2-SHA512) and one hash\nfor "legacy" support (SSHA512).\n\nYour configuration does not use these for password storage or the root password storage\nscheme.\n'

With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.

Previously the message was:

"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"

but now the message is:

"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"

PBKDF2_SHA256 has been replaced with PBKDF2-SHA512.
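The failure above comes from asserting on the exact wording of a message that 389-ds owns and is free to change. As an added illustration (not freeipa's own code or the fix merged for this ticket), the snippet below checks the same DSCLE0002 result while tolerating both spellings of the strong scheme seen on this ticket (PBKDF2_SHA256 and PBKDF2-SHA512). It assumes the healthcheck JSON shape visible in the test (`result`, `kw.key`, `kw.items`, `kw.msg`) and uses a constructed sample record rather than real ipa-healthcheck output.

```python
import json
import re

# Constructed sample of ipa-healthcheck JSON output (not captured from a real run):
# a single DSCLE0002 result carrying the newer 389-ds 2.3.0 wording.
SAMPLE_OUTPUT = json.dumps([
    {
        "source": "ipahealthcheck.ds.config",
        "check": "ConfigCheck",
        "result": "CRITICAL",
        "kw": {
            "key": "DSCLE0002",
            "items": ["cn=config"],
            "msg": (
                "In Directory Server, we offer one hash suitable for this "
                "(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
                "\n\nYour configuration does not use these for password storage "
                "or the root password storage\nscheme.\n"
            ),
        },
    },
])

# Accept either spelling of the strong scheme: PBKDF2_SHA256 (older 389-ds)
# or PBKDF2-SHA512 (389-ds 2.3.0), so the check keys on the stable parts of
# the message instead of one exact string.
STRONG_SCHEME_RE = re.compile(r"\(PBKDF2[-_]SHA(256|512)\)")
LEGACY_SCHEME_RE = re.compile(r'"legacy" support \(SSHA512\)')
TAIL = "Your configuration does not use these for password storage"


def find_check(data, key):
    """Return the first healthcheck result whose kw.key matches, or None."""
    for check in data:
        if check.get("kw", {}).get("key") == key:
            return check
    return None


def dscle0002_is_critical(raw_json):
    """True when DSCLE0002 is CRITICAL for cn=config and its message names a
    strong PBKDF2 scheme plus the SSHA512 legacy scheme, whichever spelling."""
    check = find_check(json.loads(raw_json), "DSCLE0002")
    if check is None or check["result"] != "CRITICAL":
        return False
    if "cn=config" not in check["kw"]["items"]:
        return False
    msg = check["kw"]["msg"]
    return bool(STRONG_SCHEME_RE.search(msg)
                and LEGACY_SCHEME_RE.search(msg)
                and TAIL in msg)


def strong_scheme_named(raw_json):
    """Return the strong scheme the message recommends, e.g. 'PBKDF2-SHA512'."""
    check = find_check(json.loads(raw_json), "DSCLE0002")
    if check is None:
        return None
    m = STRONG_SCHEME_RE.search(check["kw"]["msg"])
    return m.group(0).strip("()") if m else None


if __name__ == "__main__":
    print(dscle0002_is_critical(SAMPLE_OUTPUT))   # True
    print(strong_scheme_named(SAMPLE_OUTPUT))     # PBKDF2-SHA512
```

Matching on the check key, the severity and the scheme names, rather than on the full paragraph, keeps the test meaningful (it still proves the check fires for a weak root password storage scheme) while surviving harmless rewording in the upstream component.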


Metadata Update from @frenaud:
- Issue assigned to ssidhaye@redhat.com

2 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6450
- Issue tagged with: tests

2 years ago

master:

  • 42f73ea With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.

ipa-4-10:

  • 5477a07 With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

The fix needs to be backported to 4.9

ipa-4-9:

  • e8ef2c2 With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.
