The nightly test test_ipahealthcheck.py::TestIpaHealthCheck::test_ds_configcheck_passwordstorage started failing in rawhide with 389ds update to 2.3.0-1.fc38.
See PR #2026 with the following report:
```
self = <ipatests.test_integration.test_ipahealthcheck.TestIpaHealthCheck object at 0x7fa4cece1110>
modify_pwdstoragescheme = None

    def test_ds_configcheck_passwordstorage(self, modify_pwdstoragescheme):
        """
        This testcase ensures that ConfigCheck reports CRITICAL status
        when nsslapd-rootpwstoragescheme is set to MD5 from the
        required PBKDF2_SHA256
        """
        error_msg = (
            "\n\nIn Directory Server, we offer one hash suitable for this "
            "(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
            "\n\nYour configuration does not use these for password storage "
            "or the root password storage\nscheme.\n"
        )
        returncode, data = run_healthcheck(
            self.master,
            "ipahealthcheck.ds.config",
            "ConfigCheck",
        )
        assert returncode == 1
        for check in data:
            if check["kw"]["key"] == "DSCLE0002":
                assert check["result"] == "CRITICAL"
                assert "cn=config" in check["kw"]["items"]
>               assert error_msg in check["kw"]["msg"]
E               assert '\n\nIn Directory Server, we offer one hash suitable for this (PBKDF2_SHA256) and one hash\nfor "legacy" support (SSHA512).\n\nYour configuration does not use these for password storage or the root password storage\nscheme.\n' in 'Password storage schemes in Directory Server define how passwords are hashed via a\none-way mathematical function for storage. Knowing the hash it is difficult to gain\nthe input, but knowing the input you can easily compare the hash.\n\nMany hashes are well known for cryptograhpic verification properties, but are\ndesigned to be *fast* to validate. This is the opposite of what we desire for password\nstorage. In the unlikely event of a disclosure, you want hashes to be *difficult* to\nverify, as this adds a cost of work to an attacker.\n\nIn Directory Server, we offer one hash suitable for this (PBKDF2-SHA512) and one hash\nfor "legacy" support (SSHA512).\n\nYour configuration does not use these for password storage or the root password storage\nscheme.\n'
```
With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.
Previously the message was:
"\n\nIn Directory Server, we offer one hash suitable for this " "(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)." "\n\nYour configuration does not use these for password storage " "or the root password storage\nscheme.\n"
but now the message is:
"\n\nIn Directory Server, we offer one hash suitable for this " "(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)." "\n\nYour configuration does not use these for password storage " "or the root password storage\nscheme.\n"
PBKDF2_SHA256 has been replaced with PBKDF2-SHA512
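The failure above comes from hard-coding the full lib389 message in the test. As an added example (not code from the FreeIPA project or from this ticket's fix), the check below reads a healthcheck report in the JSON shape the failing test consumes, verifies the DSCLE0002 finding is CRITICAL for cn=config, and matches the message with a pattern that accepts both the old PBKDF2_SHA256 and the new PBKDF2-SHA512 wording. The report is a hand-built fixture constructed from the message text quoted in the report, and the assumption that only the scheme name changed between the two 389-ds versions is taken from the comparison above.

```python
import json
import re

# Constructed fixture, not real ipa-healthcheck output: one finding from the
# ipahealthcheck.ds.config ConfigCheck source, with the fields (result,
# kw.key, kw.items, kw.msg) that the failing test reads. The message text is
# the post-2.3.0 lib389 wording quoted in the ticket.
SAMPLE_REPORT = json.dumps([
    {
        "source": "ipahealthcheck.ds.config",
        "check": "ConfigCheck",
        "result": "CRITICAL",
        "kw": {
            "key": "DSCLE0002",
            "items": ["cn=config"],
            "msg": (
                "Password storage schemes in Directory Server define how "
                "passwords are hashed via a\none-way mathematical function "
                "for storage.\n\nIn Directory Server, we offer one hash "
                "suitable for this (PBKDF2-SHA512) and one hash\nfor "
                "\"legacy\" support (SSHA512).\n\nYour configuration does "
                "not use these for password storage or the root password "
                "storage\nscheme.\n"
            ),
        },
    }
])

# Assumption: the only difference between the 389-ds 2.2 and 2.3 messages is
# the recommended scheme name (PBKDF2_SHA256 vs PBKDF2-SHA512), so the pattern
# pins the surrounding sentence and lets the scheme token vary.
RECOMMENDED_SCHEME_RE = re.compile(
    r"we offer one hash suitable for this \((PBKDF2[_-]SHA(?:256|512))\) "
    r"and one hash\nfor \"legacy\" support \(SSHA512\)\."
)


def check_pwstorage_critical(report_json):
    """Validate the DSCLE0002 finding in a healthcheck JSON report.

    Returns the recommended scheme name the message advertises, and raises
    AssertionError if cn=config is not flagged CRITICAL for its password
    storage scheme or the message does not name a recommended scheme.
    """
    data = json.loads(report_json)
    findings = [c for c in data if c.get("kw", {}).get("key") == "DSCLE0002"]
    assert findings, "no DSCLE0002 finding in report"
    for check in findings:
        assert check["result"] == "CRITICAL", check["result"]
        assert "cn=config" in check["kw"]["items"], check["kw"]["items"]
        match = RECOMMENDED_SCHEME_RE.search(check["kw"]["msg"])
        assert match, "DSCLE0002 message does not name the recommended scheme"
        return match.group(1)


if __name__ == "__main__":
    # Same check against the new wording and the pre-2.3.0 wording.
    print(check_pwstorage_critical(SAMPLE_REPORT))
    old = SAMPLE_REPORT.replace("PBKDF2-SHA512", "PBKDF2_SHA256")
    print(check_pwstorage_critical(old))
```

Matching the sentence that carries the recommendation rather than the whole paragraph keeps the test sensitive to the finding it actually cares about (the server is not using a slow hash for password storage) while tolerating cosmetic changes to the advisory text.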
Metadata Update from @frenaud: - Issue assigned to ssidhaye@redhat.com
Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6450
- Issue tagged with: tests
master:
ipa-4-10:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
The fix needs to be backported to 4.9
Backport PR: https://github.com/freeipa/freeipa/pull/6657
ipa-4-9: