By default, do not manage unhashed password #2848
Comments
Comment from mreynolds (@mreynolds389) at 2018-07-18 18:04:52 Backing out fix as this breaks FreeIPA:
a9fa210..172c60a master -> master
ecd826b..a47ea3a 389-ds-base-1.3.8 -> 389-ds-base-1.3.8
It's okay to leave this in 1.3.7
Comment from rcritten (@rcritten) at 2018-10-09 19:56:54 Can we revisit this? I forget how it broke IPA.
Comment from tbordaz (@tbordaz) at 2018-10-10 09:58:15 @rcritten, there are two FreeIPA requirements regarding unhashed password. ipa-pwd-extop needs the unhashed password, so it needs to enable it, BUT it looks acceptable to not log the password in the changelogs (i.e. 'nsslapd-unhashed-pw-switch: nolog'). With winsync, the unhashed password needs to be logged on all replicas (IIRC). It can be configured to log it ('nsslapd-unhashed-pw-switch: on') but the impact of the default behavior being 'off' needs evaluation.
Comment from firstyear (@Firstyear) at 2019-04-16 04:09:34 Why not default this to off for 389-ds, and then IPA can enable the setting back to on in its install process ... Seems like a pretty easy change IMO.
Comment from tbordaz (@tbordaz) at 2019-04-16 08:57:56 @Firstyear, you are right it is a pretty easy change but it needs to be synced with FreeIPA, which relies on managing/logging unhashed password. It was pushed/backed out because of this need to sync with FreeIPA.
Comment from firstyear (@Firstyear) at 2019-04-16 09:19:51 Is there a freeipa pagure issue id so we can follow that here? Thanks for the information :)
Comment from tbordaz (@tbordaz) at 2019-04-16 09:38:48 Sure, this is https://pagure.io/freeipa/issue/4812.
Comment from firstyear (@Firstyear) at 2019-04-17 02:35:55 Great, thank you!
Comment from tbordaz (@tbordaz) at 2019-05-28 17:51:48 https://pagure.io/freeipa/issue/4812 was pushed upstream.
Comment from tbordaz (@tbordaz) at 2019-07-15 18:01:14 https://bugzilla.redhat.com/show_bug.cgi?id=1639644 --> ON_QA. Fedora is still in POST (ON_QA for 8.1) so we are still waiting to push this fix upstream
Comment from abbra at 2019-07-15 18:09:59 I closed fedora bug because everything was pushed already on July 3rd with FreeIPA 4.8.0.
Comment from tbordaz (@tbordaz) at 2019-07-16 15:40:47 align milestone to release https://bugzilla.redhat.com/show_bug.cgi?id=1639644 -> 1.4.1
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/49789
Issue Description
By default nsslapd-unhashed-pw-switch is set to 'on'. So a copy of the unhashed password is kept in modifiers and is possibly logged in changelog and retroCL.
Unless it is used by some plugin, it is not required to keep the unhashed password.
nsslapd-unhashed-pw-switch should be 'off' by default
Package Version and Platform
1.3.1 and later
Steps to reproduce
Actual results
contains unhashed#user#password (db file)
Expected results
should not contain if it is not required
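An added example (not part of the issue or of the 389-ds-base code) for checking a server against what the issue describes: it reads the switch from a cn=config LDIF and lists the entries in an LDIF export that name unhashed#user#password. It assumes the setting lives in the cn=config entry and that the changelog or retroCL has been exported to LDIF; the function names and the sample data are constructed.

```python
import base64

SWITCH_ATTR = "nsslapd-unhashed-pw-switch"
UNHASHED_ATTR = "unhashed#user#password"

def parse_ldif(text):
    """Parse LDIF into dicts of lowercased attribute -> values (unfolds lines, decodes '::' base64)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of a folded line
        else:
            logical.append(raw)
    entries, entry = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
        elif not line.startswith("#"):      # skip LDIF comment lines
            name, _, rest = line.partition(":")
            if rest.startswith(":"):        # '::' marks a base64-encoded value
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(rest.strip())
    return entries

def switch_value(config_ldif, default="on"):
    """Effective switch value; 'default' is what an unset attribute means on your version (assumption)."""
    for e in parse_ldif(config_ldif):
        if e.get("dn", [""])[0].lower() == "cn=config" and SWITCH_ATTR in e:
            return e[SWITCH_ATTR][0].lower()
    return default

def entries_logging_unhashed(export_ldif):
    """DNs of entries naming the attribute, directly or inside a value such as retroCL 'changes'."""
    hits = []
    for e in parse_ldif(export_ldif):
        named = any(UNHASHED_ATTR in v.lower() for vals in e.values() for v in vals)
        if UNHASHED_ATTR in e or named:
            hits.append(e.get("dn", ["<no dn>"])[0])   # report the DN only, never the value
    return hits

# Constructed sample data, not taken from a real server.
_MODS = ("replace: userPassword\nuserPassword: {SSHA}constructed\n-\n"
         "replace: unhashed#user#password\nunhashed#user#password: constructed-cleartext\n-\n")
SAMPLE_CONFIG = "dn: cn=config\nnsslapd-unhashed-pw-switch: on\n"
SAMPLE_RETROCL = ("dn: changenumber=1,cn=changelog\nchanges:: "
                  + base64.b64encode(_MODS.encode()).decode() + "\n\n"
                  "dn: changenumber=2,cn=changelog\nchanges: replace: description\n")
```

Pass `default="off"` to `switch_value` on a version where the changed default from this issue is in place.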