passwordHistory is not updated with a pre-hashed password #6092

jchapma · 2024-02-14T16:24:54Z

Issue Description
passwordHistory is not updated by with a pre-hashed password

Package Version and Platform:

Package and version: 389-ds-base-1.4.3.37-7.module+el8dsrv+20631+5a3df0a9.x86_64

Steps to Reproduce

Enable pwdhistory and nsslapd-allow-hashed-passwords

sudo dsconf -D cn=dm  -b "dc=example,dc=com" -w password inst01 pwpolicy set --pwdhistory on
sudo dsconf -D cn=dm  -b "dc=example,dc=com" -w password inst01 config replace nsslapd-allow-hashed-passwords=on

Create aci to allow users change their password

ldapmodify -x -D cn=dm -H ldap://localhost:389 -w password  << 'EOF'
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userpassword || passwordHistory")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)
EOF

Create hashed password

pwdhash -s PBKDF2_SHA256 supersecretpassword

Update a users password as regular user

ldapmodify -D uid=test_user,ou=people,dc=example,dc=com -H ldap://localhost:389 -w password << 'EOF'
dn: uid=jamie,ou=people,dc=example,dc=com
changetype: modify
replace: userpassword
userpassword: {PBKDF2_SHA256}AAAgADbVmRsA75ralHYSVQ9gE5ZrYifmIztk+8as2HHUPbbNP2kZtT+rXFHVUJ3d3X3uVezNoYQ88Hjj2IXqopu0trckhUg1tspv2+di0I1wGmytJGpLn+/t4GdtHp/FrI/vDZLMKxnc6PlJVkKdHZa3H1ny1dsMlo0gf4y9Mm3hPfM8Mfbf6QH2V/03gCFzjmhJB85xKJpidwGt5CMb0kQ33FtCgrZLKQBQB4K6sQa4WyRevwxZ1u0/FTSTuGjVWUIsP7QE602a9fJtBGW1dXhn92aUP8mRmx+RBOdik+mHvTwa+RTqc8S9PEy5KwCCn3dAJiIkso9EiwI2Mt+it391IxDD3ndK7H9LlwIMqVR3AgVBMKDdH6ibE1oDAsEd5X68fve5FcJtAQJ46dlltHaH3IdmfYqIP+U36UMbX15grifj
EOF

Display users password history

ldapsearch -D "cn=dm"  -H ldap://localhost:389 -w password -b "uid=jamie,ou=people,dc=example,dc=com" passwordHistory

Actual results
No password history for user

Expected results
Password change history for user

The text was updated successfully, but these errors were encountered:

Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected, both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to uddate the password history. Relates: 389ds#6092 Reviewed by:

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

@tbordaz

#6093) Bug description: passwordHistory is not updated by with a pre-hashed password Fix description: During a mod replace of the userpassword attribute, if an encoded password value is detected and both pw_history and allow_hashed_pw are enabled, get the present entry values which are used to update the password history. Relates: #6092 Reviewed by: @tbordaz (Thank you)

jchapma · 2024-04-05T16:41:45Z

ca37886..05ea982 389-ds-base-3.0 -> 389-ds-base-3.0
3f74a66..5c2fef2 389-ds-base-2.5 -> 389-ds-base-2.5
6586fbe..f08f008 389-ds-base-2.4 -> 389-ds-base-2.4
93d456d..04254a0 389-ds-base-2.3 -> 389-ds-base-2.3
8ec7279..9366edd 389-ds-base-2.2 -> 389-ds-base-2.2
c8407c1..e78e793 389-ds-base-2.1 -> 389-ds-base-2.1
0c496fe..635fdda 389-ds-base-2.0 -> 389-ds-base-2.0
eccd7a3..ab2e232 389-ds-base-1.4.4 -> 389-ds-base-1.4.4
afcae91..ce4a554 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

jchapma added the needs triage The issue will be triaged during scrum label Feb 14, 2024

jchapma mentioned this issue Feb 14, 2024

Issue 6092 - passwordHistory is not updated with a pre-hashed password #6093

Merged

vashirov closed this as completed Oct 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

passwordHistory is not updated with a pre-hashed password #6092

passwordHistory is not updated with a pre-hashed password #6092

jchapma commented Feb 14, 2024

jchapma commented Apr 5, 2024

passwordHistory is not updated with a pre-hashed password #6092

passwordHistory is not updated with a pre-hashed password #6092

Comments

jchapma commented Feb 14, 2024

jchapma commented Apr 5, 2024