Issue 5356 - Make Rust non-optional and update default password storage

scheme

Description:

We need a stronger default storage scheme which comes from our Rust
plugins, but to do this  Rust needs to be non-optional.  It will be
a requirement moving forward.

relates: 389ds#5356

Reviewed by: firstyear, vashirov, and spichugi (Thanks!!!)

Makefile.am

@@ -56,9 +56,6 @@ SYSTEMTAP_DEFINES = @systemtap_defs@
 NSPR_INCLUDES = $(NSPR_CFLAGS)
 
 # Rust inclusions.
-if RUST_ENABLE
-# Rust enabled
-RUST_ON = 1
 CARGO_FLAGS = @cargo_defs@
 
 if CLANG_ENABLE
@@ -77,14 +74,6 @@ RUST_OFFLINE = --locked --offline
 else
 RUST_OFFLINE =
 endif
-else
-# Rust disabled
-RUST_ON = 0
-CARGO_FLAGS =
-RUSTC_FLAGS =
-RUST_LDFLAGS =
-RUST_DEFINES =
-endif
 
 if CLANG_ENABLE
 CLANG_ON = 1
@@ -250,13 +239,9 @@ SLAPD_LDFLAGS = -version-info 1:0:1
 #------------------------
 # Generated Sources
 #------------------------
-BUILT_SOURCES = dberrstrs.h \
+BUILT_SOURCES = dberrstrs.h rust-slapi-private.h rust-nsslapd-private.h \
 	$(POLICY_FC)
 
-if RUST_ENABLE
-BUILT_SOURCES += rust-slapi-private.h rust-nsslapd-private.h
-endif
-
 if enable_posix_winsync
 LIBPOSIX_WINSYNC_PLUGIN = libposix-winsync-plugin.la
 endif
@@ -270,20 +255,14 @@ CLEANFILES =  dberrstrs.h ns-slapd.properties \
 	ldap/ldif/template-ldapi.ldif ldap/ldif/template-locality.ldif ldap/ldif/template-org.ldif \
 	ldap/ldif/template-orgunit.ldif ldap/ldif/template-pampta.ldif ldap/ldif/template-sasl.ldif \
 	ldap/ldif/template-state.ldif ldap/ldif/template-suffix-db.ldif \
-	doxyfile.stamp \
+	doxyfile.stamp rust-slapi-private.h\
 	$(NULL)
 
-if RUST_ENABLE
-CLEANFILES += rust-slapi-private.h
-endif
-
 clean-local:
 	-rm -rf dist
 	-rm -rf $(abs_top_builddir)/html
 	-rm -rf $(abs_top_builddir)/man/man3
-if RUST_ENABLE
 	-rm -rf $(abs_top_builddir)/rs
-endif
 
 dberrstrs.h: Makefile $(srcdir)/ldap/servers/slapd/mkDBErrStrs.py  $(srcdir)/ldap/servers/slapd/back-ldbm/dbimpl.h
 	$(srcdir)/ldap/servers/slapd/mkDBErrStrs.py -i $(srcdir)/ldap/servers/slapd/back-ldbm -o .
@@ -382,13 +361,8 @@ serverplugin_LTLIBRARIES = libacl-plugin.la \
 	libacctusability-plugin.la librootdn-access-plugin.la \
 	libwhoami-plugin.la $(LIBACCTPOLICY_PLUGIN) \
 	$(LIBPAM_PASSTHRU_PLUGIN) $(LIBDNA_PLUGIN) \
-	$(LIBBITWISE_PLUGIN) $(LIBPRESENCE_PLUGIN) $(LIBPOSIX_WINSYNC_PLUGIN)
-
-if RUST_ENABLE
-serverplugin_LTLIBRARIES += libentryuuid-plugin.la libentryuuid-syntax-plugin.la \
-	libpwdchan-plugin.la
-endif
-
+	$(LIBBITWISE_PLUGIN) $(LIBPRESENCE_PLUGIN) $(LIBPOSIX_WINSYNC_PLUGIN) \
+	libentryuuid-plugin.la libentryuuid-syntax-plugin.la libpwdchan-plugin.la
 
 noinst_LIBRARIES = libavl.a
 
@@ -683,12 +657,9 @@ systemschema_DATA = $(srcdir)/ldap/schema/00core.ldif \
 	$(srcdir)/ldap/schema/60sudo.ldif \
 	$(srcdir)/ldap/schema/60trust.ldif \
 	$(srcdir)/ldap/schema/60nss-ldap.ldif \
+	$(srcdir)/ldap/schema/03entryuuid.ldif \
 	$(LIBACCTPOLICY_SCHEMA)
 
-if RUST_ENABLE
-systemschema_DATA += $(srcdir)/ldap/schema/03entryuuid.ldif
-endif
-
 schema_DATA = $(srcdir)/ldap/schema/99user.ldif
 
 libexec_SCRIPTS =
@@ -846,8 +817,6 @@ libsvrcore_la_LDFLAGS = $(AM_LDFLAGS)
 libsvrcore_la_CPPFLAGS = $(AM_CPPFLAGS) $(SVRCORE_INCLUDES) $(DSPLUGIN_CPPFLAGS)
 libsvrcore_la_LIBADD = $(NSS_LINK) $(NSPR_LINK)
 
-if RUST_ENABLE
-
 noinst_LTLIBRARIES = librslapd.la librnsslapd.la libentryuuid.la libentryuuid_syntax.la \
 	libpwdchan.la
 
@@ -1034,9 +1003,6 @@ check-local:
 endif
 endif
 
-# End if RUST_ENABLE
-endif
-
 #------------------------
 # libns-dshttpd
 #------------------------
@@ -1200,7 +1166,7 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \
 	$(libavl_a_SOURCES)
 
 libslapd_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_CFLAGS) $(DB_INC) $(KERBEROS_CFLAGS) $(PCRE_CFLAGS) $(SVRCORE_INCLUDES)
-libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LIBS) $(PCRE_LIBS) $(THREADLIB) $(SYSTEMD_LIBS) libsvrcore.la
+libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LIBS) $(PCRE_LIBS) $(THREADLIB) $(SYSTEMD_LIBS) libsvrcore.la $(RSLAPD_LIB)
 # If asan is enabled, it creates special libcrypt interceptors. However, they are
 # detected by the first load of libasan at runtime, and what is in the linked lib
 # so we need libcrypt to be present as soon as libasan is loaded for the interceptors
@@ -1209,14 +1175,7 @@ libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(KER
 if enable_asan
 libslapd_la_LIBADD += $(LIBCRYPT)
 endif
-libslapd_la_LDFLAGS = $(AM_LDFLAGS) $(SLAPD_LDFLAGS)
-
-if RUST_ENABLE
-libslapd_la_LIBADD += $(RSLAPD_LIB)
-libslapd_la_LDFLAGS += -lssl -lcrypto
-endif
-
-
+libslapd_la_LDFLAGS = $(AM_LDFLAGS) $(SLAPD_LDFLAGS) -lssl -lcrypto
 
 #////////////////////////////////////////////////////////////////
 #
@@ -1481,7 +1440,6 @@ libderef_plugin_la_LIBADD = libslapd.la $(LDAPSDK_LINK) $(NSPR_LINK)
 libderef_plugin_la_DEPENDENCIES = libslapd.la
 libderef_plugin_la_LDFLAGS = -avoid-version
 
-if RUST_ENABLE
 #------------------------
 # libentryuuid-syntax-plugin
 #-----------------------
@@ -1505,7 +1463,6 @@ libpwdchan_plugin_la_SOURCES = src/slapi_r_plugin/src/init.c
 libpwdchan_plugin_la_LIBADD = libslapd.la $(LDAPSDK_LINK) $(NSPR_LINK) -lpwdchan
 libpwdchan_plugin_la_DEPENDENCIES = libslapd.la $(PWDCHAN_LIB)
 libpwdchan_plugin_la_LDFLAGS = -avoid-version
-endif
 
 #------------------------
 # libpbe-plugin
@@ -1910,23 +1867,13 @@ ns_slapd_SOURCES = ldap/servers/slapd/abandon.c \
 
 ns_slapd_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_CFLAGS) $(SVRCORE_INCLUDES) $(CFI_CFLAGS)
 # We need our libraries to come first, then our externals libraries second.
-ns_slapd_LDADD = libslapd.la libldaputil.la libsvrcore.la
-if RUST_ENABLE
-ns_slapd_LDADD += $(RNSSLAPD_LIB)
-endif
-ns_slapd_LDADD += $(LDAPSDK_LINK) $(NSS_LINK) $(LIBADD_DL) \
+ns_slapd_LDADD = libslapd.la libldaputil.la libsvrcore.la $(RNSSLAPD_LIB)
+
+ns_slapd_LDADD += $(LDAPSDK_LINK) $(NSS_LINK) $(LIBADD_DL) -lssl -lcrypto \
        $(NSPR_LINK) $(SASL_LINK) $(LIBNSL) $(LIBSOCKET) $(THREADLIB) $(SYSTEMD_LIBS) $(EVENT_LINK)
-if RUST_ENABLE
-ns_slapd_LDADD += -lssl -lcrypto
-endif
+
 ns_slapd_DEPENDENCIES = libslapd.la libldaputil.la
-# We need to link ns-slapd with the C++ compiler on HP-UX since we load
-# some C++ shared libraries (such as icu).
-if HPUX
-ns_slapd_LINK = $(CXXLINK)
-else
 ns_slapd_LINK = $(LINK)
-endif
 
 
 #------------------------
@@ -2023,7 +1970,6 @@ fixupcmd = sed \
 	-e 's,@enable_tsan\@,$(TSAN_ON),g' \
 	-e 's,@enable_ubsan\@,$(UBSAN_ON),g' \
 	-e 's,@SANITIZER\@,$(SANITIZER),g' \
-	-e 's,@enable_rust\@,@enable_rust@,g' \
 	-e 's,@ECHO_N\@,$(ECHO_N),g' \
 	-e 's,@ECHO_C\@,$(ECHO_C),g' \
 	-e 's,@brand\@,$(brand),g' \

configure.ac

@@ -95,12 +95,7 @@ AS_IF([test "$enable_rust_offline" = yes],
     [rust_vendor_sources="replace-with = \"vendored-sources\""],
     [rust_vendor_sources=""])
 AC_SUBST([rust_vendor_sources])
-
-AC_MSG_CHECKING(for --enable-rust)
-AC_ARG_ENABLE(rust, AS_HELP_STRING([--enable-rust], [Enable rust language features (default: no)]),
-              [], [ enable_rust=no ])
-AC_MSG_RESULT($enable_rust)
-if test "$enable_rust" = yes -o "$enable_rust_offline" = yes; then
+if test "$enable_rust_offline" = yes; then
     AC_CHECK_PROG(CARGO, [cargo], [yes], [no])
     AC_CHECK_PROG(RUSTC, [rustc], [yes], [no])
     # Since fernet uses the openssl lib.
@@ -110,8 +105,6 @@ if test "$enable_rust" = yes -o "$enable_rust_offline" = yes; then
       AC_MSG_FAILURE("Rust based plugins cannot be built cargo=$CARGO rustc=$RUSTC")
     ])
 fi
-AC_SUBST([enable_rust])
-AM_CONDITIONAL([RUST_ENABLE],[test "$enable_rust" = yes -o "$enable_rust_offline" = yes])
 
 # Optional cockpit support (enabled by default)
 AC_MSG_CHECKING(for --enable-cockpit)

dirsrvtests/tests/suites/healthcheck/health_security_test.py

@@ -78,7 +78,7 @@ def test_healthcheck_insecure_pwd_hash_configured(topology_st):
         2. Configure an insecure passwordStorageScheme (as SHA) for the instance
         3. Use HealthCheck without --json option
         4. Use HealthCheck with --json option
-        5. Set passwordStorageScheme and nsslapd-rootpwstoragescheme to PBKDF2_SHA256
+        5. Set passwordStorageScheme and nsslapd-rootpwstoragescheme to PBKDF2_SHA512
         6. Use HealthCheck without --json option
         7. Use HealthCheck with --json option
     :expectedresults:
@@ -106,9 +106,9 @@ def test_healthcheck_insecure_pwd_hash_configured(topology_st):
         standalone.config.set('passwordStorageScheme', 'SSHA512')
         standalone.config.set('nsslapd-rootpwstoragescheme', 'SSHA512')
     else:
-        log.info('Set passwordStorageScheme and nsslapd-rootpwstoragescheme to PBKDF2_SHA256')
-        standalone.config.set('passwordStorageScheme', 'PBKDF2_SHA256')
-        standalone.config.set('nsslapd-rootpwstoragescheme', 'PBKDF2_SHA256')
+        log.info('Set passwordStorageScheme and nsslapd-rootpwstoragescheme to PBKDF2-SHA512')
+        standalone.config.set('passwordStorageScheme', 'PBKDF2-SHA512')
+        standalone.config.set('nsslapd-rootpwstoragescheme', 'PBKDF2-SHA512')
 
     run_healthcheck_and_flush_log(topology_st, standalone, json=False, searched_code=CMD_OUTPUT)
     run_healthcheck_and_flush_log(topology_st, standalone, json=True, searched_code=JSON_OUTPUT)

dirsrvtests/tests/suites/password/pwp_test.py

@@ -27,7 +27,7 @@
     if is_fips():
         DEFAULT_PASSWORD_STORAGE_SCHEME = 'SSHA512'
     else:
-        DEFAULT_PASSWORD_STORAGE_SCHEME = 'PBKDF2_SHA256'
+        DEFAULT_PASSWORD_STORAGE_SCHEME = 'PBKDF2-SHA512'
 
 
 def _create_user(topo, uid, cn, uidNumber, userpassword):

ldap/servers/slapd/config.c

@@ -40,16 +40,15 @@ char *rel2abspath(char *);
  * see fedse.c instead!
  */
 static char *bootstrap_plugins[] = {
-    "dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config\n"
+    "dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config\n"
     "objectclass: top\n"
     "objectclass: nsSlapdPlugin\n"
-    "cn: PBKDF2_SHA256\n"
-    "nsslapd-pluginpath: libpwdstorage-plugin\n"
-    "nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init\n"
+    "cn: PBKDF2-SHA512\n"
+    "nsslapd-pluginpath: libpwdchan-plugin\n"
+    "nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init\n"
     "nsslapd-plugintype: pwdstoragescheme\n"
-    "nsslapd-pluginenabled: on",
+    "nsslapd-pluginenabled: on\n",
 
-#ifdef RUST_ENABLE
     "dn: cn=entryuuid_syntax,cn=plugins,cn=config\n"
     "objectclass: top\n"
     "objectclass: nsSlapdPlugin\n"
@@ -62,7 +61,6 @@ static char *bootstrap_plugins[] = {
     "nsslapd-pluginVersion: none\n"
     "nsslapd-pluginVendor: 389 Project\n"
     "nsslapd-pluginDescription: entryuuid_syntax\n",
-#endif
 
     NULL
 };