Re: userPassword changed to PBKDF2_SHA256 after bind

On 11/29/19 10:27 AM, Francesc Guasch wrote:
Hello.

After upgrade to 389 release 1.4 I experienced an odd behaviour.

If I add a new user, then I bind with that user. The userPassword
attribute gets changed to {PBKDF2_SHA256}.

These are the steps I follow to reproduce it:

1- add a new entry with MD5 password, it is like this: {MD5}N7...
2- connect to LDAP and bind with the user just created
3- connect with admin and retrieve the password, it is {PBKDF2_SHA256}

This is the expected behavior. We now automatically upgrade password storage schemes to PBKDF2 in 1.4.2 - which is the strongest hashing algorithm we offer. MD5 is not considered secure anymore. You can disable this "hash upgrade" feature by setting: nsslapd-enable-upgrade-hash to "off" under cn=config.

I may have been doing something wrong but my code worked on previous
releases of 389-ds.

I extracted code from my project to build a full test on it. I uploaded
it to gist:

https://gist.github.com/frankiejol/9e099ba828c8cbdff361783c177643da

This is 1.4.1.6-4. So I have seen there is 1.4.2 release but
I haven't been able to build it. It gets stuck on make lib389

ModuleNotFoundError: No module named 'packaging'
make: *** [Makefile:14474: lib389] Error 1

Install "python3-packaging" which is a requirement in our specfile, but in master branch we should have changed things to now use python3-distro (instead of python3-packaging). So I'm not sure how you are building the server, but I would suggest following this doc:

http://www.port389.org/docs/389ds/development/building.html

HTH,

Mark


Anyway, it looks like a bug or maybe a configuration issue?

thank you for your time
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

--

389 Directory Server Development Team
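
The upgrade-on-bind behaviour described in the reply above, as an added Python sketch (not 389-ds code and not part of the original thread): a successful bind is the only moment the server holds the cleartext password, so that is when an {MD5} value can be rehashed. The function names, the `upgrade_hash` flag (standing in for nsslapd-enable-upgrade-hash), the PBKDF2 encoding and the iteration count are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

TARGET = "PBKDF2_SHA256"  # scheme named in the thread
ITERATIONS = 100_000      # assumption: illustrative work factor


def md5_hash(password):
    """{MD5} value: base64 of the raw, unsalted MD5 digest."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Illustrative 'iterations$salt$digest' layout, not the server's format."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return "{%s}%d$%s$%s" % (TARGET, iterations, b64(salt), b64(dk))


def verify(stored, password):
    """Recompute the hash under the stored scheme and compare in constant time."""
    scheme, _, body = stored[1:].partition("}")
    if scheme == "MD5":
        return hmac.compare_digest(stored, md5_hash(password))
    if scheme == TARGET:
        try:
            iters, salt_b64, _ = body.split("$")
            expected = pbkdf2_hash(password, base64.b64decode(salt_b64), int(iters))
        except ValueError:
            return False  # malformed stored value
        return hmac.compare_digest(stored, expected)
    return False  # unknown scheme: refuse the bind


def bind(directory, dn, password, upgrade_hash=True):
    """Simple bind; on success, rewrite a non-target hash if upgrades are on."""
    stored = directory.get(dn)
    if stored is None or not verify(stored, password):
        return False  # a failed bind never touches the stored value
    if upgrade_hash and not stored.startswith("{" + TARGET + "}"):
        directory[dn] = pbkdf2_hash(password)  # cleartext is available only here
    return True
```

An application that reads userPassword back and compares it to a hash it computed itself will stop matching after the first successful bind, which is the symptom reported in the thread.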



