> On 30 Nov 2019, at 03:50, Mark Reynolds <mreynolds@xxxxxxxxxx> wrote:
>
>
> On 11/29/19 10:27 AM, Francesc Guasch wrote:
>> Hello.
>>
>> After upgrade to 389 release 1.4 I experienced an odd behaviour.
>>
>> If I add a new user, then I bind with that user. The userPassword
>> attribute gets changed to {PBKDF2_SHA256}.
>>
>> These are the steps I follow to reproduce it:
>>
>> 1- add a new entry with MD5 password, it is like this: {MD5}N7...
>> 2- connect to LDAP and bind with the user just created
>> 3- connect with admin and retrieve the password, it is {PBKDF2_SHA256}
> This is the expected behavior. We now automatically upgrade password storage schemes to PBKDF2 in 1.4.2 - which is the strongest hashing algorithm we offer. MD5 is not considered secure anymore. You can disable this "hash upgrade" feature by setting: nsslapd-enable-upgrade-hash to "off" under cn=config
To echo what Mark has said here, MD5 today should be considered as equivalent to "cleartext" storage. Generally any storage scheme less than SSHA512 should not be used for a variety of security and compliance reasons.
If you are using MD5 for one of the SASL MD5 mechanisms, these are also considered insecure, and you should opt for LDAPS (TLS) with simple bind or SASL-PLAIN instead.
>>
>> I may have been doing something wrong but my code worked on previous
>> releases of 389-ds.
>>
>> I extracted code from my project to build a full test on it. I uploaded
>> it to gist:
>>
>> https://gist.github.com/frankiejol/9e099ba828c8cbdff361783c177643da
>>
>> This is 1.4.1.6-4. So I have seen there is 1.4.2 release but
>> I haven't been able to build it. It gets stuck on make lib389
>>
>> ModuleNotFoundError: No module named 'packaging'
>> make: *** [Makefile:14474: lib389] Error 1
>
> Install "python3-packaging" which is a requirement in our specfile, but in master branch we should have changed things to now use python3-distro (instead of python3-packaging). So I'm not sure how your are building the server, but I would suggest following this doc:
>
> http://www.port389.org/docs/389ds/development/building.html
>
> HTH,
>
> Mark
>
>
>> Anyway, it looks like a bug or maybe a configuration issue ?
>>
>> thank you for your time
>> _______________________________________________
>> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> --
>
> 389 Directory Server Development Team
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
