From: Mark Reynolds <mreynolds@xxxxxxxxxx>
Sent: Friday, September 3, 2021 9:49 AM
To: General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Michael Starling <mlstarling31@xxxxxxxxxxx>
Subject: Re: [389-users] update_pw_encoding messages
On 9/3/21 9:43 AM, Michael Starling wrote:
I see these errors in my logs for some accounts on my consumers with chaining enabled.
- WARN - update_pw_encoding - Could not read password attribute on 'uid=someuser,ou=people,dc=domain,dc=lott'
This means the user does not have a userpassword attribute in its entry. Can you confirm, on the consumer, if that entry has this attribute?
Hi Mark.
Yes, the attribute and storage scheme is the same on all masters/consumers and hubs.
I only started to see this after enabling chaining of password policy attributes.
Are these spurious messages or something that needs to be addressed?
I came across this:
upgrade-hash is set to "on" on all servers.
What is this code doing?
It's checking if you are using an outdated password storage scheme, and if it is then it re-encodes the password in a more secure algorithm.
Mark
int32_t update_pw_encoding(Slapi_PBlock *orig_pb, Slapi_Entry *e, Slapi_DN *sdn, char *cleartextpassword) {
char *dn = (char *)slapi_sdn_get_ndn(sdn);
Slapi_Attr *pw = NULL;
Slapi_Value **password_values = NULL;
passwdPolicy *pwpolicy = NULL;
struct pw_scheme *curpwsp = NULL;
Slapi_Mods smods;
char *hashed_val = NULL;
Slapi_PBlock *pb = NULL;
int32_t res = 0;
slapi_mods_init(&smods, 0);
/*
* Does the entry have a pw?
*/
if (e == NULL || slapi_entry_attr_find(e, SLAPI_USERPWD_ATTR, &pw) != 0 || pw == NULL) {
slapi_log_err(SLAPI_LOG_WARNING,
"update_pw_encoding", "Could not read password attribute on '%s'\n",
dn);
res = -1;
goto free_and_return;
}
Mike
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
|
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure