https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207893
Resolves: bug 207893
Bug Description: Adding a pre-hashed password to DS when using Windows Password Synchronization will trigger a loop condition of password updates. The DS will send the hashed password to AD, which thinks it's clear-text. AD stores the password, attempts to bind to DS using the hash (which of course fails), so it sends the hashed password back to DS. This goes round and round.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: This fix first checks if there is a password storage scheme at the beginning of the userpassword attribute value before syncing it. If there is a storage scheme present, a message is logged at the replication logging level that this hashed password is being skipped instead of just trying to sync it. If someone adds a password with the clear prefix on it to DS (such as "{clear}secret"), we will detect that and strip off the "{clear}" prefix before sending it to AD. All other passwords that start with the "{" character and contain the "}" character somewhere else in the password will be considered to be already hashed.
Platforms tested: FC6 & Windows 2003 Server
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=172462&action=diff
--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
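The classification rule the post describes (clear-text value sent as-is, "{clear}" prefix stripped, any other "{SCHEME}..." value treated as already hashed and skipped) as a stand-alone function. This is an added example, not code from the Fedora Directory Server winsync plugin or from the linked patch; the function and enum names are hypothetical, and the case-insensitive comparison of the scheme name is an assumption of this example, not something the post states. The sample values in main() are constructed for illustration.

```c
/* Added example, not 389/Fedora DS code: the userPassword pre-sync check
 * described in the fix, written as an independent helper. Names are
 * hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef enum {
    PW_SEND_CLEAR,    /* no scheme prefix: send the value to AD as-is      */
    PW_SEND_STRIPPED, /* "{clear}secret": send "secret", drop the prefix   */
    PW_SKIP_HASHED    /* "{SSHA}...", "{MD5}...": already hashed, do not
                         send it, or AD will store it and bind with it    */
} pw_action;

/* Decide what winsync should do with one userPassword value.
 * On PW_SEND_*, *to_send points into `value` at the text to send to AD;
 * on PW_SKIP_HASHED it is NULL. */
pw_action winsync_password_action(const char *value, const char **to_send)
{
    const char *close;
    size_t scheme_len;

    *to_send = NULL;
    if (value == NULL) {
        return PW_SKIP_HASHED; /* nothing usable to send */
    }

    /* Rule from the fix: only "{" at the start plus a "}" somewhere
     * after it counts as a storage-scheme prefix. Anything else is a
     * clear-text password and goes out unchanged. */
    if (value[0] != '{' || (close = strchr(value + 1, '}')) == NULL) {
        *to_send = value;
        return PW_SEND_CLEAR;
    }

    scheme_len = (size_t)(close - (value + 1));

    /* "{clear}secret": strip the prefix and send the rest.
     * ASSUMPTION of this example: the scheme name is matched
     * case-insensitively ("{CLEAR}" and "{clear}" behave the same). */
    if (scheme_len == 5 && strncasecmp(value + 1, "clear", 5) == 0) {
        *to_send = close + 1;
        return PW_SEND_STRIPPED;
    }

    /* Every other "{...}..." value is taken to be hashed already.
     * Caveat inherent in the rule: a genuine clear-text password that
     * happens to start with "{" and contain "}" is also skipped. */
    return PW_SKIP_HASHED;
}

/* Test helper: 1 if `value` yields `expected` and, for send actions,
 * the text handed to AD equals `expected_send` (NULL for skip). */
int check_action(const char *value, pw_action expected,
                 const char *expected_send)
{
    const char *sent;
    pw_action got = winsync_password_action(value, &sent);

    if (got != expected) {
        return 0;
    }
    if (expected_send == NULL) {
        return sent == NULL;
    }
    return sent != NULL && strcmp(sent, expected_send) == 0;
}

/* What the caller would log at the replication logging level. */
static const char *action_name(pw_action a)
{
    switch (a) {
    case PW_SEND_CLEAR:    return "send clear-text password";
    case PW_SEND_STRIPPED: return "send password with {clear} prefix stripped";
    default:               return "skip: userPassword is already hashed";
    }
}

int main(void)
{
    /* Constructed sample values, not taken from any real directory. */
    const char *samples[] = {
        "secret",
        "{clear}secret",
        "{CLEAR}secret",
        "{SSHA}4nJ0c3Ryb2tlZCBmb3IgZXhhbXBsZSBvbmx5",
        "{MD5}ZXhhbXBsZQ==",
        "{notclosed",
        "}weird{",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *sent;
        pw_action a = winsync_password_action(samples[i], &sent);
        printf("%-40s -> %s%s%s\n", samples[i], action_name(a),
               sent ? ": " : "", sent ? sent : "");
    }
    return 0;
}
```

The decision is made before anything is sent, so a hashed value never reaches AD and the bind-fail/resync loop described in the bug report cannot start. Note that the heuristic is purely syntactic: it does not verify that the scheme name is one the server actually knows.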