From dc4130da52cae8aea54c0a664429550344ec94b4 Mon Sep 17 00:00:00 2001
|
|
From: Mark Reynolds <mreynolds@redhat.com>
|
|
Date: Wed, 5 Jul 2023 13:52:50 -0400
|
|
Subject: [PATCH] Issue 5825 - healthcheck - password storage scheme warning
|
|
needs more info
|
|
|
|
Description: Add the current/insecure scheme to the report, and state which
|
|
config setting is insecure.
|
|
|
|
relates: https://github.com/389ds/389-ds-base/issues/5825
|
|
|
|
Reviewed by: jchapman & spichugi(Thanks!!)
|
|
---
|
|
src/lib389/lib389/config.py | 13 ++++++++++++-
|
|
src/lib389/lib389/lint.py | 10 +++-------
|
|
2 files changed, 15 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py
|
|
index b1a474ebed..81bf8ec667 100644
|
|
--- a/src/lib389/lib389/config.py
|
|
+++ b/src/lib389/lib389/config.py
|
|
@@ -214,9 +214,20 @@ def _lint_passwordscheme(self):
|
|
allowed_schemes = ['PBKDF2-SHA512', 'PBKDF2_SHA256', 'PBKDF2_SHA512', 'GOST_YESCRYPT']
|
|
u_password_scheme = self.get_attr_val_utf8('passwordStorageScheme')
|
|
u_root_scheme = self.get_attr_val_utf8('nsslapd-rootpwstoragescheme')
|
|
- if u_root_scheme not in allowed_schemes or u_password_scheme not in allowed_schemes:
|
|
+ if u_root_scheme not in allowed_schemes:
|
|
report = copy.deepcopy(DSCLE0002)
|
|
+ report['detail'] = report['detail'].replace('SCHEME', u_root_scheme)
|
|
+ report['detail'] = report['detail'].replace('CONFIG', 'nsslapd-rootpwstoragescheme')
|
|
report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)
|
|
+ report['fix'] = report['fix'].replace('CONFIG', 'nsslapd-rootpwstoragescheme')
|
|
+ report['check'] = "config:passwordscheme"
|
|
+ yield report
|
|
+ if u_password_scheme not in allowed_schemes:
|
|
+ report = copy.deepcopy(DSCLE0002)
|
|
+ report['detail'] = report['detail'].replace('SCHEME', u_password_scheme)
|
|
+ report['detail'] = report['detail'].replace('CONFIG', 'passwordStorageScheme')
|
|
+ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)
|
|
+ report['fix'] = report['fix'].replace('CONFIG', 'passwordStorageScheme')
|
|
report['check'] = "config:passwordscheme"
|
|
yield report
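Review bot: Both new branches pass the raw attribute value straight into `str.replace`, so if `get_attr_val_utf8` returns None for an unset passwordStorageScheme or nsslapd-rootpwstoragescheme (None is also "not in allowed_schemes", so the branch is entered) the call `report['detail'].replace('SCHEME', u_root_scheme)` raises TypeError and the healthcheck aborts instead of reporting the insecure/missing scheme — worth confirming what the getter returns for a missing attribute. The two branches are otherwise identical except for the config name and value, so one loop over (config, value) pairs removes the duplication and gives a single place to coerce the value. The `def _lint_passwordscheme(self)` line sits above the hunk; the rewrite below replaces everything from the first `if` to the end of the method.
```python
        for config, scheme in (('nsslapd-rootpwstoragescheme', u_root_scheme),
                               ('passwordStorageScheme', u_password_scheme)):
            if scheme in allowed_schemes:
                continue
            report = copy.deepcopy(DSCLE0002)
            # str(scheme) keeps an unset attribute (None) from breaking str.replace
            report['detail'] = report['detail'].replace('SCHEME', str(scheme)).replace('CONFIG', config)
            report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid).replace('CONFIG', config)
            report['check'] = "config:passwordscheme"
            yield report
```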
|
|
|
|
diff --git a/src/lib389/lib389/lint.py b/src/lib389/lib389/lint.py
|
|
index 7ca524315d..475ab08bd2 100644
|
|
--- a/src/lib389/lib389/lint.py
|
|
+++ b/src/lib389/lib389/lint.py
|
|
@@ -97,20 +97,16 @@
|
|
In Directory Server, we offer one hash suitable for this (PBKDF2-SHA512) and one hash
|
|
for "legacy" support (SSHA512).
|
|
|
|
-Your configuration does not use these for password storage or the root password storage
|
|
-scheme.
|
|
+Your configured scheme (SCHEME) for 'CONFIG' is not secure
|
|
""",
|
|
'fix': """Perform a configuration reset of the values:
|
|
|
|
-passwordStorageScheme
|
|
-nsslapd-rootpwstoragescheme
|
|
-
|
|
-IE, stop Directory Server, and in dse.ldif delete these two lines. When Directory Server
|
|
+IE, stop Directory Server, and in dse.ldif delete this line (CONFIG). When Directory Server
|
|
is started, they will use the server provided defaults that are secure.
|
|
|
|
You can also use 'dsconf' to replace these values. Here is an example:
|
|
|
|
- # dsconf slapd-YOUR_INSTANCE config replace passwordStorageScheme=PBKDF2-SHA512 nsslapd-rootpwstoragescheme=PBKDF2-SHA512"""
|
|
+ # dsconf slapd-YOUR_INSTANCE config replace CONFIG=PBKDF2-SHA512"""
|
|
}
|
|
|
|
DSCLE0003 = {
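Review bot: The surrounding context of the `fix` template still reads in the plural after the change: the new line tells the admin to delete one line (CONFIG), but the untouched following sentence says `is started, they will use the server provided defaults that are secure.` and the later one says `You can also use 'dsconf' to replace these values.`, which no longer matches a report that names a single setting; `is started, it will use the server provided default that is secure.` and `You can also use 'dsconf' to replace this value. Here is an example:` would agree with the new wording. The new `detail` sentence also lacks its terminating period (`Your configured scheme (SCHEME) for 'CONFIG' is not secure.`). Since config.py fills these templates with plain `str.replace`, a short comment above the dict such as `# SCHEME, CONFIG and YOUR_INSTANCE are placeholders substituted by config._lint_passwordscheme; keep them unique in the text` would warn future editors not to reuse those tokens elsewhere in the message.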
|