86 lines
3.9 KiB
Diff
86 lines
3.9 KiB
Diff
From 1a192048a49fcdfa8bcfe79e2fa86153b339fac1 Mon Sep 17 00:00:00 2001
|
|
From: Mark Reynolds <mreynolds@redhat.com>
|
|
Date: Tue, 13 Dec 2022 17:00:28 -0500
|
|
Subject: [PATCH 2/2] Issue 5565 - Change default password storage scheme
|
|
|
|
Descriptrion: Becuase of replication we need to use a default storage scheme
|
|
that works on 389-ds-base-1.3.10
|
|
|
|
relates: https://github.com/389ds/389-ds-base/issues/5565
|
|
|
|
Reviewed by: spichugi & firstyear(thanks!!)
|
|
---
|
|
.../tests/suites/healthcheck/health_security_test.py | 8 ++++----
|
|
dirsrvtests/tests/suites/password/pwp_test.py | 2 +-
|
|
ldap/servers/slapd/pw.c | 3 ++-
|
|
src/lib389/lib389/config.py | 2 +-
|
|
4 files changed, 8 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/dirsrvtests/tests/suites/healthcheck/health_security_test.py b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
|
|
index 519107365..d14b52c7a 100644
|
|
--- a/dirsrvtests/tests/suites/healthcheck/health_security_test.py
|
|
+++ b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
|
|
@@ -1,5 +1,5 @@
|
|
# --- BEGIN COPYRIGHT BLOCK ---
|
|
-# Copyright (C) 2020 Red Hat, Inc.
|
|
+# Copyright (C) 2022 Red Hat, Inc.
|
|
# All rights reserved.
|
|
#
|
|
# License: GPL (version 3 or any later version).
|
|
@@ -113,9 +113,9 @@ def test_healthcheck_insecure_pwd_hash_configured(topology_st):
|
|
standalone.config.set('passwordStorageScheme', 'SSHA512')
|
|
standalone.config.set('nsslapd-rootpwstoragescheme', 'SSHA512')
|
|
else:
|
|
- log.info('Set passwordStorageScheme and nsslapd-rootpwstoragescheme to PBKDF2-SHA512')
|
|
- standalone.config.set('passwordStorageScheme', 'PBKDF2-SHA512')
|
|
- standalone.config.set('nsslapd-rootpwstoragescheme', 'PBKDF2-SHA512')
|
|
+ log.info('Set passwordStorageScheme and nsslapd-rootpwstoragescheme to PBKDF2_SHA256')
|
|
+ standalone.config.set('passwordStorageScheme', 'PBKDF2_SHA256')
|
|
+ standalone.config.set('nsslapd-rootpwstoragescheme', 'PBKDF2_SHA256')
|
|
|
|
run_healthcheck_and_flush_log(topology_st, standalone, json=False, searched_code=CMD_OUTPUT)
|
|
run_healthcheck_and_flush_log(topology_st, standalone, json=True, searched_code=JSON_OUTPUT)
|
|
diff --git a/dirsrvtests/tests/suites/password/pwp_test.py b/dirsrvtests/tests/suites/password/pwp_test.py
|
|
index ce45bc364..190881222 100644
|
|
--- a/dirsrvtests/tests/suites/password/pwp_test.py
|
|
+++ b/dirsrvtests/tests/suites/password/pwp_test.py
|
|
@@ -27,7 +27,7 @@ else:
|
|
if is_fips():
|
|
DEFAULT_PASSWORD_STORAGE_SCHEME = 'SSHA512'
|
|
else:
|
|
- DEFAULT_PASSWORD_STORAGE_SCHEME = 'PBKDF2-SHA512'
|
|
+ DEFAULT_PASSWORD_STORAGE_SCHEME = 'PBKDF2_SHA256'
|
|
|
|
|
|
def _create_user(topo, uid, cn, uidNumber, userpassword):
|
|
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
|
|
index 825498858..566ba87dd 100644
|
|
--- a/ldap/servers/slapd/pw.c
|
|
+++ b/ldap/servers/slapd/pw.c
|
|
@@ -280,7 +280,8 @@ pw_name2scheme(char *name)
|
|
} else {
|
|
/* if not, let's setup pbkdf2 */
|
|
#ifdef RUST_ENABLE
|
|
- char *pbkdf = "PBKDF2-SHA512";
|
|
+ /* until 1.3.10 supports Rust hashers we can't use PBKDF2-SHA512 by default */
|
|
+ char *pbkdf = "PBKDF2_SHA256";
|
|
#else
|
|
char *pbkdf = "PBKDF2_SHA256";
|
|
#endif
|
|
diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py
|
|
index c7abdf778..c178eb02f 100644
|
|
--- a/src/lib389/lib389/config.py
|
|
+++ b/src/lib389/lib389/config.py
|
|
@@ -209,7 +209,7 @@ class Config(DSLdapObject):
|
|
yield report
|
|
|
|
def _lint_passwordscheme(self):
|
|
- allowed_schemes = ['SSHA512', 'PBKDF2-SHA512', 'GOST_YESCRYPT']
|
|
+ allowed_schemes = ['SSHA512', 'PBKDF2_SHA256', 'GOST_YESCRYPT']
|
|
u_password_scheme = self.get_attr_val_utf8('passwordStorageScheme')
|
|
u_root_scheme = self.get_attr_val_utf8('nsslapd-rootpwstoragescheme')
|
|
if u_root_scheme not in allowed_schemes or u_password_scheme not in allowed_schemes:
|
|
--
|
|
2.38.1
|
|
|