[389-users] Re: userPassword changed to PBKDF2_SHA256 after bind

Fri, 29 Nov 2019 09:51:19 -0800 


On 11/29/19 10:27 AM, Francesc Guasch wrote:

Hello.

After upgrade to 389 release 1.4 I experienced an odd behaviour.

If I add a new user, then I bind with that user. The userPassword
attribute gets changed to {PBKDF2_SHA256}.

These are the steps I follow to reproduce it:

1- add a new entry with MD5 password, it is like this: {MD5}N7...
2- connect to LDAP and bind with the user just created
3- connect with admin and retrieve the password, it is {PBKDF2_SHA256}
This is the expected behavior.  We now automatically upgrade password storage schemes to PBKDF2 in 1.4.2 - which is the strongest hashing algorithm we offer.  MD5 is not considered secure anymore. You can disable this "hash upgrade" feature by setting: nsslapd-enable-upgrade-hash to "off" under cn=config 

I may have been doing something wrong but my code worked on previous
releases of 389-ds.

I extracted code from my project to build a full test on it. I uploaded
it to gist:

https://gist.github.com/frankiejol/9e099ba828c8cbdff361783c177643da

This is 1.4.1.6-4. So I have seen there is 1.4.2 release but
I haven't been able to build it. It gets stuck on make lib389

ModuleNotFoundError: No module named 'packaging'
make: *** [Makefile:14474: lib389] Error 1
Install "python3-packaging" which is a requirement in our specfile, but in master branch we should have changed things to now use python3-distro (instead of python3-packaging).  So I'm not sure how your are building the server, but I would suggest following this doc: 

http://www.port389.org/docs/389ds/development/building.html

HTH,

Mark



Anyway, it looks like a bug or maybe a configuration issue ?

thank you for your time
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

Reply via email to