[389-ds-base] branch master updated: Ticket 49789 - By default, do not manage unhashed password
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
tbordaz pushed a commit to branch master
in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
new 104be99 Ticket 49789 - By default, do not manage unhashed password
104be99 is described below
commit 104be9958cdc245ebb44912d3eadeec2b97731b8
Author: Thierry Bordaz <tbordaz(a)redhat.com>
AuthorDate: Fri Jul 13 17:55:27 2018 +0200
Ticket 49789 - By default, do not manage unhashed password
Bug Description:
By default, unhashed#user#password is recorded in the changelog database.
This is only needed when a plugin has to know the clear-text password on update.
It should be disabled ('off') by default.
Fix Description:
Switch the default value from 'on' to 'off'
https://pagure.io/389-ds-base/issue/49789
Reviewed by: Viktor Ashirov, Simon Pichugi, Mark Reynolds
Platforms tested: F28
Flag Day: no
Doc impact: no
---
.../tests/suites/password/regression_test.py | 121 ++++++++++++++++++++-
ldap/servers/slapd/slap.h | 4 +-
2 files changed, 122 insertions(+), 3 deletions(-)
diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
index b01b73e..c239799 100644
--- a/dirsrvtests/tests/suites/password/regression_test.py
+++ b/dirsrvtests/tests/suites/password/regression_test.py
@@ -8,8 +8,11 @@
import pytest
import time
from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX
+from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB
+from lib389 import Entry
+from lib389.topologies import topology_m1 as topo_master
from lib389.idm.user import UserAccounts
-from lib389.utils import ldap, os, logging
+from lib389.utils import ldap, os, logging, ensure_bytes
from lib389.topologies import topology_st as topo
from lib389.idm.organizationalunit import OrganizationalUnits
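Review bot: The added `from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, ...` line re-imports `PASSWORD`, `DN_DM` and `DEFAULT_SUFFIX`, which the unchanged line directly above it already imports. Folding the new names into that existing line keeps a single import per module, e.g. `from lib389._constants import PASSWORD, DN_DM, DN_CONFIG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB, PLUGIN_RETRO_CHANGELOG`. `SUFFIX` is not used in any hunk visible in this commit, so it may be droppable; the rest of the file is not shown here.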
@@ -36,6 +39,23 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
TEST_PASSWORDS2 = (
'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12(a)redhat.com', '2GN1pwtest123', 'People123')
+def _check_unhashed_userpw(inst, user_dn, is_present=False):
+ """Check if unhashed#user#password attribute is present of not in the changelog"""
+ unhashed_pwd_attribute = 'unhashed#user#password'
+
+ changelog_dbdir = os.path.join(os.path.dirname(inst.dbdir), DEFAULT_CHANGELOG_DB)
+ for dbfile in os.listdir(changelog_dbdir):
+ if dbfile.endswith('.db'):
+ changelog_dbfile = os.path.join(changelog_dbdir, dbfile)
+ log.info('Changelog dbfile file exist: {}'.format(changelog_dbfile))
+ log.info('Running dbscan -f to check {} attr'.format(unhashed_pwd_attribute))
+ dbscanOut = inst.dbscan(DEFAULT_CHANGELOG_DB, changelog_dbfile)
+ for entry in dbscanOut.split(b'dbid: '):
+ if ensure_bytes('operation: modify') in entry and ensure_bytes(user_dn) in entry and ensure_bytes('userPassword') in entry:
+ if is_present:
+ assert ensure_bytes(unhashed_pwd_attribute) in entry
+ else:
+ assert ensure_bytes(unhashed_pwd_attribute) not in entry
@pytest.fixture(scope="module")
def passw_policy(topo, request):
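Review bot: `_check_unhashed_userpw` passes without checking anything when no changelog record matches: if the directory holds no `.db` file, or no `dbid:` record contains all of `operation: modify`, the user DN and `userPassword`, neither assert runs. For the `is_present=False` calls the test then cannot tell "clear-text password was not written" from "record was not found", which is the property this ticket guards. The test sends the attribute as `userpassword` while the filter matches `userPassword` byte-for-byte, so it is worth confirming how dbscan prints the name. Set `matched = True` inside the innermost `if` and end the helper with `assert matched, 'no changelog modify record found for {}'.format(user_dn)`.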
@@ -193,6 +213,105 @@ def test_global_vs_local(topo, passw_policy, create_user, user_pasw):
# reset password
create_user.set('userPassword', PASSWORD)
+(a)pytest.mark.ds49789
+def test_unhashed_pw_switch(topo_master):
+ """Check that nsslapd-unhashed-pw-switch works corrently
+
+ :id: e5aba180-d174-424d-92b0-14fe7bb0b92a
+ :setup: Master Instance
+ :steps:
+ 1. A Master is created, enable retrocl (not used here)
+ 2. create a set of users
+ 3. update userpassword of user1 and check that unhashed#user#password is not logged (default)
+ 4. udpate userpassword of user2 and check that unhashed#user#password is not logged ('nolog')
+ 5. udpate userpassword of user3 and check that unhashed#user#password is logged ('on')
+ :expectedresults:
+ 1. Success
+ 2. Success
+ 3 Success (unhashed#user#password is not logged in the replication changelog)
+ 4. Success (unhashed#user#password is not logged in the replication changelog)
+ 5. Success (unhashed#user#password is logged in the replication changelog)
+ """
+ MAX_USERS = 10
+ PEOPLE_DN = ("ou=people," + DEFAULT_SUFFIX)
+
+ inst = topo_master.ms["master1"]
+ inst.modify_s("cn=Retro Changelog Plugin,cn=plugins,cn=config",
+ [(ldap.MOD_REPLACE, 'nsslapd-changelogmaxage', b'2m'),
+ (ldap.MOD_REPLACE, 'nsslapd-changelog-trim-interval', b"5s"),
+ (ldap.MOD_REPLACE, 'nsslapd-logAccess', b'on')])
+ inst.config.loglevel(vals=[256 + 4], service='access')
+ inst.restart()
+ # If you need any test suite initialization,
+ # please, write additional fixture for that (including finalizer).
+ # Topology for suites are predefined in lib389/topologies.py.
+
+ # enable dynamic plugins, memberof and retro cl plugin
+ #
+ log.info('Enable plugins...')
+ try:
+ inst.modify_s(DN_CONFIG,
+ [(ldap.MOD_REPLACE,
+ 'nsslapd-dynamic-plugins',
+ b'on')])
+ except ldap.LDAPError as e:
+ ldap.error('Failed to enable dynamic plugins! ' + e.message['desc'])
+ assert False
+
+ #topology_st.standalone.plugins.enable(name=PLUGIN_MEMBER_OF)
+ inst.plugins.enable(name=PLUGIN_RETRO_CHANGELOG)
+ #topology_st.standalone.modify_s("cn=changelog,cn=ldbm database,cn=plugins,cn=config", [(ldap.MOD_REPLACE, 'nsslapd-cachememsize', str(100000))])
+ inst.restart()
+
+ log.info('create users and group...')
+ for idx in range(1, MAX_USERS):
+ try:
+ USER_DN = ("uid=member%d,%s" % (idx, PEOPLE_DN))
+ inst.add_s(Entry((USER_DN,
+ {'objectclass': 'top extensibleObject'.split(),
+ 'uid': 'member%d' % (idx)})))
+ except ldap.LDAPError as e:
+ log.fatal('Failed to add user (%s): error %s' % (USER_DN, e.message['desc']))
+ assert False
+
+ # Check default is that unhashed#user#password is not logged
+ user = "uid=member1,%s" % (PEOPLE_DN)
+ inst.modify_s(user, [(ldap.MOD_REPLACE,
+ 'userpassword',
+ PASSWORD.encode())])
+ inst.stop()
+ _check_unhashed_userpw(inst, user, is_present=False)
+
+ # Check with nolog that unhashed#user#password is not logged
+ inst.modify_s(DN_CONFIG,
+ [(ldap.MOD_REPLACE,
+ 'nsslapd-unhashed-pw-switch',
+ b'nolog')])
+ inst.restart()
+ user = "uid=member2,%s" % (PEOPLE_DN)
+ inst.modify_s(user, [(ldap.MOD_REPLACE,
+ 'userpassword',
+ PASSWORD.encode())])
+ inst.stop()
+ _check_unhashed_userpw(inst, user, is_present=False)
+
+ # Check with value 'on' that unhashed#user#password is logged
+ inst.modify_s(DN_CONFIG,
+ [(ldap.MOD_REPLACE,
+ 'nsslapd-unhashed-pw-switch',
+ b'on')])
+ inst.restart()
+ user = "uid=member3,%s" % (PEOPLE_DN)
+ inst.modify_s(user, [(ldap.MOD_REPLACE,
+ 'userpassword',
+ PASSWORD.encode())])
+ inst.stop()
+ _check_unhashed_userpw(inst, user, is_present=True)
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
if __name__ == '__main__':
# Run isolated
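Review bot: The first `except ldap.LDAPError` handler in `test_unhashed_pw_switch` calls `ldap.error(...)` on the ldap module instead of the `log` logger used by the second handler; in python-ldap that name appears to be the exception class, so the message is built and discarded rather than logged. Both handlers also read `e.message['desc']`, which Python 3 exceptions do not provide, and the `b'...'` values and `PASSWORD.encode()` suggest this file targets Python 3, so a real LDAP failure would likely surface as an `AttributeError`. Suggested: `log.error('Failed to enable dynamic plugins! %s', e)` followed by `raise` in place of `assert False`, and the same pattern in the user-creation loop. Separately, the 'nolog' and 'on' steps call `inst.modify_s(DN_CONFIG, ...)` right after `inst.stop()` and before `inst.restart()`; confirm the server is reachable at that point or add `inst.start()` after each `_check_unhashed_userpw` call.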
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 7f3a056..0c8d662 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -295,8 +295,8 @@ typedef void (*VFPV)(); /* takes undefined arguments */
#define SLAPD_DEFAULT_VALIDATE_CERT SLAPD_VALIDATE_CERT_WARN
#define SLAPD_DEFAULT_VALIDATE_CERT_STR "warn"
-#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH SLAPD_UNHASHED_PW_ON
-#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR "on"
+#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH SLAPD_UNHASHED_PW_OFF
+#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR "off"
#define SLAPD_DEFAULT_LDAPI_SEARCH_BASE "dc=example,dc=com"
#define SLAPD_DEFAULT_LDAPI_AUTO_DN "cn=peercred,cn=external,cn=auth"
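Review bot: The two `SLAPD_DEFAULT_UNHASHED_PW_SWITCH*` defines change the default with no comment saying why 'off' was chosen or what depends on it. Per the commit message the unhashed password is only needed by plugins that must see the clear-text value on update, so deployments that relied on the old implicit 'on' now have to set `nsslapd-unhashed-pw-switch` explicitly; the "Doc impact: no" trailer seems worth revisiting for that reason. Suggested comment above the defines: `/* Default 'off': unhashed#user#password is not recorded in the changelog; plugins that need the clear-text password must set nsslapd-unhashed-pw-switch explicitly. Keep both defaults in sync. */`.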
--
[389-ds-base] 01/02: Bump version to 1.4.0.25
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.4.0
in repository 389-ds-base.
commit 24d4095f5c7d4f1fd6e2ee9536c258a9e6e2a906
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon Jul 8 15:57:01 2019 -0400
Bump version to 1.4.0.25
---
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION.sh b/VERSION.sh
index d27e4d7..3bebfc8 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=4
-VERSION_MAINT=0.24
+VERSION_MAINT=0.25
# NOTE: VERSION_PREREL is automatically set for builds made out of a git tree
VERSION_PREREL=
VERSION_DATE=$(date -u +%Y%m%d)
--
[389-ds-base] branch master updated: Bump version to 1.4.1.5
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch master
in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
new 7483341 Bump version to 1.4.1.5
7483341 is described below
commit 7483341432b1a7c3d8448ff3b3e01b09d0540bc7
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon Jul 8 15:23:01 2019 -0400
Bump version to 1.4.1.5
---
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION.sh b/VERSION.sh
index 48b99bd..e9e12a2 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=4
-VERSION_MAINT=1.4
+VERSION_MAINT=1.5
# NOTE: VERSION_PREREL is automatically set for builds made out of a git tree
VERSION_PREREL=
VERSION_DATE=$(date -u +%Y%m%d)
--
[389-ds-base] branch 389-ds-base-1.4.0 updated: Issue 50431 - Fix regression from coverity fix
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.4.0
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.0 by this push:
new e8f7c75 Issue 50431 - Fix regression from coverity fix
e8f7c75 is described below
commit e8f7c7551934ac89cc7ee05ae10d62c78bf84d9b
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon Jul 8 14:00:28 2019 -0400
Issue 50431 - Fix regression from coverity fix
Description: Fix a regression from the initial coverity commit that
caused the memberOf groupattrs to become corrupted and
crash the server.
https://pagure.io/389-ds-base/issue/50431
Reviewed by: vashirov(Thanks!)
---
ldap/servers/plugins/memberof/memberof_config.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c
index 124217e..6729c3a 100644
--- a/ldap/servers/plugins/memberof/memberof_config.c
+++ b/ldap/servers/plugins/memberof/memberof_config.c
@@ -550,8 +550,9 @@ memberof_apply_config(Slapi_PBlock *pb __attribute__((unused)),
}
/* Build the new list */
- for (i = 0; theConfig.group_slapiattrs && theConfig.group_slapiattrs[i] &&
- theConfig.groupattrs && theConfig.groupattrs[i]; i++)
+ for (i = 0; theConfig.group_slapiattrs &&
+ theConfig.groupattrs &&
+ theConfig.groupattrs[i]; i++)
{
theConfig.group_slapiattrs[i] = slapi_attr_new();
slapi_attr_init(theConfig.group_slapiattrs[i], theConfig.groupattrs[i]);
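Review bot: The rewritten loop condition stops only on `theConfig.groupattrs[i]`, while each iteration writes `theConfig.group_slapiattrs[i]`, so it relies on `group_slapiattrs` having at least as many slots as `groupattrs` has entries. That allocation is outside the hunk and cannot be confirmed from here. If it is sized from `groupattrs`, a comment recording the invariant would guard against the mismatch returning, e.g. `/* group_slapiattrs is sized from groupattrs; iterate on groupattrs only, the new slots are still NULL here */`. `memberof_apply_config` starts and ends outside the hunk, and the identical hunk pushed to master in the next message on this page has the same gap.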
--
[389-ds-base] branch master updated: Issue 50431 - Fix regression from coverity fix
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch master
in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
new fdf59ee Issue 50431 - Fix regression from coverity fix
fdf59ee is described below
commit fdf59ee0545efb7de91266bb3ba6e90270286865
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon Jul 8 14:00:28 2019 -0400
Issue 50431 - Fix regression from coverity fix
Description: Fix a regression from the initial coverity commit that
caused the memberOf groupattrs to become corrupted and
crash the server.
https://pagure.io/389-ds-base/issue/50431
Reviewed by: vashirov(Thanks!)
---
ldap/servers/plugins/memberof/memberof_config.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c
index 124217e..6729c3a 100644
--- a/ldap/servers/plugins/memberof/memberof_config.c
+++ b/ldap/servers/plugins/memberof/memberof_config.c
@@ -550,8 +550,9 @@ memberof_apply_config(Slapi_PBlock *pb __attribute__((unused)),
}
/* Build the new list */
- for (i = 0; theConfig.group_slapiattrs && theConfig.group_slapiattrs[i] &&
- theConfig.groupattrs && theConfig.groupattrs[i]; i++)
+ for (i = 0; theConfig.group_slapiattrs &&
+ theConfig.groupattrs &&
+ theConfig.groupattrs[i]; i++)
{
theConfig.group_slapiattrs[i] = slapi_attr_new();
slapi_attr_init(theConfig.group_slapiattrs[i], theConfig.groupattrs[i]);
--