I'm trying to change our Password Storage Scheme to PBKDF2_SHA256 using the 389 Console, but the scheme is not present in the list.
When using ldapsearch in "cn=Password Storage Schemes,cn=plugins,cn=config" this is the result:

dn: cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
These are the versions of the packages that I have installed:

# yum list installed | grep 389
389-admin.x86_64            1.1.46-1.el7        @epel
389-admin-console.noarch    1.1.12-1.el7        @epel
389-adminutil.x86_64        1.1.21-2.el7        @epel
389-ds-base.x86_64          1.3.7.5-19.el7_5    @rhel_server7
389-ds-base-libs.x86_64     1.3.7.5-19.el7_5    @rhel_server7
389-ds-base-snmp.x86_64     1.3.7.5-19.el7_5    @rhel_server7
389-ds-console.noarch       1.2.16-1.el7        @epel
Do I have to do something to enable/install the PBKDF2_SHA256 password storage scheme?
Hi,
On 09.05.2018 14:15, murmansk@hotmail.com wrote:
I'm trying to change our Password Storage Scheme to PBKDF2_SHA256 using the 389 Console, but the scheme is not present in the list.
When using ldapsearch in "cn=Password Storage Schemes,cn=plugins,cn=config" this is the result:

dn: cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
I could reproduce this on one of my test VMs, but not on the other. Then I started investigating with our QE (thanks Viktor).
The problem is that the upgrade script doesn't enable the plug-in if the instance was installed using 1.3.5 or earlier.
I filed a bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1576485
If the instance was installed using a later version, the plug-in was automatically enabled during the installation.
Regards, Marc
On 09.05.2018 17:21, Marc Muehlfeld wrote:
The problem is that the upgrade script doesn't enable the plug-in if the instance was installed using 1.3.5 or earlier.
I filed a bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1576485
Mark fixed this upstream: https://pagure.io/389-ds-base/issue/49665
To manually add the missing entry:
# ldapadd -D "cn=Directory Manager" -W -x
dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: PBKDF2_SHA256
nsslapd-pluginPath: libpwdstorage-plugin
nsslapd-pluginInitfunc: pbkdf2_sha256_pwd_storage_scheme_init
nsslapd-pluginType: pwdstoragescheme
nsslapd-pluginEnabled: on
nsslapd-pluginDescription: Salted PBKDF2 SHA256 hash algorithm (PBKDF2_SHA256)
nsslapd-pluginVersion: 1.3.7.5
nsslapd-pluginVendor: 389 Project
nsslapd-pluginId: pbkdf2-sha256-password-storage-scheme
adding new entry "cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config"
After a restart of the instance, you can use the password storage scheme:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: PBKDF2_SHA256
modifying entry "cn=config"
Regards, Marc
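Switching passwordStorageScheme as above only affects passwords set from that point on; entries keep the hash they were stored with until the password is next changed, so the practical follow-up check is an audit of an export. The script below is an added example, not code from this thread or from the 389-ds project. It parses userPassword values out of a constructed LDIF excerpt (both the plain form and the "userPassword::" base64 form that OpenLDAP's ldapsearch emits for this attribute), tallies the scheme prefixes, lists entries still on a scheme outside an accepted set, and verifies a {PBKDF2_SHA256} value against a candidate password. The PBKDF2_SHA256 blob layout (4-byte big-endian iteration count, 64-byte salt, 256-byte derived key, base64-encoded as one string) and the 30000 default iteration count are my reading of the pwdstorage plugin, not something the thread states; confirm them against a hash your own instance produced before trusting the verifier on real data.

```python
# Added example, not 389-ds project code. SAMPLE_LDIF is constructed data.
# The {PBKDF2_SHA256} layout and default iterations are assumptions; check them
# against a hash produced by your own server before relying on the verifier.
import base64
import hashlib
import hmac
import os
import re
import struct
from collections import Counter

# Assumed {PBKDF2_SHA256} blob: big-endian uint32 iterations | 64-byte salt | 256-byte key.
PBKDF2_ITER_LEN, PBKDF2_SALT_LEN, PBKDF2_KEY_LEN = 4, 64, 256
DEFAULT_ITERATIONS = 30000  # assumed plugin default

# Schemes the audit accepts. Per the thread, SSHA512 is the strongest scheme left on
# EL7 1.3.x when PBKDF2_SHA256 is unavailable; everything else is flagged for a reset.
ACCEPTABLE = {"PBKDF2_SHA256", "SSHA512"}


def pbkdf2_sha256_hash(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Build a {PBKDF2_SHA256} value in the assumed layout."""
    salt = os.urandom(PBKDF2_SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, PBKDF2_KEY_LEN)
    blob = struct.pack(">I", iterations) + salt + key
    return "{PBKDF2_SHA256}" + base64.b64encode(blob).decode()


def pbkdf2_sha256_split(stored):
    """Return (iterations, salt, key) from a {PBKDF2_SHA256} value; ValueError if malformed."""
    prefix = "{PBKDF2_SHA256}"
    if not stored.startswith(prefix):
        raise ValueError("not a PBKDF2_SHA256 value")
    blob = base64.b64decode(stored[len(prefix):])
    if len(blob) != PBKDF2_ITER_LEN + PBKDF2_SALT_LEN + PBKDF2_KEY_LEN:
        raise ValueError("unexpected blob length %d" % len(blob))
    (iterations,) = struct.unpack(">I", blob[:PBKDF2_ITER_LEN])
    salt_end = PBKDF2_ITER_LEN + PBKDF2_SALT_LEN
    return iterations, blob[PBKDF2_ITER_LEN:salt_end], blob[salt_end:]


def pbkdf2_sha256_verify(password, stored):
    """Recompute the key with the stored salt and iterations, compare in constant time."""
    iterations, salt, key = pbkdf2_sha256_split(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, len(key))
    return hmac.compare_digest(candidate, key)


def ssha_hash(algo, password, salt):
    """Salted SHA as 389-ds stores it: base64(digest(password + salt) + salt). Sample data only."""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    label = "SSHA" if algo == "sha1" else "S" + algo.upper()
    return "{%s}%s" % (label, base64.b64encode(digest + salt).decode())


def parse_userpasswords(ldif_text):
    """Yield (dn, userPassword) pairs; handles folded lines and 'userPassword::' base64 values."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # a line starting with a space continues the previous
    dn = None
    for line in unfolded.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            yield dn, base64.b64decode(line[len("userPassword:: "):]).decode()
        elif line.startswith("userPassword: "):
            yield dn, line[len("userPassword: "):]


def scheme_of(value):
    """Scheme prefix in upper case, or NONE when the value carries no {SCHEME} prefix."""
    m = re.match(r"^\{([^}]+)\}", value)
    return m.group(1).upper() if m else "NONE"


def audit(ldif_text):
    """Tally schemes and list entries whose stored hash is outside ACCEPTABLE."""
    counts, needs_reset = Counter(), []
    for dn, value in parse_userpasswords(ldif_text):
        scheme = scheme_of(value)
        counts[scheme] += 1
        if scheme not in ACCEPTABLE:
            needs_reset.append((dn, scheme))
    return {"schemes": dict(counts), "needs_reset": needs_reset}


def _sample_ldif():
    """Constructed export covering each state the audit should distinguish."""
    alice = ssha_hash("sha512", "alice-pw", b"\x01" * 8)
    bob = pbkdf2_sha256_hash("bob-pw", salt=b"\x02" * PBKDF2_SALT_LEN)
    legacy = ssha_hash("sha1", "legacy-pw", b"\x03" * 8)
    return (
        "dn: uid=alice,ou=People,dc=example,dc=com\n"
        "userPassword:: " + base64.b64encode(alice.encode()).decode() + "\n\n"
        "dn: uid=bob,ou=People,dc=example,dc=com\n"
        "userPassword: " + bob + "\n\n"
        "dn: uid=legacy,ou=People,dc=example,dc=com\n"
        "userPassword: " + legacy + "\n\n"
        "dn: uid=svc,ou=Services,dc=example,dc=com\n"
        "userPassword: {CLEAR}hunter2\n"
    )


SAMPLE_LDIF = _sample_ldif()

if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    print("schemes in use:", report["schemes"])
    for dn, scheme in report["needs_reset"]:
        print("needs reset (%s): %s" % (scheme, dn))
    bob_value = dict(parse_userpasswords(SAMPLE_LDIF))["uid=bob,ou=People,dc=example,dc=com"]
    print("bob: iterations=%d verify=%s" % (pbkdf2_sha256_split(bob_value)[0],
                                           pbkdf2_sha256_verify("bob-pw", bob_value)))
```

For a real run, feed it the output of db2ldif or an ldapsearch for userPassword bound as Directory Manager, and treat every DN in needs_reset as an account whose password must be set again before the scheme change has any effect on it.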
On Wed, 2018-05-09 at 12:15 +0000, murmansk@hotmail.com wrote:
I'm trying to change our Password Storage Scheme to PBKDF2_SHA256 using the 389 Console, but the scheme is not present in the list.
PBKDF2_SHA256 does not work on EL7 due to a limitation with the NSS crypto provider. At start up it will drop an error in your logs like "crypto provider not available" or something.
It's only available in 1.4.x on Fedora today, and will be supported in a "future version" for EL.
The plugin "exists" in 1.3.x because that's where I developed it (against fedora) at the time, but due to a mistake on my part, I allowed it to be configured and built on EL7. For that I apologise.
Today, sadly this does mean the strongest hash type is SSHA512 still, but 1.4.x will upgrade this. Please also note that the "config upgrade" mechanism will come into play in 1.3.6 and higher, so if you "omit" password-scheme in cn=config your server will always upgrade to the strongest password hash type available when you yum upgrade - long term this may be better for you as other mechs are added.
Thanks,
When using ldapsearch in "cn=Password Storage Schemes,cn=plugins,cn=config" this is the result:

dn: cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config
dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
These are the versions of the packages that I have installed:

# yum list installed | grep 389
389-admin.x86_64            1.1.46-1.el7        @epel
389-admin-console.noarch    1.1.12-1.el7        @epel
389-adminutil.x86_64        1.1.21-2.el7        @epel
389-ds-base.x86_64          1.3.7.5-19.el7_5    @rhel_server7
389-ds-base-libs.x86_64     1.3.7.5-19.el7_5    @rhel_server7
389-ds-base-snmp.x86_64     1.3.7.5-19.el7_5    @rhel_server7
389-ds-console.noarch       1.2.16-1.el7        @epel
Do I have to do something to enable/install the PBKDF2_SHA256 password storage scheme?

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Hi William,
PBKDF2_SHA256 does not work on EL7 due to a limitation with the NSS crypto provider. At start up it will drop an error in your logs like "crypto provider not available" or something.
It's only available in 1.4.x on Fedora today, and will be supported in a "future version" for EL.
The plugin "exists" in 1.3.x because that's where I developed it (against fedora) at the time, but due to a mistake on my part, I allowed it to be configured and built on EL7. For that I apologise.
this is very interesting to me. We had a discussion on PBKDF2_SHA256 on RHEL 7.4 last autumn: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Does your quote here explain the behavior I saw in our discussion?
I'm confused now because we still have the PBKDF2_SHA256 plugin enabled on our servers and the Directory Manager password is actually hashed using PBKDF2_SHA256. It does work and I also cannot find any log messages containing "crypto" or "provider".
We are currently using RHEL 7.5 and 389-ds-base 1.3.7.5-19.el7_5.
Thanks, Marian
On 05/15/2018 03:19 AM, Marian Rainer-Harbach wrote:
Hi William,
PBKDF2_SHA256 does not work on EL7 due to a limitation with the NSS crypto provider. At start up it will drop an error in your logs like "crypto provider not available" or something.
It's only available in 1.4.x on Fedora today, and will be supported in a "future version" for EL.
The plugin "exists" in 1.3.x because that's where I developed it (against fedora) at the time, but due to a mistake on my part, I allowed it to be configured and built on EL7. For that I apologise.
this is very interesting to me. We had a discussion on PBKDF2_SHA256 on RHEL 7.4 last autumn: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Does your quote here explain the behavior I saw in our discussion?
I'm confused now because we still have the PBKDF2_SHA256 plugin enabled on our servers and the Directory Manager password is actually hashed using PBKDF2_SHA256. It does work and I also cannot find any log messages containing "crypto" or "provider".
We are currently using RHEL 7.5 and 389-ds-base 1.3.7.5-19.el7_5.
This does not affect Fedora or RHEL (so you are okay), only EPEL builds like CentOS. The good news is that it is not used by default in 389-ds-base-1.3.x, so nothing is broken out of the box for those platforms.
Thanks, Marian