#149 RFE: cleartext userPassword value is sent unencrypted
Closed: wontfix None Opened 12 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=182509

Description of problem:
When a changelog is enabled and a userPassword is modified, both the hash and
the cleartext are logged for winsync's benefit:
change::
replace: userPassword
userPassword: {SSHA}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12

The change (including the cleartext password) is sent to replicas (where the
cleartext password is actually ignored, see #182507).

We should probably require that MMR is configured with SSL if passwords are
sent in the clear.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Configure two replicas with MMR, M1 and M2.
2. Change a userPassword in M2.


Actual results:


Expected results:


Additional info:
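
An added example, not part of the original report or of 389-ds-base's own code: one way to audit for the condition the report asks to prevent is to read the replication agreement entries as LDIF and flag every agreement whose `nsDS5ReplicaTransportInfo` is plain LDAP. The sample entries, host names and function names are constructed for illustration; the example assumes that an absent attribute means a plain LDAP connection and that `SSL`, `TLS`, `LDAPS` and `StartTLS` are the encrypted values.

```python
import base64

# Values treated as encrypted transport (older SSL/TLS, newer LDAPS/StartTLS).
ENCRYPTED = {"ssl", "tls", "ldaps", "starttls"}

# Constructed sample of three replication agreement entries (not from the ticket).
SAMPLE_LDIF = """\
dn: cn=M1-to-M2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: m2.example.com
nsDS5ReplicaTransportInfo: LDAP

dn: cn=M1-to-M3,cn=replica,cn="dc=example,dc=com",cn=mapping tree,
 cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: m3.example.com
nsds5replicatransportinfo:: U1NM

dn: cn=M1-to-M4,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaHost: m4.example.com
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # undo LDIF line folding
        entry = {}
        for line in (l for l in block.splitlines() if l and not l.startswith("#")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def cleartext_agreements(text):
    """Return (dn, host, transport) for agreements that replicate without TLS."""
    findings = []
    for e in parse_ldif(text):
        classes = [v.lower() for v in e.get("objectclass", [])]
        if "nsds5replicationagreement" not in classes:
            continue
        # Assumption: an absent attribute means a plain LDAP connection.
        transport = e.get("nsds5replicatransportinfo", ["LDAP"])[0]
        if transport.lower() not in ENCRYPTED:
            findings.append((e["dn"][0], e.get("nsds5replicahost", ["?"])[0], transport))
    return findings
```

On the constructed sample, `cleartext_agreements(SAMPLE_LDIF)` reports the agreements to m2 and m4; the m3 agreement, whose transport value is base64-encoded `SSL`, is not flagged.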

This issue had been already treated when bz 182507 was solved.

commit changeset:7aef407/389-ds-base
Author: Noriko Hosoi nhosoi@jiji.usersys.redhat.com
Date: Wed Dec 15 13:01:04 2010 -0800

Bug 182507 - clear-password mod from replica is discarded before changelogge

https://bugzilla.redhat.com/show_bug.cgi?id=182507

Description:
Replication drops unhashed passwords which is necessary for
the AD password sync.  This patch allows the passwords replicated
and introduces a method to encrypt logs in the changelog.

See also http://directory.fedoraproject.org/wiki/Changelog_Encryption

already fixed in 1.2.9 or earlier

Added initial screened field value.

Metadata Update from @nkinder:
- Issue assigned to rmeggins
- Issue set to the milestone: 1.2.10

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/149

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Invalid)

3 years ago
