The way the unhashed password is stored in the entry was changed by this ticket: Ticket #402 - nhashed#user#password in entry extension.
It used to be put in the attribute list of the entry. The [Ticket #402] patch changed it to be stored in the entry extension. https://fedorahosted.org/389/ticket/402 The Ticket #402 patch is available in 389-ds-base-1.3.0. To provide a migration period, the unhashed password is currently stored in both places (389-ds-base-1.3.0). The old attribute list method is going to be disabled in 389-ds-base-1.3.1. (Please see also https://fedorahosted.org/389/ticket/561 "disable writing unhashed#user#password to changelog")
I'm afraid that we may need to ask the freeipa code to adjust to the update. The change can be tested using 389-ds-base-1.3.0, on which both the deprecated attribute type method and the entry extension method are supported.
To retrieve the unhashed password from the entry extension, please use this API:
/**
 * Get entry extension
 *
 * \param entry is the entry to retrieve the extension from
 * \param vals is the array of (Slapi_Value *), which directly refers to the extension.
 *        Caller must duplicate it to use it for anything other than referring.
 *
 * \return LDAP_SUCCESS if successful.
 * \return non-zero otherwise.
 */
int slapi_pw_get_entry_ext(Slapi_Entry *entry, Slapi_Value ***vals);
To store the unhashed password to the entry extension, please use this API:
/**
 * Set entry extension
 *
 * \param entry is the entry to set the extension to
 * \param vals is the array of (Slapi_Value *), which is consumed in slapi_pw_set_ext
 *        if the call is successful.
 * \param flags: SLAPI_EXT_SET_ADD     -- add vals to the existing extension if any.
 *               SLAPI_EXT_SET_REPLACE -- replace the existing extension, if any, with vals.
 *               No difference if there is no extension in the entry.
 *
 * \return LDAP_SUCCESS if successful.
 * \return non-zero otherwise.
 */
int slapi_pw_set_entry_ext(Slapi_Entry *entry, Slapi_Value **vals, int flags);
If just the first password is needed in string format, this API is available:
/**
 * Get stashed clear password.
 * If multiple of them are in the extension, the first one is returned.
 *
 * \param entry is the entry to retrieve the extension from
 *
 * \return a pointer to the clear password string. Caller is responsible for freeing the string.
 */
char *slapi_get_first_clear_text_pw(Slapi_Entry *entry);
Fix description formatting and Ticket links.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=915796
I was able to fix our ipa-pwd-extop pre_add plugin and the fix works fine. Noriko, do you have any advice on how we should fix the pre_mod plugin? I.e. this:
static int ipapwd_pre_mod(Slapi_PBlock *pb)
{
    ...
    lmod = slapi_mods_get_first_mod(smods);
    while (lmod) {
        ...
        } else if (slapi_attr_types_equivalent(lmod->mod_type,
                                               "unhashed#user#password")) {
            /* we check for unhashed password here so that we are sure to
             * catch them early, before further checks go on, this helps
             * checking LDAP_MOD_DELETE operations in some corner cases later.
             * We keep only the last one if multiple are provided for any
             * reason */
            if (!lmod->mod_bvalues || !lmod->mod_bvalues[0]) {
                rc = LDAP_OPERATIONS_ERROR;
                goto done;
            }
            bv = lmod->mod_bvalues[0];
            slapi_ch_free_string(&unhashedpw);
            unhashedpw = slapi_ch_malloc(bv->bv_len + 1);
            if (!unhashedpw) {
                rc = LDAP_OPERATIONS_ERROR;
                goto done;
            }
            memcpy(unhashedpw, bv->bv_val, bv->bv_len);
            unhashedpw[bv->bv_len] = '\0';
        }
        lmod = slapi_mods_get_next_mod(smods);
    }
    ...
I assume that unhashed#user#password will also not work in this case. How should I get the clear text password from the LDAPMod?
Thanks.
Replying to [comment:5 mkosek]:
I was able to fix our ipa-pwd-extop pre_add plugin and the fix works fine. Noriko, do you have any advice how we should fix the pre_mod plugin? I.e. this: ... I assume that unhashed#user#password will also not work in this case. How should I get the clear text password from the LDAPMod?
...
Hi, Martin. Thanks for the update! I'm glad you could change ipa-pwd-extop successfully! Regarding retrieving an unhashed password from LDAPMod, it's supposed to remain the same. So, I expect the existing code works. Do you have a problem retrieving it from the mod? If so, please let me know... There could be something we need to fix for 1.3.1... Thanks!
Replying to [comment:6 nhosoi]:
Hi Noriko, thanks for the reply. Do I understand it right that unhashed#user#password read from LDAPMod will still work in 389-ds-base-3.1.0 and thus we do not need to touch it in the ipa-pwd-extop?
Replying to [comment:8 mkosek]:
Hi Martin! That's correct. (And that's my intention. If not, please let me know / open a 389 ticket...) Thanks! --noriko
attachment freeipa-mkosek-383-use-new-389-ds-base-cleartext-password-api.patch
Patch freeipa-mkosek-383-use-new-389-ds-base-cleartext-password-api.patch sent for review
master: dcc6f13
Metadata Update from @nhosoi: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.2 - 2013/03