This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch master in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
     new 6a0ece1  Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
6a0ece1 is described below
commit 6a0ece1e5d6c3a6f8d0d4f312a8e3af6f518087d
Author: Mark Reynolds <mreynolds@redhat.com>
AuthorDate: Fri May 8 15:05:25 2020 -0400
Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
Description:
FreeIPA LDAP update code relies on the schema retrieval when deciding what to do with values of single-valued LDAP attributes. In the case where the attribute is single-valued and some value was present in the original entry for this attribute, it would use MOD_REPLACE. Otherwise, it uses MOD_DELETE + MOD_ADD.
Many attributes used in cn=config entries have no formal schema defined. Since by default an attribute is multi-valued, this fails the logic above for actual single-valued attributes, like nsslapd-enable-upgrade-hash. It means FreeIPA has to write special logic to handle just this attribute.
It would be good to expose schema for nsslapd-enable-upgrade-hash. We need to change its value to off in all FreeIPA installations because ipa-pwd-extop plugin prevents hashed passwords in updates due to a need to regenerate Kerberos hashes on a password change. It means upgrade of a password hash on LDAP bind will never work in FreeIPA.
Note - this does move us closer to our goal of adding all the configuration attributes to the schema.
fixes: https://pagure.io/389-ds-base/issue/51078
Reviewed by: mreynolds (one line commit rule)
---
 ldap/schema/01core389.ldif | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif index c1fd7f5..b5478cb 100644 --- a/ldap/schema/01core389.ldif +++ b/ldap/schema/01core389.ldif @@ -317,6 +317,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2365 NAME 'nsds5replicaLastUpdateStatusJ attributeTypes: ( 2.16.840.1.113730.3.1.2367 NAME 'nsslapd-libPath' DESC 'Rewriter shared library path' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) attributeTypes: ( 2.16.840.1.113730.3.1.2368 NAME 'nsslapd-filterrewriter' DESC 'Filter rewriter function name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) attributeTypes: ( 2.16.840.1.113730.3.1.2369 NAME 'nsslapd-returnedAttrRewriter' DESC 'Returned attribute rewriter function name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) +attributeTypes: ( 2.16.840.1.113730.3.1.2370 NAME 'nsslapd-enable-upgrade-hash' DESC 'Upgrade password hash on bind' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) # # objectclasses #
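Review bot: the new attributeTypes line for nsslapd-enable-upgrade-hash is the only change in the diffstat (1 file changed, 1 insertion), so nothing verifies the behaviour the commit message depends on, namely that a schema read of cn=schema now reports the attribute as SINGLE-VALUE and that the server rejects a second value on cn=config with an objectClass violation; a small lib389 test asserting both would guard against the FreeIPA MOD_REPLACE/MOD_DELETE+MOD_ADD regression described above. The definition itself is consistent with its neighbours in the hunk: OID 2.16.840.1.113730.3.1.2370 continues the 2367/2368/2369 sequence shown in the context lines, and DirectoryString syntax (1.3.6.1.4.1.1466.115.121.1.15) rather than Boolean matches the other nsslapd-* on/off attributes defined the same way, so no objection there. One documentation point: the DESC 'Upgrade password hash on bind' does not say what the accepted values are; since the commit message states FreeIPA must set it to off, stating the on/off values in the DESC (or in the referenced issue) would make the schema self-describing for clients that read it.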
389-commits@lists.fedoraproject.org