This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.4.1
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.1 by this push:
new b6cb5b2 Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
b6cb5b2 is described below
commit b6cb5b2e84b4b812d696db02b7004f4781236e4b
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri May 8 15:05:25 2020 -0400
Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
Description:
FreeIPA LDAP update code relies on the schema retrieval when
deciding what to do with values of single-valued LDAP attributes.
In the case the attribute is single-valued and some value was present
in the original entry for this attribute, it would use MOD_REPLACE.
Otherwise, it uses MOD_DELETE + MOD_ADD.
Many attributes used in cn=config entries have no formal schema
defined. Since by default an attribute is multi-valued, this fails
the logic above for actual single-valued attributes, like
nsslapd-enable-upgrade-hash. It means FreeIPA has to write special
logic to handle just this attribute.
It would be good to expose schema for nsslapd-enable-upgrade-hash.
We need to change its value to off in all FreeIPA installations
because ipa-pwd-extop plugin prevents hashed passwords in updates
due to a need to regenerate Kerberos hashes on a password change.
It means an upgrade of a password hash on LDAP bind will never work
in FreeIPA.
Note - this does move us closer to our goal of adding all the
configuration attributes to the schema.
fixes:
https://pagure.io/389-ds-base/issue/51078
Reviewed by: mreynolds (one line commit rule)
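The MOD_REPLACE versus MOD_DELETE + MOD_ADD decision described in the commit message, as an added example that is not FreeIPA's or 389-ds-base's code: it reads the SINGLE-VALUE flag out of RFC 4512 attributeTypes strings (the definition this commit adds, plus a constructed multi-valued one) and shows how an attribute missing from the schema falls back to the delete-and-add path. The function names, the sample definitions and the modlist tuple shape are assumptions.

```python
import re

# Constructed attributeTypes values standing in for the result of a cn=schema search:
# the definition added by this commit, plus a hypothetical multi-valued attribute
# with two names to exercise the NAME ( 'a' 'b' ) form.
SCHEMA_DEFS = [
    "( 2.16.840.1.113730.3.1.2370 NAME 'nsslapd-enable-upgrade-hash' "
    "DESC 'Upgrade password hash on bind' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
    "SINGLE-VALUE X-ORIGIN '389 Directory Server' )",
    "( 1.2.3.4.5 NAME ( 'exampleMulti' 'exMulti' ) DESC 'constructed example' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

# NAME is either a single quoted qdescr or a parenthesised list of them (RFC 4512 4.1.2).
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def single_valued_attrs(defs):
    """Map every attribute name and alias (lower-cased) to its SINGLE-VALUE flag."""
    result = {}
    for definition in defs:
        match = _NAME_RE.search(definition)
        if not match:
            continue  # malformed definition: skip rather than guess
        if match.group(1):
            names = [match.group(1)]
        else:
            names = re.findall(r"'([^']+)'", match.group(2))
        # SINGLE-VALUE is a bare keyword; its absence means multi-valued by default.
        flag = re.search(r"\bSINGLE-VALUE\b", definition) is not None
        for name in names:
            result[name.lower()] = flag
    return result


def plan_modify(schema, attr, existing_values, new_value):
    """Return modlist tuples (op, attr, values) for setting attr to new_value.

    An attribute absent from the schema is treated as multi-valued, which is exactly
    the situation the commit message describes for unpublished cn=config attributes.
    """
    is_single = schema.get(attr.lower(), False)
    if is_single and existing_values:
        return [("MOD_REPLACE", attr, [new_value])]
    mods = []
    if existing_values:  # assumption: skip MOD_DELETE when there is nothing to delete
        mods.append(("MOD_DELETE", attr, list(existing_values)))
    mods.append(("MOD_ADD", attr, [new_value]))
    return mods
```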
---
ldap/schema/01core389.ldif | 1 +
1 file changed, 1 insertion(+)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index f4123f2..24e81f9 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -314,6 +314,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2353 NAME
'nsslapd-encryptionalgorithm'
attributeTypes: ( 2.16.840.1.113730.3.1.2084 NAME 'nsSymmetricKey' DESC 'A
symmetric key - currently used by attribute encryption' SYNTAX
1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'attribute encryption' )
attributeTypes: ( 2.16.840.1.113730.3.1.2364 NAME
'nsds5replicaLastInitStatusJSON' DESC 'Netscape defined attribute type'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN
'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2365 NAME
'nsds5replicaLastUpdateStatusJSON' DESC 'Netscape defined attribute type'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN
'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2370 NAME 'nsslapd-enable-upgrade-hash'
DESC 'Upgrade password hash on bind' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE X-ORIGIN '389 Directory Server' )
#
# objectclasses
#
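Review bot: the added attributeTypes entry for 'nsslapd-enable-upgrade-hash' at the end of the hunk comes with no test of the behaviour the commit message sets out to fix (that a client reading cn=schema sees SINGLE-VALUE for this attribute and can therefore use MOD_REPLACE); a test that fetches the definition from cn=schema and asserts the SINGLE-VALUE flag would guard against the entry being dropped or mistyped later. The DESC 'Upgrade password hash on bind' does not state the accepted values, and with SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (Directory String) nothing in the schema constrains them, so naming the 'off' value the commit message refers to in DESC would help clients. Minor: X-ORIGIN '389 Directory Server' differs from the neighbouring entries' 'Netscape Directory Server'; either is fine, but the file now mixes both.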
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.