Hi,
I recently upgraded my system from RHEL7 to RHEL8, together with 389ds. Apparently this has caused to upgrade the storage scheme of the user passwords to PBKDF2_SHA256. Everything works fine except freeradius does not support this storage scheme at the moment.
How can I downgrade the storage scheme in 389ds to something that is supported by freeradius in such a way, that doesn't force my users to change their passwords?
Thanks: Laszlo
On 9/22/20 3:42 AM, Tornóci László wrote:
Hi,
I recently upgraded my system from RHEL7 to RHEL8, together with 389ds. Apparently this has caused to upgrade the storage scheme of the user passwords to PBKDF2_SHA256. Everything works fine except freeradius does not support this storage scheme at the moment.
How can I downgrade the storage scheme in 389ds to something that is supported by freeradius in such a way, that doesn't force my users to change their passwords?
Well first you need to change the scheme in cn=config to something like:
passwordStorageScheme: SSHA512
But if passwords are already in PBKDF2, then you will have to reset those passwords. There is no undoing it without a full reset of the password at this time.
HTH,
Mark
Thanks: Laszlo _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Hi,
On 9/22/20 6:23 PM, Mark Reynolds wrote:
On 9/22/20 3:42 AM, Tornóci László wrote:
Hi,
I recently upgraded my system from RHEL7 to RHEL8, together with 389ds. Apparently this has caused to upgrade the storage scheme of the user passwords to PBKDF2_SHA256. Everything works fine except freeradius does not support this storage scheme at the moment.
How can I downgrade the storage scheme in 389ds to something that is supported by freeradius in such a way, that doesn't force my users to change their passwords?
Well first you need to change the scheme in cn=config to something like:
passwordStorageScheme: SSHA512
But if passwords are already in PBKDF2, then you will have to reset those passwords. There is no undoing it without a full reset of the password at this time.
Yes, that's what the docs say, but a simple bind seems to be enough for me. I tested this and actually I could go back and forth between storage schemes using a simple bind. I am very happy with 389ds, its saved my ass...
Laszlo
HTH,
Mark
Thanks: Laszlo _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
On 9/22/20 12:33 PM, Tornóci László wrote:
Hi,
On 9/22/20 6:23 PM, Mark Reynolds wrote:
On 9/22/20 3:42 AM, Tornóci László wrote:
Hi,
I recently upgraded my system from RHEL7 to RHEL8, together with 389ds. Apparently this has caused to upgrade the storage scheme of the user passwords to PBKDF2_SHA256. Everything works fine except freeradius does not support this storage scheme at the moment.
How can I downgrade the storage scheme in 389ds to something that is supported by freeradius in such a way, that doesn't force my users to change their passwords?
Well first you need to change the scheme in cn=config to something like:
passwordStorageScheme: SSHA512
But if passwords are already in PBKDF2, then you will have to reset those passwords. There is no undoing it without a full reset of the password at this time.
Yes, that's what the docs say, but a simple bind seems to be enough for me. I tested this and actually I could go back and forth between storage schemes using a simple bind.
In newer versions we do have a "update password on bind", but I didn't think it was in that version and I wasn't sure if it downgraded schemes. I guess it does :-)
I am very happy with 389ds, its saved my ass...
Great, we really appreciate that!
Cheers,
Mark
Laszlo
HTH,
Mark
Thanks: Laszlo _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
passwordStorageScheme: SSHA512
But if passwords are already in PBKDF2, then you will have to reset those passwords. There is no undoing it without a full reset of the password at this time.
Yes, that's what the docs say, but a simple bind seems to be enough for me. I tested this and actually I could go back and forth between storage schemes using a simple bind.
In newer versions we do have a "update password on bind", but I didn't think it was in that version and I wasn't sure if it downgraded schemes. I guess it does :-)
It "updates" to the current default scheme, which if you haven't defined will be PBKDF2, so for most sites it's an "upgrade". But as you note, if you over-ride this and set your own scheme, on bind, yes it will "downgrade" to the type you need. IIRC there is actually a test for that exact use case in the integration test suites ...
I am very happy with 389ds, its saved my ass...
Great, we really appreciate that!
Awesome! If you have more questions we'd love to hear them :)
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia
Hi,
On 9/22/20 9:42 AM, Tornóci László wrote:
Hi,
I recently upgraded my system from RHEL7 to RHEL8, together with 389ds. Apparently this has caused to upgrade the storage scheme of the user passwords to PBKDF2_SHA256. Everything works fine except freeradius does not support this storage scheme at the moment.
How can I downgrade the storage scheme in 389ds to something that is supported by freeradius in such a way, that doesn't force my users to change their passwords?
In the meantime I figured out the answer to my question. I can change the default password storage scheme like this (this is global policy):
dsconf INSTANCENAME pwpolicy set --pwdscheme PWDSCHEME
This way I reverted to another scheme that freeradius understands. When a user performs a bind, the userPassword will be overwritten using the new default scheme. So no password change is necessary, only a bind :-) This is on RHEL8, 389-ds-base-1.4.2.4-8
Laszlo
Thanks: Laszlo _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users@lists.fedoraproject.org