[389-users] changelog

Denise Cosso guanaes51 at yahoo.com.br
Tue Jun 4 20:52:49 UTC 2013


Hi,

How do I modify the attribute nsslapd-encryptionalgorithm in CentOS?

Thanks,


Denise
Stop Master servers and set nsslapd-encryptionalgorithm.  The allowed value is AES or 3DES.
   dn: cn=changelog5,cn=config
   [...]
   nsslapd-encryptionalgorithm: AES

--- On Tue, 4/6/13, Rich Megginson <rmeggins at redhat.com> wrote:

From: Rich Megginson <rmeggins at redhat.com>
Subject: Re: [389-users] changelog
To: "Denise Cosso" <guanaes51 at yahoo.com.br>
Date: Tuesday, 4 June 2013, 16:34


    On 06/04/2013 01:26 PM, Denise Cosso wrote:

            Hi, Rich

              CentOS release 6.3 (Final)

              389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
              389-ds-1.2.2-1.el6.noarch
              389-dsgw-1.1.10-1.el6.x86_64
              389-ds-console-1.2.6-1.el6.noarch
              389-ds-console-doc-1.2.6-1.el6.noarch
              389-ds-base-1.2.10.2-20.el6_3.x86_64

    As far as replication goes - you will need to use a security layer
    (SSL, TLS, or GSSAPI) to protect the clear text password on the wire

    As far as encrypting it in the changelog - not sure

              Denise

              --- On Tue, 4/6/13, Rich Megginson <rmeggins at redhat.com> wrote:

                From: Rich Megginson <rmeggins at redhat.com>
                Subject: Re: [389-users] changelog
                To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
                Cc: "Denise Cosso" <guanaes51 at yahoo.com.br>
                Date: Tuesday, 4 June 2013, 16:11

                    On 06/04/2013 12:39 PM, Denise Cosso wrote:

                              Hi,


Description of problem:
When a userPassword is changed in a server with changelog, the hashed password
is logged and also a cleartext pseudo-attribute version.  It looks like this:
change::
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12

This unhashed version is used in winsync where the cleartext version of the
password must be written to the AD.

Now if the DS is involved in replication with another DS, the change will be
replayed exactly as it is logged to the other DS replicas, including the
cleartext pseudo-attribute password.

                    What platform?  What version of 389-ds-base are you using?

                              thanks,

Denise

                      --
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
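An added example, not from the thread or the 389 project: a small audit script a defender can run over an exported changelog or replication LDIF to find records that still carry the cleartext unhashed#user#password pseudo-attribute described above. It parses LDIF records (folded lines and base64 "::" values), reports the DN of each affected record and redacts the value; the sample records, DNs and the function names are constructed for this example.

```python
import base64
import re

# Constructed sample: a changelog-style LDIF dump with two modify records. The
# first mirrors the record quoted in the thread (hashed userPassword plus the
# cleartext unhashed#user#password pseudo-attribute, here base64-encoded).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password:: c2VjcmV0MTI=
-

dn: uid=bob,ou=people,dc=example,dc=com
replace: mail
mail: bob@example.com
-
"""

CLEARTEXT_ATTR = "unhashed#user#password"
ATTR_RE = re.compile(r"^([^:]+)(::?) ?(.*)$")  # attr: value  |  attr:: base64

def parse_ldif_records(text):
    """Return [(dn, [(attr, value), ...])]; unfolds lines, decodes 'attr:: b64'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)  # join folded continuation lines
        attrs = []
        for line in unfolded.splitlines():
            m = ATTR_RE.match(line)
            if not m:
                continue  # "-" mod separator or blank line
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            attrs.append((attr, value))
        dn = next((v for a, v in attrs if a.lower() == "dn"), None)
        records.append((dn, [(a, v) for a, v in attrs if a.lower() != "dn"]))
    return records

def find_cleartext_passwords(text):
    """Return [(dn, redacted_value)] for records carrying the pseudo-attribute."""
    hits = []
    for dn, attrs in parse_ldif_records(text):
        for attr, value in attrs:
            if attr.lower() == CLEARTEXT_ATTR:
                hits.append((dn, "*" * len(value)))  # never echo the secret
    return hits
```

Run against a real dump, a non-empty result means cleartext passwords are sitting in the changelog and will be replayed to every replica exactly as Rich describes, so the transport protection he recommends (SSL, TLS or GSSAPI) is the minimum, with changelog encryption on top.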