Closed 389-ds-bot closed 4 years ago
Comment from nhosoi (@nhosoi) at 2012-06-25 23:56:41
Note: this problem is temporarily observed. Once the server is restarted and the unhashed password is no longer stored in the entry in memory, the userpassword could be successfully removed. $ ldapmodify -x ... dn: uid=tuser1, o=my.com changetype: modify delete: userpassword userpassword: {SSHA}zWIkZAgHamvu9fw6w26JHerN5HfEkobJ/TRN+g==
modifying entry uid=tuser1, o=my.com
Comment from rmeggins (@richm) at 2012-08-14 19:57:05
set default ticket origin to Community
Comment from nkinder (@nkinder) at 2012-08-28 04:14:55
Added initial screened field value.
Comment from nhosoi (@nhosoi) at 2012-11-15 01:37:24
I reran the test...
I see "No such attribute" (as expected) if the password storage scheme is non-clear (e.g., SSHA).
$ ldapmodify ...
dn: uid=tuser0,o=my.com
changetype: modify
delete: userpassword
userpassword: tuser0
modifying entry uid=tuser0,o=my.com
ldap_modify: No such attribute
If I set clear to password storage scheme, the deletion works fine.
$ ldapmodify ...
dn: uid=tuser1,o=my.com
changetype: modify
delete: userpassword
userpassword: tuser1
modifying entry uid=tuser1,o=my.com
}}
This bug was fixed with this ticket.
https://fedorahosted.org/389/ticket/455
Comment from nhosoi (@nhosoi) at 2012-11-15 03:10:53
Bug Description: Attempting to delete an existing, encoded, password using
the clear text password fails with an error 16 (no such attribute)
Fix Description: If performing a delete of a specific userpassword, check the existing
password values for their encoding. Then encode the clear text password
for comparision, and the delete the match.
May I ask what behaviours does your patch changes?
If the userpassword is hashed by, e.g., SSHA, you can now delete the specific password with the password string? (Or it still fails, but you can get a better error message?)
And I'm curious why these lines are not necessary any more?
841 /* delete pseudo password attribute if it exists in the entry */
842 if (!slapi_entry_attr_find(e, unhashed_pw_attr, &a)) {
843 slapi_mods_add_mod_values(&smods, pw_mod->mod_op,
844
Comment from mreynolds (@mreynolds389) at 2012-11-15 03:17:55
The patch now allows you to use the clear text password to delete the encoded one in the entry.
As for the removed code... I don't see unhashed_userpassword in the entry after adding/replacing userpassword, and you implied that was expected. I asked you to double check and you said it was ok. So I removed that code.
Comment from nhosoi (@nhosoi) at 2012-11-15 03:34:32
Replying to [comment:8 mreynolds389]:
The patch now allows you to use the clear text password to delete the encoded one in the entry.
As for the removed code... I don't see unhashed_userpassword in the entry after adding/replacing userpassword, and you implied that was expected. I asked you to double check and you said it was ok. So I removed that code.
Now the unhashed userpassword is stashed in the entry object extension. In case the entry in the entry cache has it and we delete a specified password, we want to delete the stashed unhashed userpassword, too. To do so, mods need to have the operation, I think.
Comment from mreynolds (@mreynolds389) at 2012-11-15 20:05:46
Replying to [comment:9 nhosoi]:
Replying to [comment:8 mreynolds389]:
The patch now allows you to use the clear text password to delete the encoded one in the entry.
As for the removed code... I don't see unhashed_userpassword in the entry after adding/replacing userpassword, and you implied that was expected. I asked you to double check and you said it was ok. So I removed that code.
Now the unhashed userpassword is stashed in the entry object extension. In case the entry in the entry cache has it and we delete a specified password, we want to delete the stashed unhashed userpassword, too. To do so, mods need to have the operation, I think.
I still have the original code that cleaned up the unhashed userpassword, so I'll add it back in. I'll send the new patch out shortly.
Comment from mreynolds (@mreynolds389) at 2012-11-20 03:17:59
Added the password extension changes 0001-Ticket-394-modify-delete-userpassword.patch
Comment from mreynolds (@mreynolds389) at 2012-11-20 03:54:39
git merge ticket394 Updating 32ab01f..ecf3cc3 Fast-forward ldap/servers/slapd/modify.c | 170 ++++++++++++++++++++++++++++++++++++++++-- 1 files changed, 161 insertions(+), 9 deletions(-)
[mareynol@localhost ds]$ git push origin master Counting objects: 11, done. Delta compression using up to 4 threads. Compressing objects: 100% (6/6), done. Writing objects: 100% (6/6), 2.77 KiB, done. Total 6 (delta 4), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 32ab01f..ecf3cc3 master -> master
Comment from nkinder (@nkinder) at 2013-03-07 00:12:40
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=918684
Comment from mreynolds (@mreynolds389) at 2017-02-11 22:56:30
Metadata Update from @mreynolds389:
Comment from nkinder (@nkinder) at 2014-01-20 21:37:59
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1053232 (''Red Hat Enterprise Linux 6'')
Comment from mreynolds (@mreynolds389) at 2014-01-21 01:36:59
attachment 0001-Ticket-47678-modify-delete-userpassword.patch
Comment from nhosoi (@nhosoi) at 2014-01-22 22:54:00
Noriko, can you give me the official ack in the ticket?
Sure! My pleasure.
Comment from mreynolds (@mreynolds389) at 2014-01-22 22:59:26
git merge ticket47678 Updating d128dbd..a3b6e22 Fast-forward ldap/servers/slapd/modify.c | 168 ++++++++++++++++++++++++++++++++++-- ldap/servers/slapd/slapi-plugin.h | 11 --- 2 files changed, 158 insertions(+), 21 deletions(-)
git push origin 389-ds-base-1.2.11 Counting objects: 13, done. Delta compression using up to 4 threads. Compressing objects: 100% (7/7), done. Writing objects: 100% (7/7), 2.42 KiB, done. Total 7 (delta 5), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git d128dbd..a3b6e22 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit a3b6e22cec1fb8cb5c55e8b848bec4a60f924849 Author: Mark Reynolds mreynolds389@redhat.com Date: Mon Jan 20 14:36:43 2014 -0500
Comment from nkinder (@nkinder) at 2017-02-11 23:07:04
Metadata Update from @nkinder:
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/394
Steps to duplicate this issue:
delete the userpassword with the value. ldapmodify ... dn: uid=tuser0,ou=People,dc=example,dc=com changetype: modify delete: userpassword userpassword: newpassword
ldap_modify: No such attribute
Internally, the newpassword in the mod has the value:
while the value in the entry is hashed differently.
The failed point:
Next, I tried the returned value from search, then the userPassword value matches the one in the entry.
But, now it fails to delete unhashed#user#password in the entry since it stores the clear text.
We can specially delete the unhashed password without checking the value. But if an entry has multiple userPasswords, it may cause a problem if we cannot delete just one of them... Even if we stash the clear text passwords in the extension (as I'm working on it now), we still have the same problem. Probably, the right thing to do would be letting modify-delete take a clear text password and we should match the passwords considering the hash?