389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

passwordHistory is not updated with a pre-hashed password #6092

Open jchapma opened 7 months ago

jchapma commented 7 months ago

Issue Description

passwordHistory is not updated with a pre-hashed password

Package Version and Platform:

Steps to Reproduce

  1. Enable pwdhistory and nsslapd-allow-hashed-passwords
    sudo dsconf -D cn=dm  -b "dc=example,dc=com" -w password inst01 pwpolicy set --pwdhistory on
    sudo dsconf -D cn=dm  -b "dc=example,dc=com" -w password inst01 config replace nsslapd-allow-hashed-passwords=on
  2. Create an ACI to allow users to change their password
    ldapmodify -x -D cn=dm -H ldap://localhost:389 -w password  << 'EOF'
    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="userpassword || passwordHistory")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)
    EOF
  3. Create a hashed password
    pwdhash -s PBKDF2_SHA256 supersecretpassword
  4. Update a user's password as a regular user
    ldapmodify -D uid=test_user,ou=people,dc=example,dc=com -H ldap://localhost:389 -w password << 'EOF'
    dn: uid=jamie,ou=people,dc=example,dc=com
    changetype: modify
    replace: userpassword
    userpassword: {PBKDF2_SHA256}AAAgADbVmRsA75ralHYSVQ9gE5ZrYifmIztk+8as2HHUPbbNP2kZtT+rXFHVUJ3d3X3uVezNoYQ88Hjj2IXqopu0trckhUg1tspv2+di0I1wGmytJGpLn+/t4GdtHp/FrI/vDZLMKxnc6PlJVkKdHZa3H1ny1dsMlo0gf4y9Mm3hPfM8Mfbf6QH2V/03gCFzjmhJB85xKJpidwGt5CMb0kQ33FtCgrZLKQBQB4K6sQa4WyRevwxZ1u0/FTSTuGjVWUIsP7QE602a9fJtBGW1dXhn92aUP8mRmx+RBOdik+mHvTwa+RTqc8S9PEy5KwCCn3dAJiIkso9EiwI2Mt+it391IxDD3ndK7H9LlwIMqVR3AgVBMKDdH6ibE1oDAsEd5X68fve5FcJtAQJ46dlltHaH3IdmfYqIP+U36UMbX15grifj
    EOF
  5. Display the user's password history
    ldapsearch -D "cn=dm"  -H ldap://localhost:389 -w password -b "uid=jamie,ou=people,dc=example,dc=com" passwordHistory

Actual results

No password history for user

Expected results

Password change history for user
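
A check for the output of step 5, as an added example that is not part of the original issue or of 389-ds-base: it parses `ldapsearch` LDIF and lists the entries that came back with no passwordHistory value, which is the symptom reported above. The sample LDIF is constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample of `ldapsearch ... passwordHistory` output (not from the issue).
# History values are placeholders; only the attribute's presence matters here.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=alice,ou=people,dc=example,dc=com
passwordHistory: 20240101000000Z{PBKDF2_SHA256}AAAA
 BBBB
passwordHistory: 20240201000000Z{PBKDF2_SHA256}CCCC

dn: uid=jamie,ou=people,dc=example,dc=com

search: 2
result: 0 Success
"""


def unfold(ldif_text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def history_counts(ldif_text):
    """Map each entry DN to the number of passwordHistory values it carries."""
    counts, dn = {}, None
    for line in unfold(ldif_text):
        attr, sep, rest = line.partition(":")
        if not line.strip() or line.startswith("#") or not sep:
            dn = None if not line.strip() else dn  # a blank line ends the entry
            continue
        if rest.startswith(":"):  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
            counts[dn] = 0
        elif attr.lower() == "passwordhistory" and dn is not None:
            counts[dn] += 1
    return counts


def missing_history(ldif_text):
    """DNs returned by the search that have no passwordHistory value at all."""
    return sorted(dn for dn, n in history_counts(ldif_text).items() if n == 0)
```

Running `missing_history` over the output of the step 5 search after a pre-hashed password change gives a regression check for this issue: the changed entry should no longer appear in the result once the fix is applied.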

jchapma commented 5 months ago

    ca378867c..05ea98212 389-ds-base-3.0 -> 389-ds-base-3.0
    3f74a6603..5c2fef262 389-ds-base-2.5 -> 389-ds-base-2.5
    6586fbe6e..f08f00841 389-ds-base-2.4 -> 389-ds-base-2.4
    93d456d6f..04254a021 389-ds-base-2.3 -> 389-ds-base-2.3
    8ec72791f..9366eddc9 389-ds-base-2.2 -> 389-ds-base-2.2
    c8407c10b..e78e79375 389-ds-base-2.1 -> 389-ds-base-2.1
    0c496fe7d..635fdda8e 389-ds-base-2.0 -> 389-ds-base-2.0
    eccd7a314..ab2e2327a 389-ds-base-1.4.4 -> 389-ds-base-1.4.4
    afcae9185..ce4a5540b 389-ds-base-1.4.3 -> 389-ds-base-1.4.3