389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

Unhashed userpassword can accidentally get removed from mods #756

Closed 389-ds-bot closed 4 years ago

389-ds-bot commented 4 years ago

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47419


An issue was encountered with FreeIPA where mods for the unhashed#user#password attribute are removed from the mods list before their 389 DS password policy plug-in is called. This plug-in expects the unhashed#user#password mod to be present.

After some investigation, it turns out that we correctly move the cleartext password into an unhashed#user#password mod just before we call the preop plug-ins in modify.c. By the time the FreeIPA password policy plug-in is called, the unhashed#user#password mod has been removed from the list of mods. It turns out that this happens when the FreeIPA UUID plug-in passes the mods out and resets them in the pblock:


```
(gdb) c
Continuing.
[Switching to Thread 0x7f36667e4700 (LWP 1862)]
Hardware watchpoint 7: pb->pb_op->o_params.p.p_modify.modify_mods[9]

Old value = (LDAPMod *) 0x7f36993eb140
New value = (LDAPMod *) 0x0
slapi_ch_free (ptr=ptr@entry=0x7f3699776098) at ldap/servers/slapd/ch_malloc.c:365
365         if(!counters_created)
(gdb) bt
#0  slapi_ch_free (ptr=ptr@entry=0x7f3699776098) at ldap/servers/slapd/ch_malloc.c:365
#1  0x00007f3698929834 in pack_mods (modsp=modsp@entry=0x7f3699a144f0) at ldap/servers/slapd/modutil.c:504
#2  0x00007f369892a01e in slapi_mods_get_ldapmods_passout (smods=0x7f3699a144f0) at ldap/servers/slapd/modutil.c:545
#3  0x00007f368dd16bb1 in ipauuid_pre_op (pb=, modtype=4) at ipa_uuid.c:1180
#4  0x00007f3698936255 in plugin_call_func (list=0x7f369945c080, operation=operation@entry=405, pb=pb@entry=0x7f36999641c0, call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:1453
#5  0x00007f36989363ba in plugin_call_list (pb=0x7f36999641c0, operation=405, list=) at ldap/servers/slapd/plugin.c:1415
#6  plugin_call_plugins (pb=pb@entry=0x7f36999641c0, whichfunction=whichfunction@entry=405) at ldap/servers/slapd/plugin.c:398
#7  0x00007f36989267dd in op_shared_modify (pb=pb@entry=0x7f36999641c0, pw_change=pw_change@entry=1, old_pw=0x0) at ldap/servers/slapd/modify.c:1052
#8  0x00007f3698927db2 in do_modify (pb=0x7f36999641c0) at ldap/servers/slapd/modify.c:415
#9  0x00007f3698df4d58 in connection_threadmain () at ldap/servers/slapd/connection.c:596
#10 0x00007f3696f2ae6d in _pt_root (arg=0x7f3699960ca0) at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:191
#11 0x00007f36968ccc53 in start_thread (arg=0x7f36667e4700) at pthread_create.c:308
#12 0x00007f36965f9ecd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
```

The issue here is that pack_mods() is removing mods for attributes that have the "ignore" flag set. The unhashed#user#password mod has this flag set, so it gets removed. This was caused by the patch for ticket 47391. The unhashed#user#password mod can't be deleted, as it's needed for plug-ins like the FreeIPA password policy plug-in and for the replication changelog.
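The mechanism described above, reduced to a small stand-alone C example (added here, not 389-ds-base's own code): a simplified pack_mods() drops every mod carrying LDAP_MOD_IGNORE, so flagging the unhashed#user#password mod makes it vanish the moment a plug-in packs the list. The LDAPMod struct, the flag values and the attribute names are assumptions for illustration.

```c
#include <string.h>
/* Simplified stand-ins for the server's LDAPMod type and flags. These are
 * assumptions for illustration, not 389-ds-base's real definitions. */
#define LDAP_MOD_REPLACE 0x02
#define LDAP_MOD_IGNORE  0x100   /* "skip this mod" flag set on mods */

typedef struct {
    int         mod_op;    /* operation bits plus flags such as LDAP_MOD_IGNORE */
    const char *mod_type;  /* attribute name */
} LDAPMod;

/* Mimics the behaviour the issue describes: compact the NULL-terminated mods
 * array in place, dropping every mod whose LDAP_MOD_IGNORE bit is set.
 * Returns the number of mods that survive. */
static int pack_mods(LDAPMod **mods)
{
    int out = 0;
    for (int in = 0; mods[in] != NULL; in++) {
        if (mods[in]->mod_op & LDAP_MOD_IGNORE) {
            continue;                       /* the mod is discarded here */
        }
        mods[out++] = mods[in];
    }
    mods[out] = NULL;
    return out;
}

/* Returns 1 if a mod for the given attribute is still in the list. */
static int has_mod(LDAPMod **mods, const char *type)
{
    for (int i = 0; mods[i] != NULL; i++) {
        if (strcmp(mods[i]->mod_type, type) == 0) return 1;
    }
    return 0;
}

/* Builds a userPassword + unhashed#user#password mods list, optionally flags
 * the unhashed mod with LDAP_MOD_IGNORE as the pre-fix code did, packs the
 * list as a plug-in's passout would, and reports whether the unhashed mod
 * is still there for later plug-ins and the replication changelog. */
int unhashed_survives(int flag_unhashed)
{
    LDAPMod pw  = { LDAP_MOD_REPLACE, "userPassword" };
    LDAPMod unh = { LDAP_MOD_REPLACE | (flag_unhashed ? LDAP_MOD_IGNORE : 0),
                    "unhashed#user#password" };
    LDAPMod *mods[3] = { &pw, &unh, NULL };
    pack_mods(mods);
    return has_mod(mods, "unhashed#user#password");
}
```

With the flag set (the pre-fix behaviour) the unhashed mod is gone after packing; without it (the fix) the mod survives.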

389-ds-bot commented 4 years ago

Comment from nhosoi (@nhosoi) at 2013-07-03 04:34:05

git patch file (master) 0001-Ticket-47419-Unhashed-userpassword-can-accidentally-.patch

389-ds-bot commented 4 years ago

Comment from nhosoi (@nhosoi) at 2013-07-03 04:34:42

Bug description: Change made in commit 4305deeaa41ea8703ebb9ea6529790dd609b3060 sets LDAP_MOD_IGNORE to unhashed password in mods once it's stashed in an entry extension. It could be freed any time once pack_mods is called.

Fix description: This patch stops setting LDAP_MOD_IGNORE to unhashed password in mods.

389-ds-bot commented 4 years ago

Comment from nhosoi (@nhosoi) at 2013-07-03 08:05:46

Reviewed by Nathan (Thanks!!)

Pushed to master: commit cce8d346c308f0852aaf6e74775180cb7d8ccfaa
Pushed to 389-ds-base-1.3.1: commit f8fabcb4b4adf8cb0d734c385bcfd115c86ec27c
Pushed to 389-ds-base-1.3.0: commit e1816e836484132ae9053cf48904cbb6f4855f7c

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2013-07-19 00:37:21

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=985013 ("Red Hat Enterprise Linux 7")

389-ds-bot commented 4 years ago

Comment from nhosoi (@nhosoi) at 2017-02-11 22:54:03

Metadata Update from @nhosoi: