From 1a192048a49fcdfa8bcfe79e2fa86153b339fac1 Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Tue, 13 Dec 2022 17:00:28 -0500

Subject: [PATCH 2/2] Issue 5565 - Change default password storage scheme

Descriptrion:  Becuase of replication we need to use a default storage scheme

that works on 389-ds-base-1.3.10

relates: https://github.com/389ds/389-ds-base/issues/5565

Reviewed by: spichugi & firstyear(thanks!!)

---

 .../tests/suites/healthcheck/health_security_test.py      | 8 ++++----

 dirsrvtests/tests/suites/password/pwp_test.py             | 2 +-

 ldap/servers/slapd/pw.c                                   | 3 ++-

 src/lib389/lib389/config.py                               | 2 +-

 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/dirsrvtests/tests/suites/healthcheck/health_security_test.py b/dirsrvtests/tests/suites/healthcheck/health_security_test.py

index 519107365..d14b52c7a 100644

--- a/dirsrvtests/tests/suites/healthcheck/health_security_test.py

+++ b/dirsrvtests/tests/suites/healthcheck/health_security_test.py

@@ -1,5 +1,5 @@

 # --- BEGIN COPYRIGHT BLOCK ---

-# Copyright (C) 2020 Red Hat, Inc.

+# Copyright (C) 2022 Red Hat, Inc.

 # All rights reserved.

 #

 # License: GPL (version 3 or any later version).

@@ -113,9 +113,9 @@ def test_healthcheck_insecure_pwd_hash_configured(topology_st):

         standalone.config.set('passwordStorageScheme', 'SSHA512')

         standalone.config.set('nsslapd-rootpwstoragescheme', 'SSHA512')

     else:

-        log.info('Set passwordStorageScheme and nsslapd-rootpwstoragescheme to PBKDF2-SHA512')

-        standalone.config.set('passwordStorageScheme', 'PBKDF2-SHA512')

-        standalone.config.set('nsslapd-rootpwstoragescheme', 'PBKDF2-SHA512')

+        log.info('Set passwordStorageScheme and nsslapd-rootpwstoragescheme to PBKDF2_SHA256')

+        standalone.config.set('passwordStorageScheme', 'PBKDF2_SHA256')

+        standalone.config.set('nsslapd-rootpwstoragescheme', 'PBKDF2_SHA256')

     run_healthcheck_and_flush_log(topology_st, standalone, json=False, searched_code=CMD_OUTPUT)

     run_healthcheck_and_flush_log(topology_st, standalone, json=True, searched_code=JSON_OUTPUT)

diff --git a/dirsrvtests/tests/suites/password/pwp_test.py b/dirsrvtests/tests/suites/password/pwp_test.py

index ce45bc364..190881222 100644

--- a/dirsrvtests/tests/suites/password/pwp_test.py

+++ b/dirsrvtests/tests/suites/password/pwp_test.py

@@ -27,7 +27,7 @@ else:

     if is_fips():

         DEFAULT_PASSWORD_STORAGE_SCHEME = 'SSHA512'

     else:

-        DEFAULT_PASSWORD_STORAGE_SCHEME = 'PBKDF2-SHA512'

+        DEFAULT_PASSWORD_STORAGE_SCHEME = 'PBKDF2_SHA256'

 def _create_user(topo, uid, cn, uidNumber, userpassword):

diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c

index 825498858..566ba87dd 100644

--- a/ldap/servers/slapd/pw.c

+++ b/ldap/servers/slapd/pw.c

@@ -280,7 +280,8 @@ pw_name2scheme(char *name)

         } else {

             /* if not, let's setup pbkdf2 */

 #ifdef RUST_ENABLE

-            char *pbkdf = "PBKDF2-SHA512";

+            /* until 1.3.10 supports Rust hashers we can't use PBKDF2-SHA512 by default */

+            char *pbkdf = "PBKDF2_SHA256";

 #else

             char *pbkdf = "PBKDF2_SHA256";

 #endif

diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py

index c7abdf778..c178eb02f 100644

--- a/src/lib389/lib389/config.py

+++ b/src/lib389/lib389/config.py

@@ -209,7 +209,7 @@ class Config(DSLdapObject):

             yield report

     def _lint_passwordscheme(self):

-        allowed_schemes = ['SSHA512', 'PBKDF2-SHA512', 'GOST_YESCRYPT']

+        allowed_schemes = ['SSHA512', 'PBKDF2_SHA256', 'GOST_YESCRYPT']

         u_password_scheme = self.get_attr_val_utf8('passwordStorageScheme')

         u_root_scheme = self.get_attr_val_utf8('nsslapd-rootpwstoragescheme')

         if u_root_scheme not in allowed_schemes or u_password_scheme not in allowed_schemes:

-- 

2.38.1