List:       fedora-directory-devel
Subject:    [Fedora-directory-devel] Please Review: (207893) importing users
From:       Nathan Kinder <nkinder () redhat ! com>
Date:       2007-08-24 22:22:24
Message-ID: 46CF5A20.7090504 () redhat ! com

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207893
Resolves: bug 207893
Bug Description: Adding a pre-hashed password to DS when using Windows Password
  Synchronization will trigger a loop condition of password updates.  The DS will
  send the hashed password to AD, which thinks it's clear-text.  AD stores the
  password, attempts to bind to DS using the hash (which of course fails), so it
  sends the hashed password back to DS.  This goes round and round.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: This fix first checks if there is a password storage scheme at
  the beginning of the userpassword attribute value before syncing it.  If there
  is a storage scheme present, a message is logged at the replication logging level
  that this hashed password is being skipped instead of just trying to sync it.

  If someone adds a password with the clear prefix on it to DS (such as
  "{clear}secret"), we will detect that and strip off the "{clear}" prefix before
  sending it to AD.  All other passwords that start with the "{" character and
  contain the "}" character somewhere else in the password will be considered to
  be already hashed.
Platforms tested: FC6 & Windows 2003 Server
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=172462&action=diff

--
Fedora-directory-devel mailing list
Fedora-directory-devel@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
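
The classification rule from the Fix Description above, written out as an added example; this is not the code from the attached diff or from the Directory Server source. The function name, the enum and the case-insensitive match on "{clear}" are assumptions, and the sample values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pw_sync_action { PW_SYNC_SEND, PW_SYNC_SKIP };

/* Hypothetical helper: decide whether a userPassword value may be synced.
 * On PW_SYNC_SEND, *clear points at the clear-text to send (inside value).
 * On PW_SYNC_SKIP, *clear is NULL; the caller logs the skip and moves on. */
enum pw_sync_action classify_password_for_sync(const char *value, const char **clear)
{
    static const char clear_prefix[] = "{clear}";
    const size_t plen = sizeof(clear_prefix) - 1;
    size_t i;
    *clear = NULL;
    if (value == NULL)
        return PW_SYNC_SKIP;              /* nothing to sync */
    if (value[0] != '{') {                /* no scheme prefix: plain clear-text */
        *clear = value;
        return PW_SYNC_SEND;
    }
    /* "{clear}" prefix, matched case-insensitively (an assumption here). */
    for (i = 0; i < plen; i++)
        if (tolower((unsigned char)value[i]) != clear_prefix[i])
            break;
    if (i == plen) {
        *clear = value + plen;            /* strip the prefix before sending */
        return PW_SYNC_SEND;
    }
    /* Starts with '{' and has a '}' later: treated as already hashed. */
    if (strchr(value + 1, '}') != NULL)
        return PW_SYNC_SKIP;
    *clear = value;                       /* '{' with no closing '}' */
    return PW_SYNC_SEND;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    const char *samples[] = { "secret", "{clear}secret", "{SSHA}constructed-hash",
                              "{my}password", "{nobrace" };
    const char *clear;
    size_t n;
    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        int skip = classify_password_for_sync(samples[n], &clear) == PW_SYNC_SKIP;
        printf("%-24s -> %s\n", samples[n], skip ? "skip (treated as hashed)" : clear);
    }
    return 0;
}
```

Under this rule a clear-text password that itself has the shape "{my}password" is classified as hashed and is not synced; writing it as "{clear}{my}password" makes the intent explicit.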
