rpms
/
389-ds-base
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '67e21fad93'
${ noResults }
389-ds-base/SOURCES/0004-Issue-5825-healthcheck...

75 lines
3.4 KiB
Raw Blame History

From a490d2428223b6409c0067ddb21936a1a7797cdd Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 5 Jul 2023 13:52:50 -0400
Subject: [PATCH 04/11] Issue 5825 - healthcheck - password storage scheme
warning needs more info
Description: Add the current/insecure scheme to the report, and state which
config setting is insecure.
relates: https://github.com/389ds/389-ds-base/issues/5825
Reviewed by: jchapman & spichugi(Thanks!!)
---
src/lib389/lib389/config.py | 13 ++++++++++++-
src/lib389/lib389/lint.py | 10 +++-------
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py
index b1a474ebe..81bf8ec66 100644
--- a/src/lib389/lib389/config.py
+++ b/src/lib389/lib389/config.py
@@ -214,9 +214,20 @@ class Config(DSLdapObject):
allowed_schemes = ['PBKDF2-SHA512', 'PBKDF2_SHA256', 'PBKDF2_SHA512', 'GOST_YESCRYPT']
u_password_scheme = self.get_attr_val_utf8('passwordStorageScheme')
u_root_scheme = self.get_attr_val_utf8('nsslapd-rootpwstoragescheme')
- if u_root_scheme not in allowed_schemes or u_password_scheme not in allowed_schemes:
+ if u_root_scheme not in allowed_schemes:
report = copy.deepcopy(DSCLE0002)
+ report['detail'] = report['detail'].replace('SCHEME', u_root_scheme)
+ report['detail'] = report['detail'].replace('CONFIG', 'nsslapd-rootpwstoragescheme')
report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)
+ report['fix'] = report['fix'].replace('CONFIG', 'nsslapd-rootpwstoragescheme')
+ report['check'] = "config:passwordscheme"
+ yield report
+ if u_password_scheme not in allowed_schemes:
+ report = copy.deepcopy(DSCLE0002)
+ report['detail'] = report['detail'].replace('SCHEME', u_password_scheme)
+ report['detail'] = report['detail'].replace('CONFIG', 'passwordStorageScheme')
+ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)
+ report['fix'] = report['fix'].replace('CONFIG', 'passwordStorageScheme')
report['check'] = "config:passwordscheme"
yield report
diff --git a/src/lib389/lib389/lint.py b/src/lib389/lib389/lint.py
index 7ca524315..475ab08bd 100644
--- a/src/lib389/lib389/lint.py
+++ b/src/lib389/lib389/lint.py
@@ -97,20 +97,16 @@ verify, as this adds a cost of work to an attacker.
In Directory Server, we offer one hash suitable for this (PBKDF2-SHA512) and one hash
for "legacy" support (SSHA512).
-Your configuration does not use these for password storage or the root password storage
-scheme.
+Your configured scheme (SCHEME) for 'CONFIG' is not secure
""",
'fix': """Perform a configuration reset of the values:
-passwordStorageScheme
-nsslapd-rootpwstoragescheme
-
-IE, stop Directory Server, and in dse.ldif delete these two lines. When Directory Server
+IE, stop Directory Server, and in dse.ldif delete this line (CONFIG). When Directory Server
is started, they will use the server provided defaults that are secure.
You can also use 'dsconf' to replace these values. Here is an example:
- # dsconf slapd-YOUR_INSTANCE config replace passwordStorageScheme=PBKDF2-SHA512 nsslapd-rootpwstoragescheme=PBKDF2-SHA512"""
+ # dsconf slapd-YOUR_INSTANCE config replace CONFIG=PBKDF2-SHA512"""
}
DSCLE0003 = {
--
2.41.0
Reference in new issue View Git Blame Copy Permalink