You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
46 lines
1.7 KiB
46 lines
1.7 KiB
From 3f68ad6ff5aad54f42b51ff69bbc9cb465366096 Mon Sep 17 00:00:00 2001
|
|
From: Mark Reynolds <mreynolds@redhat.com>
|
|
Date: Thu, 20 Jul 2023 16:23:35 -0400
|
|
Subject: [PATCH 07/11] Issue 5825 - healthcheck - update allowed password
|
|
schemes for fips mode
|
|
|
|
Description:
|
|
|
|
In 1.4.3 in fips mode should allow SSHA512 as not all 1.4.3 released versions
|
|
support the new Rust password hashers.
|
|
|
|
relates: https://github.com/389ds/389-ds-base/issues/5825
|
|
|
|
Reviewed by: spichugi(Thanks!)
|
|
---
|
|
src/lib389/lib389/config.py | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py
|
|
index 81bf8ec66..a24fe95fc 100644
|
|
--- a/src/lib389/lib389/config.py
|
|
+++ b/src/lib389/lib389/config.py
|
|
@@ -21,7 +21,7 @@ import ldap
|
|
from lib389._constants import *
|
|
from lib389 import Entry
|
|
from lib389._mapped_object import DSLdapObject
|
|
-from lib389.utils import ensure_bytes, selinux_label_port, selinux_present
|
|
+from lib389.utils import ensure_bytes, selinux_label_port, selinux_present, is_fips
|
|
from lib389.lint import (
|
|
DSCLE0001, DSCLE0002, DSCLE0003, DSCLE0004, DSELE0001
|
|
)
|
|
@@ -212,6 +212,10 @@ class Config(DSLdapObject):
|
|
|
|
def _lint_passwordscheme(self):
|
|
allowed_schemes = ['PBKDF2-SHA512', 'PBKDF2_SHA256', 'PBKDF2_SHA512', 'GOST_YESCRYPT']
|
|
+ if is_fips():
|
|
+ # Not all RHEL 8 servers support the Rust password hashers so we
|
|
+ # need to allow SSHA512 in fips mode
|
|
+ allowed_schemes.append('SSHA512')
|
|
u_password_scheme = self.get_attr_val_utf8('passwordStorageScheme')
|
|
u_root_scheme = self.get_attr_val_utf8('nsslapd-rootpwstoragescheme')
|
|
if u_root_scheme not in allowed_schemes:
|
|
--
|
|
2.41.0
|
|
|