[Fedora-directory-devel] Please Review: (207893) importing users with crypted passwords results in a AD->DS sync loop
Nathan Kinder
nkinder at redhat.com
Fri Aug 24 22:22:24 UTC 2007
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207893
Resolves: bug 207893
Bug Description: Adding a pre-hashed password to DS when using Windows Password Synchronization will trigger a loop condition of password updates. The DS will send the hashed password to AD, which thinks it's clear-text. AD stores the password, attempts to bind to DS using the hash (which of course fails), so it sends the hashed password back to DS. This goes round and round.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: This fix first checks if there is a password storage scheme at the beginning of the userpassword attribute value before syncing it. If there is a storage scheme present, a message is logged at the replication logging level that this hashed password is being skipped instead of just trying to sync it.
If someone adds a password with the clear prefix on it to DS (such as "{clear}secret"), we will detect that and strip off the "{clear}" prefix before sending it to AD. All other passwords that start with the "{" character and contain the "}" character somewhere else in the password will be considered to be already hashed.
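The classification rule described above, written out as a stand-alone example. This is added illustration, not the patch itself or any Directory Server source: the enum, function names and the assumption that scheme names such as "{CLEAR}" compare case-insensitively are mine, and the sample values in main() are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* What the sync code should do with a userpassword value (hypothetical names). */
typedef enum {
    PW_SYNC_CLEAR,   /* plain clear-text: send it to AD unchanged */
    PW_SYNC_STRIP,   /* "{clear}..." prefix: send only the part after "}" */
    PW_SKIP_HASHED   /* any other "{scheme}..." prefix: already hashed, do not sync */
} pw_action_t;

/* Case-insensitive comparison of a scheme name of known length. */
static int scheme_is(const char *s, size_t len, const char *name)
{
    size_t i;
    if (strlen(name) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Inspect a userpassword value before it is sent to AD.
 * On PW_SYNC_CLEAR or PW_SYNC_STRIP, *out points at the clear-text to send;
 * on PW_SKIP_HASHED, *out is NULL and the caller should only log. */
pw_action_t classify_userpassword(const char *value, const char **out)
{
    const char *close;
    size_t scheme_len;

    *out = NULL;
    if (value == NULL || *value == '\0')
        return PW_SKIP_HASHED;

    /* No leading "{", or no "}" anywhere after it: treat as clear-text. */
    if (value[0] != '{' || (close = strchr(value + 1, '}')) == NULL) {
        *out = value;
        return PW_SYNC_CLEAR;
    }

    scheme_len = (size_t)(close - (value + 1));
    /* Assumption: "{clear}" is matched regardless of case. */
    if (scheme_is(value + 1, scheme_len, "clear")) {
        *out = close + 1;
        return PW_SYNC_STRIP;
    }

    /* "{" at the start and "}" later on: a storage scheme, so already hashed. */
    return PW_SKIP_HASHED;
}

int main(void)
{
    /* Constructed sample values, not real account data. */
    const char *samples[] = { "secret", "{clear}secret", "{CLEAR}secret",
                              "{SSHA}c2FsdGVkaGFzaA==", "{oddvalue", "{}" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *out;
        pw_action_t a = classify_userpassword(samples[i], &out);
        if (a == PW_SKIP_HASHED)
            printf("%-26s -> skipped (hashed), logged at replication level\n", samples[i]);
        else
            printf("%-26s -> sync \"%s\"%s\n", samples[i], out,
                   a == PW_SYNC_STRIP ? " (prefix stripped)" : "");
    }
    return 0;
}
```

The skip branch is what breaks the loop: a value that DS already stores hashed is never forwarded, so AD never receives a hash it would treat as clear-text and bounce back.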
Platforms tested: FC6 & Windows 2003 Server
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=172462&action=diff