authorRich Megginson <rmeggins@redhat.com>2007-09-20 20:27:35 +0000
committerRich Megginson <rmeggins@redhat.com>2007-09-20 20:27:35 +0000
commit52c015609915f9fd7593a71eb72b4677d047d2d8 (patch)
treebf367bf4fd09bfbd26233c9790a279c3d4c093d2 /ldap/servers/plugins
parenta2edd8d2be8d0114ca5d7756ebda91420c0e9d1d (diff)
Resolves: bug 262021
Bug Description: Migration script does not migrate nsDS5ReplicaCredentials correctly. Reviewed by: nhosoi (Thanks!) Fix Description: We still need to be able to decrypt passwords using the broken method. I guess it works on Solaris and HP because the values are already in network byte order. But when the values were encrypted on x86, they were encrypted the wrong way. It is safe to use MIGRATE_BROKEN_PWD on Solaris and HP because it is essentially a no-op. But this allows us to decrypt x86 passwords and store them correctly. Platforms tested: RHEL4 i386, RHEL5 x86_64 Flag Day: no Doc impact: no QA impact: should be covered by regular nightly and manual testing New Tests integrated into TET: none
Diffstat (limited to 'ldap/servers/plugins')
-rw-r--r--ldap/servers/plugins/rever/des.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/ldap/servers/plugins/rever/des.c b/ldap/servers/plugins/rever/des.c
index 014c0876..0db0c4ab 100644
--- a/ldap/servers/plugins/rever/des.c
+++ b/ldap/servers/plugins/rever/des.c
@@ -478,9 +478,21 @@ static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear,
return err;
}
+/*
+ The UUID name based generator was broken on x86 platforms. We use
+ this to generate the password encryption key. During migration,
+ we have to fix this so we can use the fixed generator. The env.
+ var USE_BROKEN_UUID tells the uuid generator to use the old
+ broken method to create the UUID. That will allow us to decrypt
+ the password to the correct clear text, then we can turn off
+ the broken method and use the fixed method to encrypt the
+ password.
+*/
char *
migrateCredentials(char *oldpath, char *newpath, char *oldcred)
{
+ static char *useBrokenUUID = "USE_BROKEN_UUID=1";
+ static char *disableBrokenUUID = "USE_BROKEN_UUID";
char *plain = NULL;
char *cipher = NULL;
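Review bot: The new comment above migrateCredentials names only USE_BROKEN_UUID, but the switch an operator actually sets is MIGRATE_BROKEN_PWD, which the second hunk reads, and nothing here documents it. I would add a sentence such as `Set MIGRATE_BROKEN_PWD in the environment of the migration run to enable this; USE_BROKEN_UUID is set and cleared internally.` It is also worth saying next to `useBrokenUUID` and `disableBrokenUUID` that they are handed to putenv, which is why they need static storage. migrateCredentials continues past the end of this hunk.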
@@ -489,8 +501,15 @@ migrateCredentials(char *oldpath, char *newpath, char *oldcred)
slapd_pk11_configurePKCS11(NULL, NULL, tokDes, ptokDes, NULL, NULL, NULL, NULL, 0, 0 );
NSS_NoDB_Init(NULL);
+ if (getenv("MIGRATE_BROKEN_PWD")) {
+ putenv(useBrokenUUID);
+ }
+
if ( decode_path(oldcred, &plain, oldpath) == 0 )
{
+ if (getenv("MIGRATE_BROKEN_PWD")) {
+ putenv(disableBrokenUUID);
+ }
if ( encode_path(plain, &cipher, newpath) != 0 )
return(NULL);
else
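Review bot: The reset of USE_BROKEN_UUID sits only inside the `decode_path(...) == 0` branch, so when decoding fails the process keeps `USE_BROKEN_UUID=1` in its environment and any later key derivation in the same process would presumably still use the broken generator. Capturing the decode_path result, clearing the variable unconditionally, and only then testing the result would close that path. The clearing call `putenv(disableBrokenUUID)` passes a string with no `=`, which removes the variable on glibc but is not behaviour POSIX specifies; `unsetenv("USE_BROKEN_UUID");` states the intent portably, which matters because the description names Solaris and HP. Both putenv return values are ignored, so a failed set would surface only as an unexplained decode failure. The rest of migrateCredentials lies outside the hunk.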