diff --git a/dirsrvtests/tests/suites/openldap_2_389/migrate_hdb_test.py b/dirsrvtests/tests/suites/openldap_2_389/migrate_hdb_test.py index 95597898e6..da67ed244c 100644 --- a/dirsrvtests/tests/suites/openldap_2_389/migrate_hdb_test.py +++ b/dirsrvtests/tests/suites/openldap_2_389/migrate_hdb_test.py @@ -9,7 +9,6 @@ import pytest import os from lib389.topologies import topology_st -from lib389.password_plugins import PBKDF2Plugin from lib389.utils import ds_is_older from lib389.migrate.openldap.config import olConfig from lib389.migrate.openldap.config import olOverlayType diff --git a/dirsrvtests/tests/suites/openldap_2_389/migrate_memberof_test.py b/dirsrvtests/tests/suites/openldap_2_389/migrate_memberof_test.py index 4092bb36df..e5f749c01a 100644 --- a/dirsrvtests/tests/suites/openldap_2_389/migrate_memberof_test.py +++ b/dirsrvtests/tests/suites/openldap_2_389/migrate_memberof_test.py @@ -9,7 +9,6 @@ import pytest import os from lib389.topologies import topology_st -from lib389.password_plugins import PBKDF2Plugin from lib389.utils import ds_is_older from lib389.migrate.openldap.config import olConfig from lib389.migrate.openldap.config import olOverlayType diff --git a/dirsrvtests/tests/suites/openldap_2_389/migrate_monitor_test.py b/dirsrvtests/tests/suites/openldap_2_389/migrate_monitor_test.py index bf056f0e05..6935900a55 100644 --- a/dirsrvtests/tests/suites/openldap_2_389/migrate_monitor_test.py +++ b/dirsrvtests/tests/suites/openldap_2_389/migrate_monitor_test.py @@ -9,7 +9,6 @@ import pytest import os from lib389.topologies import topology_st -from lib389.password_plugins import PBKDF2Plugin from lib389.utils import ds_is_older from lib389.migrate.openldap.config import olConfig from lib389.migrate.openldap.config import olOverlayType diff --git a/dirsrvtests/tests/suites/openldap_2_389/migrate_test.py b/dirsrvtests/tests/suites/openldap_2_389/migrate_test.py index 492c94fc8f..fa41a9daf3 100644 --- a/dirsrvtests/tests/suites/openldap_2_389/migrate_test.py +++ b/dirsrvtests/tests/suites/openldap_2_389/migrate_test.py @@ -9,7 +9,6 @@ import pytest import os from lib389.topologies import topology_st -from lib389.password_plugins import PBKDF2Plugin from lib389.utils import ds_is_older from lib389.migrate.openldap.config import olConfig from lib389.migrate.openldap.config import olOverlayType diff --git a/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py b/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py index 90dae36ec7..6652013b15 100644 --- a/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py +++ b/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py @@ -8,7 +8,7 @@ # import pytest from lib389.topologies import topology_st -from lib389.password_plugins import PBKDF2Plugin +from lib389.password_plugins import PBKDF2SHA256Plugin from lib389.utils import ds_is_older pytestmark = pytest.mark.tier1 @@ -35,18 +35,18 @@ def test_pbkdf2_upgrade(topology_st): """ # Remove the pbkdf2 plugin config - p1 = PBKDF2Plugin(topology_st.standalone) + p1 = PBKDF2SHA256Plugin(topology_st.standalone) assert(p1.exists()) p1._protected = False p1.delete() # Restart topology_st.standalone.restart() # check it's been readded. - p2 = PBKDF2Plugin(topology_st.standalone) + p2 = PBKDF2SHA256Plugin(topology_st.standalone) assert(p2.exists()) # Now restart to make sure we still work from the non-bootstrap form topology_st.standalone.restart() - p3 = PBKDF2Plugin(topology_st.standalone) + p3 = PBKDF2SHA256Plugin(topology_st.standalone) assert(p3.exists()) diff --git a/dirsrvtests/tests/suites/pwp_storage/storage_test.py b/dirsrvtests/tests/suites/pwp_storage/storage_test.py index ed0dd9e533..6522f7e155 100644 --- a/dirsrvtests/tests/suites/pwp_storage/storage_test.py +++ b/dirsrvtests/tests/suites/pwp_storage/storage_test.py @@ -18,13 +18,56 @@ from lib389.topologies import topology_st as topo from lib389.idm.user import UserAccounts, UserAccount -from lib389._constants import DEFAULT_SUFFIX +from lib389._constants import DEFAULT_SUFFIX, DN_DM, PASSWORD, ErrorLog from lib389.config import Config -from lib389.password_plugins import PBKDF2Plugin, SSHA512Plugin +from lib389.password_plugins import ( + SSHA512Plugin, + PBKDF2SHA1Plugin, + PBKDF2SHA256Plugin, + PBKDF2SHA512Plugin +) from lib389.utils import ds_is_older pytestmark = pytest.mark.tier1 +PBKDF2_NUM_ITERATIONS_DEFAULT = 100000 + +PBKDF2_SCHEMES = [ + ('PBKDF2-SHA1', PBKDF2SHA1Plugin, PBKDF2_NUM_ITERATIONS_DEFAULT), + ('PBKDF2-SHA256', PBKDF2SHA256Plugin, PBKDF2_NUM_ITERATIONS_DEFAULT), + ('PBKDF2-SHA512', PBKDF2SHA512Plugin, PBKDF2_NUM_ITERATIONS_DEFAULT) +] + + +@pytest.fixture(scope="function") +def new_user(request, topo): + """Fixture to create and clean up a test user for each test""" + # Generate unique user ID based on test name + uid = f'new_user_{request.node.name[:20]}' + + # Create user + users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) + user = users.create(properties={ + 'uid': uid, + 'cn': 'Test User', + 'sn': 'User', + 'uidNumber': '1000', + 'gidNumber': '2000', + 'homeDirectory': f'/home/{uid}' + }) + + def fin(): + try: + # Ensure we're bound as DM before cleanup + topo.standalone.simple_bind_s(DN_DM, PASSWORD) + if user.exists(): + user.delete() + except Exception as e: + log.error(f"Error during user cleanup: {e}") + + request.addfinalizer(fin) + return user + def user_config(topo, field_value): """ @@ -62,6 +105,248 @@ def test_check_password_scheme(topo, value): user.delete() +@pytest.mark.parametrize('scheme_name,plugin_class,default_rounds', PBKDF2_SCHEMES) +def test_pbkdf2_default_rounds(topo, new_user, scheme_name, plugin_class, default_rounds): + """Test PBKDF2 schemes with default iteration rounds. + + :id: bd58cd76-14f9-4d54-9793-ee7bba8e5369 + :parametrized: yes + :setup: Standalone + :steps: + 1. Remove any existing rounds configuration + 2. Verify default rounds are used + 3. Set password and verify hash format + 4. Test authentication + :expectedresults: + 1. Pass + 2. Pass + 3. Pass + 4. Pass + """ + try: + # Flush logs + topo.standalone.restart() + topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN)) + topo.standalone.deleteErrorLogs() + + plugin = plugin_class(topo.standalone) + plugin.remove_all('nsslapd-pwdpbkdf2numiterations') + topo.standalone.restart() + + topo.standalone.config.replace('passwordStorageScheme', scheme_name) + + current_rounds = plugin.get_rounds() + assert current_rounds == default_rounds, \ + f"Expected default {default_rounds} rounds, got {current_rounds}" + + new_user.set('userPassword', 'Secret123') + pwd_hash = new_user.get_attr_val_utf8('userPassword') + assert pwd_hash.startswith('{' + scheme_name.upper() + '}') + assert str(default_rounds) in pwd_hash + + topo.standalone.simple_bind_s(new_user.dn, 'Secret123') + + assert topo.standalone.searchErrorsLog( + f'Number of iterations for {scheme_name} password scheme set to {default_rounds} from default' + ) + finally: + topo.standalone.simple_bind_s(DN_DM, PASSWORD) + + +@pytest.mark.parametrize('scheme_name,plugin_class,default_rounds', PBKDF2_SCHEMES) +def test_pbkdf2_rounds_reset(topo, new_user, scheme_name, plugin_class, default_rounds): + """Test PBKDF2 schemes rounds reset to defaults. + + :id: 59bf95c5-6a07-4db1-81eb-d59b54436826 + :parametrized: yes + :setup: Standalone + :steps: + 1. Set custom rounds for PBKDF2 plugin + 2. Verify custom rounds are used + 3. Remove rounds configuration + 4. Verify defaults are restored + 5. Test password operations with default rounds + :expectedresults: + 1. Pass + 2. Pass + 3. Pass + 4. Pass + 5. Pass + """ + try: + # Flush logs + topo.standalone.restart() + topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN)) + topo.standalone.deleteErrorLogs() + + test_rounds = 25000 + plugin = plugin_class(topo.standalone) + plugin.set_rounds(test_rounds) + topo.standalone.restart() + + current_rounds = plugin.get_rounds() + assert current_rounds == test_rounds, \ + f"Expected {test_rounds} rounds, got {current_rounds}" + + plugin.remove_all('nsslapd-pwdpbkdf2numiterations') + topo.standalone.restart() + + current_rounds = plugin.get_rounds() + assert current_rounds == default_rounds, \ + f"Expected default {default_rounds} rounds after reset, got {current_rounds}" + + topo.standalone.config.replace('passwordStorageScheme', scheme_name) + + new_user.set('userPassword', 'Secret123') + pwd_hash = new_user.get_attr_val_utf8('userPassword') + assert pwd_hash.startswith('{' + scheme_name.upper() + '}') + assert str(default_rounds) in pwd_hash + + topo.standalone.simple_bind_s(new_user.dn, 'Secret123') + + assert topo.standalone.searchErrorsLog( + f'Number of iterations for {scheme_name} password scheme set to {default_rounds} from default' + ) + finally: + topo.standalone.simple_bind_s(DN_DM, PASSWORD) + + +@pytest.mark.parametrize('scheme_name,plugin_class,_', PBKDF2_SCHEMES) +@pytest.mark.parametrize('rounds', [10000, 20000, 50000]) +def test_pbkdf2_custom_rounds(topo, new_user, scheme_name, plugin_class, _, rounds): + """Test PBKDF2 schemes with custom iteration rounds. + + :id: 6bec6542-ed8d-4a0e-89d6-e047757767c2 + :parametrized: yes + :setup: Standalone + :steps: + 1. Set custom rounds for PBKDF2 plugin + 2. Verify rounds are set correctly + 3. Set password and verify hash format + 4. Test authentication + 5. Verify rounds in password hash + :expectedresults: + 1. Pass + 2. Pass + 3. Pass + 4. Pass + 5. Pass + """ + try: + # Flush logs + topo.standalone.restart() + topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN)) + topo.standalone.deleteErrorLogs() + + plugin = plugin_class(topo.standalone) + plugin.set_rounds(rounds) + topo.standalone.restart() + + current_rounds = plugin.get_rounds() + assert current_rounds == rounds, \ + f"Expected {rounds} rounds, got {current_rounds}" + + topo.standalone.config.replace('passwordStorageScheme', scheme_name) + + new_user.set('userPassword', 'Secret123') + pwd_hash = new_user.get_attr_val_utf8('userPassword') + assert pwd_hash.startswith('{' + scheme_name.upper() + '}') + assert str(rounds) in pwd_hash + + topo.standalone.simple_bind_s(new_user.dn, 'Secret123') + + assert topo.standalone.searchErrorsLog( + f'Number of iterations for {scheme_name}' + ) + finally: + topo.standalone.simple_bind_s(DN_DM, PASSWORD) + + +@pytest.mark.parametrize('scheme_name,plugin_class,_', PBKDF2_SCHEMES) +def test_pbkdf2_invalid_rounds(topo, scheme_name, plugin_class, _): + """Test PBKDF2 schemes with invalid iteration rounds. + + :id: 4e5b4f37-c97b-4f58-b5c5-726495d9fa4e + :parametrized: yes + :setup: Standalone + :steps: + 1. Try to set invalid rounds (too low and too high) + 2. Verify appropriate errors are raised + 3. Verify original rounds are maintained + :expectedresults: + 1. Pass + 2. Pass + 3. Pass + """ + # Flush logs + topo.standalone.restart() + topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN)) + topo.standalone.deleteErrorLogs() + + plugin = plugin_class(topo.standalone) + plugin.enable() + + original_rounds = plugin.get_rounds() + + with pytest.raises(ValueError) as excinfo: + plugin.set_rounds(5000) + assert "rounds must be between 10,000 and 10,000,000" in str(excinfo.value) + + with pytest.raises(ValueError) as excinfo: + plugin.set_rounds(20000000) + assert "rounds must be between 10,000 and 10,000,000" in str(excinfo.value) + + current_rounds = plugin.get_rounds() + assert current_rounds == original_rounds, \ + f"Rounds changed from {original_rounds} to {current_rounds}" + + +@pytest.mark.parametrize('scheme_name,plugin_class,_', PBKDF2_SCHEMES) +def test_pbkdf2_rounds_persistence(topo, new_user, scheme_name, plugin_class, _): + """Test PBKDF2 rounds persistence across server restarts. + + :id: b15de1ae-53ac-429f-991b-cea5e6a7b383 + :parametrized: yes + :setup: Standalone + :steps: + 1. Set custom rounds for PBKDF2 plugin + 2. Restart server + 3. Verify rounds are maintained + 4. Set password and verify hash + 5. Test authentication + :expectedresults: + 1. Pass + 2. Pass + 3. Pass + 4. Pass + 5. Pass + """ + try: + # Flush logs + topo.standalone.restart() + topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN)) + topo.standalone.deleteErrorLogs() + + test_rounds = 15000 + plugin = plugin_class(topo.standalone) + plugin.set_rounds(test_rounds) + topo.standalone.restart() + + current_rounds = plugin.get_rounds() + assert current_rounds == test_rounds, \ + f"Expected {test_rounds} rounds after restart, got {current_rounds}" + + topo.standalone.config.replace('passwordStorageScheme', scheme_name) + + new_user.set('userPassword', 'Secret123') + pwd_hash = new_user.get_attr_val_utf8('userPassword') + assert str(test_rounds) in pwd_hash + + topo.standalone.simple_bind_s(new_user.dn, 'Secret123') + finally: + topo.standalone.simple_bind_s(DN_DM, PASSWORD) + + def test_clear_scheme(topo): """Check clear password scheme. @@ -106,27 +391,27 @@ def test_check_two_scheme(topo): user.delete() @pytest.mark.skipif(ds_is_older('1.4'), reason="Not implemented") -def test_check_pbkdf2_sha256(topo): - """Check password scheme PBKDF2_SHA256. +def test_check_pbkdf2_sha512(topo): + """Check password scheme PBKDF2-SHA512 is restored after deletion :id: 31612e7e-33a6-11ea-a750-8c16451d917b :setup: Standalone :steps: - 1. Try to delete PBKDF2_SHA256. - 2. Should not deleted PBKDF2_SHA256 and server should up. + 1. Try to delete PBKDF2-SHA512. + 2. Should not deleted PBKDF2-SHA512 and server should up. :expectedresults: 1. Pass 2. Pass """ - value = 'PBKDF2_SHA256' + value = 'PBKDF2-SHA512' user = user_config(topo, value) assert '{' + f'{value.lower()}' + '}' in \ UserAccount(topo.standalone, user.dn).get_attr_val_utf8('userpassword').lower() - plg = PBKDF2Plugin(topo.standalone) + plg = PBKDF2SHA512Plugin(topo.standalone) plg._protected = False plg.delete() topo.standalone.restart() - assert Config(topo.standalone).get_attr_val_utf8('passwordStorageScheme') == 'PBKDF2_SHA256' + assert Config(topo.standalone).get_attr_val_utf8('passwordStorageScheme') == value assert topo.standalone.status() user.delete() diff --git a/ldap/ldif/template-dse-minimal.ldif.in b/ldap/ldif/template-dse-minimal.ldif.in index d2b02f8be9..264cc51e06 100644 --- a/ldap/ldif/template-dse-minimal.ldif.in +++ b/ldap/ldif/template-dse-minimal.ldif.in @@ -195,6 +195,7 @@ nsslapd-pluginenabled: on dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin +objectClass: pwdPBKDF2PluginConfig cn: PBKDF2 nsslapd-pluginpath: libpwdchan-plugin nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init @@ -208,6 +209,7 @@ nsslapd-pluginDescription: PBKDF2 dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin +objectClass: pwdPBKDF2PluginConfig cn: PBKDF2-SHA1 nsslapd-pluginpath: libpwdchan-plugin nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init @@ -221,6 +223,7 @@ nsslapd-pluginDescription: PBKDF2-SHA1\ dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin +objectClass: pwdPBKDF2PluginConfig cn: PBKDF2-SHA256 nsslapd-pluginpath: libpwdchan-plugin nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init @@ -234,6 +237,7 @@ nsslapd-pluginDescription: PBKDF2-SHA256\ dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin +objectClass: pwdPBKDF2PluginConfig cn: PBKDF2-SHA512 nsslapd-pluginpath: libpwdchan-plugin nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in index b1736ccc28..1def62aed4 100644 --- a/ldap/ldif/template-dse.ldif.in +++ b/ldap/ldif/template-dse.ldif.in @@ -243,6 +243,7 @@ nsslapd-pluginenabled: on dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin +objectClass: pwdPBKDF2PluginConfig cn: PBKDF2 nsslapd-pluginpath: libpwdchan-plugin nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init @@ -256,6 +257,7 @@ nsslapd-pluginDescription: PBKDF2 dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin +objectClass: pwdPBKDF2PluginConfig cn: PBKDF2-SHA1 nsslapd-pluginpath: libpwdchan-plugin nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init @@ -269,6 +271,7 @@ nsslapd-pluginDescription: PBKDF2-SHA1\ dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin +objectClass: pwdPBKDF2PluginConfig cn: PBKDF2-SHA256 nsslapd-pluginpath: libpwdchan-plugin nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init @@ -282,6 +285,7 @@ nsslapd-pluginDescription: PBKDF2-SHA256\ dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin +objectClass: pwdPBKDF2PluginConfig cn: PBKDF2-SHA512 nsslapd-pluginpath: libpwdchan-plugin nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif index c98e5b34b3..bfe8259f82 100644 --- a/ldap/schema/01core389.ldif +++ b/ldap/schema/01core389.ldif @@ -332,6 +332,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2391 NAME 'dsEntryDN' DESC '389 Director attributeTypes: ( 2.16.840.1.113730.3.1.2392 NAME 'nsslapd-return-original-entrydn' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) attributeTypes: ( 2.16.840.1.113730.3.1.2393 NAME 'nsslapd-auditlog-display-attrs' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) attributeTypes: ( 2.16.840.1.113730.3.1.2398 NAME 'nsslapd-haproxy-trusted-ip' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN '389 Directory Server' ) +attributeTypes: ( 2.16.840.1.113730.3.1.2400 NAME 'nsslapd-pwdPBKDF2NumIterations' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Directory Server' ) # # objectclasses # @@ -353,3 +354,4 @@ objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netsc objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' ) objectClasses: ( 2.16.840.1.113730.3.2.332 NAME 'nsChangelogConfig' DESC 'Configuration of the changelog5 object' SUP top MUST ( cn $ nsslapd-changelogdir ) MAY ( nsslapd-changelogmaxage $ nsslapd-changelogtrim-interval $ nsslapd-changelogmaxentries $ nsslapd-changelogsuffix $ nsslapd-changelogcompactdb-interval $ nsslapd-encryptionalgorithm $ nsSymmetricKey ) X-ORIGIN '389 Directory Server' ) objectClasses: ( 2.16.840.1.113730.3.2.337 NAME 'rewriterEntry' DESC '' SUP top MUST ( nsslapd-libPath ) MAY ( cn $ nsslapd-filterrewriter $ nsslapd-returnedAttrRewriter ) X-ORIGIN '389 Directory Server' ) +objectClasses: ( 2.16.840.1.113730.3.2.340 NAME 'pwdPBKDF2PluginConfig' DESC 'PBKDF2 Password Storage Plugin configuration' SUP top MAY ( nsslapd-pwdPBKDF2NumIterations ) X-ORIGIN '389 Directory Server' ) diff --git a/ldap/servers/slapd/config.c b/ldap/servers/slapd/config.c index eb8c9a4fee..3db7b7840c 100644 --- a/ldap/servers/slapd/config.c +++ b/ldap/servers/slapd/config.c @@ -43,6 +43,7 @@ static char *bootstrap_plugins[] = { "dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config\n" "objectclass: top\n" "objectclass: nsSlapdPlugin\n" + "objectClass: pwdPBKDF2PluginConfig\n" "cn: PBKDF2-SHA512\n" "nsslapd-pluginpath: libpwdchan-plugin\n" "nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init\n" diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c index 00509654cd..11f65db548 100644 --- a/ldap/servers/slapd/fedse.c +++ b/ldap/servers/slapd/fedse.c @@ -218,6 +218,7 @@ static const char *internal_entries[] = "dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config\n" "objectclass: top\n" "objectclass: nsSlapdPlugin\n" + "objectClass: pwdPBKDF2PluginConfig\n" "cn: PBKDF2\n" "nsslapd-pluginpath: libpwdchan-plugin\n" "nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init\n" @@ -231,6 +232,7 @@ static const char *internal_entries[] = "dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config\n" "objectclass: top\n" "objectclass: nsSlapdPlugin\n" + "objectClass: pwdPBKDF2PluginConfig\n" "cn: PBKDF2-SHA1\n" "nsslapd-pluginpath: libpwdchan-plugin\n" "nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init\n" @@ -244,6 +246,7 @@ static const char *internal_entries[] = "dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config\n" "objectclass: top\n" "objectclass: nsSlapdPlugin\n" + "objectClass: pwdPBKDF2PluginConfig\n" "cn: PBKDF2-SHA256\n" "nsslapd-pluginpath: libpwdchan-plugin\n" "nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init\n" diff --git a/src/cockpit/389-console/src/lib/database/globalPwp.jsx b/src/cockpit/389-console/src/lib/database/globalPwp.jsx index cee0c746a5..71ebfaaba4 100644 --- a/src/cockpit/389-console/src/lib/database/globalPwp.jsx +++ b/src/cockpit/389-console/src/lib/database/globalPwp.jsx @@ -91,6 +91,16 @@ const tpr_attrs = [ "passwordtprdelayvalidfrom", ]; +const password_storage_attrs = [ + "nsslapd-pwdpbkdf2numiterations" +]; + +const PBKDF2_SCHEMES = ['pbkdf2', 'pbkdf2-sha1', 'pbkdf2-sha256', 'pbkdf2-sha512']; + +const isPBKDF2Scheme = (scheme) => { + return PBKDF2_SCHEMES.includes(scheme.toLowerCase()); +}; + export class GlobalPwPolicy extends React.Component { constructor(props) { super(props); @@ -104,6 +114,7 @@ export class GlobalPwPolicy extends React.Component { // each field, so we can loop over them to efficently // check for changes, and updating/saving the config. saveGeneralDisabled: true, + savePasswordStorageDisabled: true, saveExpDisabled: true, saveLockoutDisabled: true, saveSyntaxDisabled: true, @@ -120,6 +131,8 @@ export class GlobalPwPolicy extends React.Component { this.handleGeneralChange = this.handleGeneralChange.bind(this); this.handleSaveGeneral = this.handleSaveGeneral.bind(this); + this.handlePasswordStorageChange = this.handlePasswordStorageChange.bind(this); + this.handleSavePasswordStorage = this.handleSavePasswordStorage.bind(this); this.handleExpChange = this.handleExpChange.bind(this); this.handleSaveExp = this.handleSaveExp.bind(this); this.handleLockoutChange = this.handleLockoutChange.bind(this); @@ -129,6 +142,7 @@ export class GlobalPwPolicy extends React.Component { this.handleTPRChange = this.handleTPRChange.bind(this); this.handleSaveTPR = this.handleSaveTPR.bind(this); this.handleLoadGlobal = this.handleLoadGlobal.bind(this); + this.handleLoadPasswordStorage = this.handleLoadPasswordStorage.bind(this); // Select Typeahead this.handleSelectToggle = this.handleSelectToggle.bind(this); this.handleSelectClear = this.handleSelectClear.bind(this); @@ -147,6 +161,68 @@ export class GlobalPwPolicy extends React.Component { this.setState({ activeKey: key }); } + handlePasswordStorageChange(e) { + const value = e.target.type === 'checkbox' ? e.target.checked : e.target.value; + const attr = e.target.id.toLowerCase(); + let disableSaveBtn = true; + + for (const password_storage_attr of password_storage_attrs) { + const storageAttr = password_storage_attr.toLowerCase(); + const oldValue = String(this.state['_' + storageAttr] || ''); + const newValue = String(value || ''); + + if (attr === storageAttr && oldValue !== newValue) { + disableSaveBtn = false; + break; + } + } + + this.setState({ + [attr]: value || '', + savePasswordStorageDisabled: disableSaveBtn, + }); + } + + handleSavePasswordStorage() { + if (!isPBKDF2Scheme(this.state.passwordstoragescheme)) { + return; + } + this.setState({ + saving: true + }); + + const cmd = [ + 'dsconf', '-j', "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket", + 'plugin', 'pwstorage-scheme', this.state.passwordstoragescheme.toLowerCase(), + 'set-num-iterations', this.state[password_storage_attrs[0]] + ]; + + log_cmd("handleSavePasswordStorage", "Saving password storage settings", cmd); + cockpit + .spawn(cmd, { superuser: true, err: "message" }) + .done(content => { + this.handleLoadGlobal(); + this.setState({ + saving: false + }); + this.props.addNotification( + "success", + _("Successfully updated number of iterations for password storage scheme") + ); + }) + .fail(err => { + const errMsg = JSON.parse(err); + this.handleLoadGlobal(); + this.setState({ + saving: false + }); + this.props.addNotification( + "error", + cockpit.format(_("Error updating number of iterations for password storage scheme - $0"), errMsg.desc) + ); + }); + } + handleGeneralChange(e) { const value = e.target.type === 'checkbox' ? e.target.checked : e.target.value; const attr = e.target.id; @@ -168,9 +244,18 @@ export class GlobalPwPolicy extends React.Component { } } - this.setState({ + // Create state update object + const stateUpdate = { [attr]: value, saveGeneralDisabled: disableSaveBtn, + }; + + this.setState(stateUpdate, () => { + // If passwordstoragescheme was changed and it's a PBKDF2 scheme, + // load the iterations value + if (attr === 'passwordstoragescheme' && isPBKDF2Scheme(value)) { + this.handleLoadPasswordStorage(true); + } }); } @@ -178,6 +263,15 @@ export class GlobalPwPolicy extends React.Component { this.setState({ saving: true }); + if (!this.state.savePasswordStorageDisabled) { + this.handleSavePasswordStorage(); + } + if (this.state.saveGeneralDisabled) { + this.setState({ + saving: false + }); + return; + } const cmd = [ 'dsconf', '-j', "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket", @@ -596,10 +690,74 @@ export class GlobalPwPolicy extends React.Component { }); } + handleLoadPasswordStorage(skipLoading = false) { + if (!skipLoading) { + this.setState({ + loading: true + }); + } + + if (!isPBKDF2Scheme(this.state.passwordstoragescheme)) { + this.setState({ + loading: false, + 'nsslapd-pwdpbkdf2numiterations': '', + '_nsslapd-pwdpbkdf2numiterations': '' + }); + return; + } + + const cmd = [ + 'dsconf', '-j', "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket", + 'plugin', 'pwstorage-scheme', this.state.passwordstoragescheme.toLowerCase(), + 'get-num-iterations' + ]; + + log_cmd("handleLoadPasswordStorage", "Load password storage settings", cmd); + cockpit + .spawn(cmd, { superuser: true, err: "message" }) + .done(content => { + const config = JSON.parse(content); + const attrs = config.attrs; + + const stateUpdates = { + 'nsslapd-pwdpbkdf2numiterations': '', + '_nsslapd-pwdpbkdf2numiterations': '' + }; + + if (!skipLoading) { + stateUpdates["loading"] = false + } + password_storage_attrs.forEach(attr => { + const attrLower = attr.toLowerCase(); + const attrValue = attrs[attr] || attrs[attrLower]; + + if (attrValue && attrValue[0]) { + stateUpdates[attrLower] = attrValue[0]; + stateUpdates['_' + attrLower] = attrValue[0]; + } + }); + + this.setState(stateUpdates); + }) + .fail(err => { + const errMsg = JSON.parse(err); + this.setState({ + loading: false, + 'nsslapd-pwdpbkdf2numiterations': '', + '_nsslapd-pwdpbkdf2numiterations': '' + }); + this.props.addNotification( + "error", + cockpit.format(_("Error loading password storage settings - $0"), errMsg.desc) + ); + }); + } + handleLoadGlobal() { this.setState({ loading: true }); + const cmd = [ "dsconf", "-j", "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket", "config", "get" @@ -702,6 +860,7 @@ export class GlobalPwPolicy extends React.Component { loaded: true, loading: false, saveGeneralDisabled: true, + savePasswordStorageDisabled: true, saveUserDisabled: true, saveExpDisabled: true, saveLockoutDisabled: true, @@ -797,8 +956,10 @@ export class GlobalPwPolicy extends React.Component { _passwordtprmaxuse: attrs.passwordtprmaxuse[0], _passwordtprdelayexpireat: attrs.passwordtprdelayexpireat[0], _passwordtprdelayvalidfrom: attrs.passwordtprdelayvalidfrom[0], - }), this.props.enableTree() - ); + }), () => { + this.props.enableTree(); + this.handleLoadPasswordStorage(); + }); }) .fail(err => { const errMsg = JSON.parse(err); @@ -1387,6 +1548,25 @@ export class GlobalPwPolicy extends React.Component { + {isPBKDF2Scheme(this.state.passwordstoragescheme) && ( + + + {_("PBKDF2 Iterations")} + + + { + this.handlePasswordStorageChange(e); + }} + /> + + + )} @@ -1441,7 +1621,7 @@ export class GlobalPwPolicy extends React.Component {