On 05/15/2018 03:19 AM, Marian Rainer-Harbach wrote:
> Hi William,
>
>> PBKDF2_SHA256 does not work on EL7 due to a limitation with the NSS
>> crypto provider. At start up it will drop and error in your logs like
>> "crypto provider not available" or something.
>>
>> It's only available in 1.4.x. on fedora today, and will be supported in
>> a "future version" for EL.
>>
>> The plugin "exists" in 1.3.x because that's where I developed it
>> (against fedora) at the time, but due to a mistake on my part, I
>> allowed it to be configured and built on EL7. For that I apologise.
> this is very interesting to me. We had a discussion on PBKDF2_SHA256 on RHEL 7.4 last autumn: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/3SPWGFI7JX4V5U4ACOX4P3BSQVF5XEWB/
>
> Does your quote here explain the behavior I saw in our discussion?
>
> I'm confused now because we still have the PBKDF2_SHA256 plugin enabled on our servers and the Directory Manager password is actually hashed using PBKDF2_SHA256. It does work and I also cannot find any log messages containing "crypto" or "provider".
>
> We are currently using RHEL 7.5 and 389-ds-base 1.3.7.5-19.el7_5.
This does not affect Fedora or RHEL (so you are okay), only epel builds
like Centos. The good news is that it is not used by default in
389-ds-base-1.3.x, so nothing is broken out of the box for those platforms.
>
> Thanks,
> Marian
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
No comments:
Post a Comment