Tuesday, December 7, 2021

[389-users] Re: Recent commits in stable 389ds branches - discussion

>>> 3) A new default plugin requirement, the plugin being written in Rust - probably
>>> its introduction is FIPS-related (Issue 3584 - Fix PBKDF2_SHA256 hashing in
>>> FIPS mode).
>> This was a very important fix to get into 1.4.4, usually big changes do not land
>> in 1.4.4 anymore, but this one needed to get in.
> This change was about the C code, not Rust code if I recall correctly, since
> that's the inbuilt PBKDF2_SHA256 module, not the pwdchan one with openldap
> compat. The RUST pbkdf2 module has existed since early 1.4.4 and that's needed
> for openldap migration which we at SUSE enable by default (I don't think RH do
> yet).

the changes in dse.ldif in that issue (3584) made libpwdchan-plugin required for the server (new entries in in cn=Password Storage Schemes,cn=plugins,cn=config).

>>> See my comment
>>> https://github.com/389ds/389-ds-base/issues/5008#issuecomment-983759224. Rust
>>> becomes a requirement for building the server, which is fine, but then it
>>> should be enabled by default in "./configure". Without it the server does not
>>> compile the new plugin and complains about it when starting:
>>> [01/Dec/2021:12:54:04.460194603 +0100] - ERR - symload_report_error - Could not
>>> open library "/Local/dirsrv/lib/dirsrv/plugins/libpwdchan-plugin.so" for plugin
>>> PBKDF2
>> Yes I do understand this frustration, and it is now fixed for non-rust builds.
> I think this error specifically came about if you did a rust build, then you
> took rust away, it created some leftovers in dse.ldif I think (?).
No, actually i have never installed rust on any of our production or build servers. dse.ldif now integrates by default rust-written plugins but --enable-rust is not a default option in ./configure, that was in fact the problem.

Thank you, William!

389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment