unhashed#user#password visible after changing password

Solution Unverified - Updated -

Issue

  • When a user changes their password in Red Hat Directory Server or 389, the unhashed#user#password attribute (which stores the password in plaintext for the purposes of password policy and Windows sync) is available for any authenticated user to view. Any user who can successfully bind to the directory server can request and view this attribute under certain conditions, without administrative privileges. The attribute is only exposed in the time between a user changing their password and the directory server being restarted.

  • When the password for an LDAP user was changed and audit logging was enabled (it is disabled by default), the new password was written to the audit log in plain text.
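
An added example, not from the Red Hat article: a small Python scanner that walks a 389-ds style audit log, reports which change records carry the unhashed#user#password attribute (returning only the time and DN, never the value), and produces a redacted copy of the log. The log content below is constructed for the example, and the record layout it assumes (LDIF-like blocks introduced by a `time:` line and separated by blank lines) is an assumption about the audit log format.

```python
import re

# Constructed sample of a 389-ds / RHDS audit log; not a real capture.
# Assumed layout: each change is an LDIF-like block starting with "time:".
SAMPLE_AUDIT_LOG = """\
time: 20130306154210
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}Z1hZQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFla
-
replace: unhashed#user#password
unhashed#user#password: Sup3rSecret!
-
replace: modifiersname
modifiersname: uid=jdoe,ou=People,dc=example,dc=com
-

time: 20130306154455
dn: cn=printers,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=jdoe,ou=People,dc=example,dc=com
-
"""

LEAK_ATTR = "unhashed#user#password"


def split_records(text):
    """Yield each change record of the audit log as a list of lines."""
    block = []
    for line in text.splitlines():
        if line.strip():
            block.append(line)
        elif block:
            yield block
            block = []
    if block:
        yield block


def find_leaks(text):
    """Return (time, dn) for every record holding a plaintext password value.
    The value itself is deliberately never copied out of the log."""
    hits = []
    for rec in split_records(text):
        if any(line.startswith(LEAK_ATTR + ":") for line in rec):
            when = next((l[len("time: "):] for l in rec if l.startswith("time: ")), "?")
            dn = next((l[len("dn: "):] for l in rec if l.startswith("dn: ")), "?")
            hits.append((when, dn))
    return hits


def redact(text):
    """Return a copy of the log with every plaintext password value blanked."""
    pattern = rf"^({re.escape(LEAK_ATTR)}:).*$"  # only the value line, not "replace:"
    return re.sub(pattern, r"\1 [REDACTED]", text, flags=re.M)


if __name__ == "__main__":
    for when, dn in find_leaks(SAMPLE_AUDIT_LOG):
        print(f"{when} plaintext password recorded for {dn}")
```

Run the scanner over a copy of the audit log before sharing it with support or a log collector; the redacted output keeps the hashed userPassword value and every other change intact.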

Environment

  • Red Hat Enterprise Linux 6 / Red Hat Directory Server 9
    • 389-ds-base
  • Red Hat Directory Server 8
    • redhat-ds-base
