Convert existing openLDAP password from SSHA to SHA-1

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri Aug 19 19:34:08 UTC 2011


On Fri, Aug 19, 2011 at 04:30:11PM -0300, Alexandre Cavalcante Alencar wrote:
> Willian, you can do so by changing the *password-hash* param in your
> slapd.conf file. This param takes one or more hashing functions to be used
> for storing the hashed version of the password.
> 
> As stated in slapd.conf (5) man page:
> 
> {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a
> seed. {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
> with a seed.

Of course the seed makes it vastly harder to crack and is hence
recommended.  So given the choice if you want hard to crack hashes,
use SSHA, not SHA.  Or use the available plugin and go to SHA2 instead.

> You can add the following to make your setup work
> 
> password-hash {SSHA} {SHA}
> 
> or
> 
> password-hash {SSHA} {MD5}
> 
> This will add a new userPassword attribute to objects when they call the
> LDAP Password Modify Extended Operation (RFC 3062).
> 
> As stated in the man page:
> 
> Note that this option does not alter the normal user applications handling
> of userPassword during LDAP Add, Modify, or other LDAP operations.
> 
> After making the change in slapd.conf, you need to restart the daemon and
> let all users change their passwords (in the normal fashion or forced by
> password expiry).

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
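As an added illustration (not code from this thread or from OpenLDAP), the following Python shows what the two schemes discussed above look like on disk: {SHA} is base64(sha1(password)), {SSHA} is base64(sha1(password + salt) + salt). It also includes a helper to list entries still stored unsalted, which is what you would want to audit while waiting for users to change their passwords after switching password-hash to {SSHA}. The 4-byte salt length and the sample values are assumptions of this example.

```python
"""Constructed example of OpenLDAP-style {SHA} / {SSHA} userPassword values."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size in bytes; salt follows the digest in {SSHA}


def make_sha(password: bytes) -> str:
    # {SHA}: unsalted, so identical passwords yield identical values.
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def make_ssha(password: bytes, salt: bytes = b"") -> str:
    # {SSHA}: digest over password+salt, with the salt appended for later
    # verification. A 4-byte random salt is assumed here (not an OpenLDAP fact).
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def parse(value: str) -> tuple:
    """Split a userPassword value into (scheme, digest, salt)."""
    scheme, _, payload = value.partition("}")
    scheme += "}"
    raw = base64.b64decode(payload)
    if scheme == "{SHA}":
        return scheme, raw, b""
    if scheme == "{SSHA}":
        return scheme, raw[:SHA1_LEN], raw[SHA1_LEN:]
    raise ValueError("unsupported scheme: " + scheme)


def verify(value: str, password: bytes) -> bool:
    """Check a candidate password against a stored {SHA} or {SSHA} value."""
    _, digest, salt = parse(value)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def unsalted_entries(values: list) -> list:
    """Return the stored values that still use the unsalted {SHA} scheme."""
    return [v for v in values if parse(v)[0] == "{SHA}"]
```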