Convert existing openLDAP password from SSHA to SHA-1

Alexandre Cavalcante Alencar alexandre.alencar-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Aug 19 19:42:32 UTC 2011


Hi Lennart,

Sure, but for this case, Google Directory Sync only supports plain SHA-1 or
MD5.

Best Regards

Alexandre Alencar
Twitter @alexandreitpro
http://blog.alexandrealencar.net/
http://www.alexandrealencar.net/
http://www.alexandrealencar.com
http://www.servicosdeti.com.br/
COBIT, ITIL, CSM, LPI, MCP-I




On Fri, Aug 19, 2011 at 4:34 PM, Lennart Sorensen <
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org> wrote:

> On Fri, Aug 19, 2011 at 04:30:11PM -0300, Alexandre Cavalcante Alencar
> wrote:
> > Willian, you can do so by changing the *password-hash* param in your
> > slapd.conf file. This param takes one or more hashing functions to be
> > used for storing the hashed version of the password.
> >
> > As stated in slapd.conf (5) man page:
> >
> > {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a
> > seed. {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
> > with a seed.
>
> Of course the seed makes it vastly harder to crack and is hence
> recommended.  So given the choice if you want hard to crack hashes,
> use SSHA, not SHA.  Or use the available plugin and go to SHA2 instead.
>
> > You can add the following to make your setup work
> >
> > password-hash {SSHA} {SHA}
> >
> > or
> >
> > password-hash {SSHA} {MD5}
> >
> > This will add a new userPassword attribute to objects when they call the
> > LDAP Password Modify Extended Operations (RFC 3062).
> >
> > As stated in the man page:
> >
> > Note that this option does not alter the normal user applications
> > handling of userPassword during LDAP Add, Modify, or other LDAP
> > operations.
> >
> > After making the change in slapd.conf, you need to restart the daemon and
> > let all users change their passwords (in normal fashion or forced by
> > password expire).
>
> --
> Len Sorensen
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
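
Added example, not part of the original message or of OpenLDAP's code: a Python illustration of how {SHA} and {SSHA} userPassword values are built and checked, showing why a stored {SSHA} value cannot be turned into {SHA} without the cleartext, which is why the thread has users change their passwords. The function names, the 8-byte salt and the sample passwords are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_sha(password: bytes) -> str:
    """{SHA}: base64 of the bare SHA-1 digest, no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64 of SHA-1(password + salt) followed by the salt."""
    salt = os.urandom(8) if salt is None else salt  # salt length is an assumption
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password: bytes, stored: str) -> bool:
    """Check a cleartext password against a {SHA} or {SSHA} value."""
    scheme, sep, b64 = stored.partition("}")
    if not sep or not scheme.startswith("{"):
        raise ValueError("missing {SCHEME} prefix")
    raw = base64.b64decode(b64)
    name = scheme[1:].upper()
    if name == "SHA":
        digest, salt = raw, b""
    elif name == "SSHA":
        # Everything after the 20-byte digest is the salt (the "seed").
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    else:
        raise ValueError("unsupported scheme: " + name)
    if len(digest) != SHA1_LEN:
        return False
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def rehash_on_change(password: bytes, old_stored: str) -> str:
    """Produce {SHA} from the cleartext a user supplies at password change.

    The stored {SSHA} bytes alone are not enough: SHA-1(password + salt)
    cannot be transformed into SHA-1(password).
    """
    if not verify(password, old_stored):
        raise PermissionError("old password does not match")
    return make_sha(password)
```

Two users with the same password get different {SSHA} values but identical {SHA} values, which is the property the reply about the seed refers to.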