Convert existing openLDAP password from SSHA to SHA-1

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Aug 19 21:55:14 UTC 2011


Thanks guys

On 19 August 2011 15:42, Alexandre Cavalcante Alencar <
alexandre.alencar-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> Hi Lennart,
> Sure, but for this case, Google Directory Sync only support plain SHA-1 or
> MD5.
Lennart, as Alexandre has mentioned, Google applications do not support salted
hashes. So essentially, the changes I am about to apply will weaken the
password strength, considering they are currently SSHA, but this looks like
the only way Directory Sync will be usable.

Thanks again for the help and great weekend!

Regards,
William

> Best Regards
> Alexandre Alencar
> Twitter @alexandreitpro
> http://blog.alexandrealencar.net/
> http://www.alexandrealencar.net/
> http://www.alexandrealencar.com
> http://www.servicosdeti.com.br/
> COBIT, ITIL, CSM, LPI, MCP-I
>
>
>
>
> On Fri, Aug 19, 2011 at 4:34 PM, Lennart Sorensen
> <lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org> wrote:
>>
>> On Fri, Aug 19, 2011 at 04:30:11PM -0300, Alexandre Cavalcante Alencar
>> wrote:
>> > Willian, you can do so by changing *password-hash *param from your
>> > slapd.conf file. This param takes one or more hashing functions to be
>> > used
>> > for storing password hashed version.
>> >
>> > As stated in slapd.conf (5) man page:
>> >
>> > {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a
>> > seed as of {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
>> > with a seed.
>>
>> Of course the seed makes it vastly harder to crack and is hence
>> recommended.  So given the choice if you want hard to crack hashes,
>> use SSHA, not SHA.  Or use the available plugin and go to SHA2 instead.
>>
>> > You can add the following to make your setup work
>> >
>> > password-hash {SSHA} {SHA}
>> >
>> > or
>> >
>> > password-hash {SSHA} {MD5}
>> >
>> > This will add a new userPassword attribute to objects when they call the
>> > LDAP Password Modify Extended Operations (RFC 3062).
>> >
>> > As of stated in man page:
>> >
>> > Note that this option does not alter the normal user applications
>> > handling
>> > of userPassword during LDAP Add, Modify, or other LDAP operations.
>> >
>> > After making the change in slapd.conf, you need to restart the daemon and
>> > let all users change their passwords (in normal fashion or forced by
>> > password expiry).
>>
>> --
>> Len Sorensen
>> --
>> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
>> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
>> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
>
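Added example, not code from anyone in the thread: it shows exactly what slapd stores for the two schemes discussed, `{SHA}` versus `{SSHA}`, and why an existing `{SSHA}` value cannot be "converted" to `{SHA}` without the plaintext, which is why the advice above ends with forcing everyone to change their password once `password-hash` is set. The 4-byte salt length for newly generated `{SSHA}` values matches what slapd's own generator uses, but the verifier below reads the salt as whatever follows the 20-byte digest, so it accepts any salt length. The function names and the sample password `"password"` are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# OpenLDAP userPassword encodings for the two schemes in the thread:
#   {SHA}  -> base64( sha1(password) )              no salt at all
#   {SSHA} -> base64( sha1(password || salt) || salt )  salt appended after digest
#
# Assumption: a 4-byte salt for values we generate (slapd's SSHA generator
# uses 4 bytes); verification below does not depend on that length.

SHA1_LEN = 20  # SHA-1 digest is 20 bytes; everything after it is the salt


def sha_userpassword(password: str) -> str:
    """Unsalted {SHA}: every user with the same password gets the same value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: a fresh random salt makes each stored value unique."""
    if salt is None:
        salt = os.urandom(4)  # assumed 4-byte salt, as slapd generates
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt is whatever trails the digest
        computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(computed, digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        computed = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(computed, raw)
    raise ValueError("unsupported userPassword scheme: " + stored[:8])


def rehash_to_sha(stored_ssha: str, plaintext: str) -> Optional[str]:
    """The only route from an {SSHA} entry to a {SHA} value: the plaintext must be
    available (at password-change time). A digest cannot be un-salted, so a
    value that does not verify yields None rather than a bogus hash."""
    if not verify_userpassword(stored_ssha, plaintext):
        return None
    return sha_userpassword(plaintext)


if __name__ == "__main__":
    pw = "password"  # constructed sample
    first, second = ssha_userpassword(pw), ssha_userpassword(pw)
    print("SSHA #1:", first)
    print("SSHA #2:", second, "(same password, different salt)")
    print("SHA    :", sha_userpassword(pw), "(same for every user with this password)")
    print("rehash with wrong plaintext:", rehash_to_sha(first, "Password"))
    print("rehash with right plaintext:", rehash_to_sha(first, pw))
```

Running this against your own directory data is straightforward: paste a `userPassword` value from an LDIF dump into `verify_userpassword`. The `{SHA}` line for `"password"` can be cross-checked with `slappasswd -h '{SHA}' -s password`. The two `{SSHA}` lines differ for the same password while the `{SHA}` line never does, which is the weakening William refers to: with unsalted SHA-1 a single precomputed table cracks every account at once.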