OpenLDAP Software FAQ: Does OpenLDAP support {SHA512}, {SHA256} or other SHA-2 hash algorithms?
OpenLDAP does not support SHA-2 password hash formats directly, but there is a third-party module available: http://www.openldap.org/its/index.cgi/Contrib?id=5660
jeff@atlassian.com
You can have indirect support through the {CRYPT} algorithm if your system's crypt() function supports it, as on a recent GNU/Linux. You should care about portability when doing that though.
bernard@massot.ath.cx
Since OpenLDAP release 2.4.32 SHA-2 algorithms are supported by the overlay slapo-pw-sha2 which is found under contrib/ and has to be built separately.
michael@stroeder.com
Many distributions include the pw-sha2 overlay now and allow for {SHA256}, {SHA512}, and salted variants.
elizabeth@interlinked.me
I found it very difficult to mesh the moving parts that are necessary to enable SHA512 passwords on Debian and Ubuntu. I got it to work and documented the process here:
TL;DR: Read up on {CRYPT}$6$bCFmhgGp8n9T403x$kwTl5QRsRRPHiTsRfPuIbRydXuidEMlvk0QhltoZVVTibNPNcYmbQWMqbD6kXlts5GY8f5n707kExdAbQttNC1
chadmatsalla@gmail.com
Just to state the obvious, SHA-256 and SHA-512 based "glibc" crypt algorithms $5$ and $6$ are totally different from plain (or salted) "{SHA256}" algorithms. The libc crypt variants do a lot of nonsensical transpositions to increase the computational load.
b.eckenfels@seeburger.de
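
The difference between the pw-sha2 style values and the {CRYPT} $5$/$6$ values discussed in the answers above, as an added example that is not part of the FAQ or of OpenLDAP's code. The function names are hypothetical; it assumes the pw-sha2 layout base64(digest(password + salt) + salt) with an 8-byte salt, and the glibc default of 5000 rounds when no `rounds=` field is present.

```python
import base64, hashlib, hmac, os, re

DIGESTS = {"SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}
# {SHA512}... or {SSHA512}...: standard base64 of digest (+ salt)
SCHEME_RE = re.compile(r"^\{(S?)(SHA256|SHA384|SHA512)\}(.+)$")
# glibc crypt: $id$[rounds=N$]salt$hash, id 5 = SHA-256, 6 = SHA-512
CRYPT_RE = re.compile(
    r"^\{CRYPT\}\$([56])\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]+)$")

def make_hash(password, scheme="SSHA512", salt=None):
    """Build a userPassword value; salted schemes append the raw salt."""
    salted = scheme.startswith("SSHA")
    algo = DIGESTS[scheme[1:] if salted else scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)  # assumption: 8-byte salt
    digest = hashlib.new(algo, password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def verify(password, stored):
    """Check a password against a {SHA*}/{SSHA*} value (one hash pass)."""
    m = SCHEME_RE.match(stored)
    if not m:
        raise ValueError("not a {SHA*}/{SSHA*} value; {CRYPT} needs crypt()")
    h = hashlib.new(DIGESTS[m.group(2)])
    raw = base64.b64decode(m.group(3))
    digest, salt = raw[:h.digest_size], raw[h.digest_size:]
    if bool(salt) != bool(m.group(1)):  # salt must match the scheme name
        return False
    h.update(password + salt)
    return hmac.compare_digest(h.digest(), digest)

def describe(stored):
    """Classify a userPassword value without verifying it."""
    m = CRYPT_RE.match(stored)
    if m:
        return {"family": "crypt", "digest": "sha256" if m.group(1) == "5" else "sha512",
                "rounds": int(m.group(2) or 5000), "salt": m.group(3),
                "hash_chars": len(m.group(4))}
    m = SCHEME_RE.match(stored)
    if m:
        size = hashlib.new(DIGESTS[m.group(2)]).digest_size
        raw = base64.b64decode(m.group(3))
        return {"family": "pw-sha2", "digest": DIGESTS[m.group(2)], "rounds": 1,
                "salt": raw[size:], "hash_chars": len(m.group(3))}
    return {"family": "unknown"}
```

Running `describe()` on the {CRYPT} value quoted above reports an iterated SHA-512 crypt hash with a 16-character salt, while an {SSHA512} value is a single SHA-512 pass over password plus salt.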