Re: Change Default ssha password encryption algorithm
It depends on what your operating system's crypt(3) supports. Most Linux/Unix systems should support MD5crypt, but that is no longer considered secure (per the original author, PHK).
If you want to use SHA256crypt you would use:
olcPasswordCryptSaltFormat: $5$%.16s
If you want to use SHA512crypt, then
olcPasswordCryptSaltFormat: $6$%.16s
The SHA2crypt family is discussed more at:
https://en.wikipedia.org/wiki/Crypt_(C)#SHA2-based_scheme
https://www.akkadia.org/drepper/sha-crypt.html
I'm not sure what the differences between SHA2crypt and SSHA2 are. Most Linux distributions use SHA512crypt to secure root's password in the shadow(5) file, if that means anything.
> On Aug 25, 2016, at 13:02, Net Warrior <netwarrior863@gmail.com> wrote:
>
> Thank you very much for that!! Do you know if it supports md5crypt, or if there is any strong algorithm instead? For example, phpldapadmin has it as an option, but I want to force it.
>
> Best regards
> Thanks for your time and support
>
>
>
> On 08/25/2016 01:23 PM, Clément OUDOT wrote:
>> On 25/08/2016 at 18:12, Net Warrior wrote:
>>
>>> Hi Guys
>>>
>>> I need some guidance on this. I configured a ppolicy for a DIT which has all the users with plain passwords; I added the following to the policy
>>>
>>> changetype: modify
>>> replace: olcPPolicyHashCleartext
>>> olcPPolicyHashCleartext: FALSE
>>>
>>> When the user resets their password, it changes from a clear password to an encrypted one using ssha, but I want to store them using md5crypt. What do I need to change in my configuration?
>>>
>>
>> See olcPasswordHash parameter.
>>
>> From man slapd-config :
>>
>> olcPasswordHash: <hash> [<hash>...]
>> This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
>>
>> {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
>>
>> {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.
>>
>> {CRYPT} uses the crypt(3).
>>
>> {CLEARTEXT} indicates that the new password should be added to userPassword as clear text.
>>
>> Note that this option does not alter the normal user applications handling of userPassword during LDAP Add, Modify, or other LDAP operations. This setting is only allowed in the frontend entry.
>>
>>
>>
>
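The $6$ scheme the reply above selects with `olcPasswordCryptSaltFormat: $6$%.16s`, as an added example that is not part of the original thread and not OpenLDAP's own code: a from-scratch SHA512crypt in Python using only hashlib (so it does not depend on the host's crypt(3) or on Python's deprecated crypt module), plus the `{CRYPT}`-prefixed userPassword value slapd would store for it and a verifier that parses such a value back. The algorithm, the byte-transposition table and the "Hello world!" / "saltstring" test vector come from the sha-crypt specification linked above; the 16-character salt generator (matching the `%.16s` width), the `rounds=` handling convention and all function names are this example's own assumptions.

```python
"""SHA512crypt ($6$) as emitted for slapd's {CRYPT} scheme with
olcPasswordCryptSaltFormat "$6$%.16s".  Added example, not OpenLDAP code;
reimplemented from Drepper's sha-crypt spec with hashlib only."""
import hashlib
import hmac
import secrets

# crypt(3) base64 alphabet, also used by slapd for generated salts.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000          # spec default; omitted from the string
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999

# Order in which the 64 digest bytes are fed to the 24-bit encoder (spec table).
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _b64_24bit(b2, b1, b0, n):
    """Encode up to 24 bits as n chars, least-significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode(digest):
    s = "".join(_b64_24bit(digest[a], digest[b], digest[c], 4) for a, b, c in _ORDER)
    return s + _b64_24bit(0, 0, digest[63], 2)          # 84 + 2 = 86 chars


def sha512_crypt(password, salt, rounds=None):
    """Return the full "$6$[rounds=N$]salt$hash" string for a byte password.
    rounds=None means the spec default of 5000 with no rounds= field."""
    salt = salt[:16]                                   # spec: at most 16 chars
    custom = rounds is not None
    rounds = DEFAULT_ROUNDS if rounds is None else max(ROUNDS_MIN, min(rounds, ROUNDS_MAX))
    sb = salt.encode()
    n = len(password)
    # Digest B = H(pw || salt || pw), mixed into A in a length-dependent pattern.
    b = hashlib.sha512(password + sb + password).digest()
    a = hashlib.sha512(password + sb)
    a.update(b * (n // 64) + b[:n % 64])
    i = n
    while i > 0:                                       # walk the bits of len(pw)
        a.update(b if i & 1 else password)
        i >>= 1
    da = a.digest()
    # P: H(pw repeated len(pw) times), stretched to len(pw) bytes.
    dp = hashlib.sha512(password * n).digest()
    p = dp * (n // 64) + dp[:n % 64]
    # S: H(salt repeated 16 + DA[0] times), stretched to len(salt) bytes.
    ds = hashlib.sha512(sb * (16 + da[0])).digest()
    s = ds * (len(sb) // 64) + ds[:len(sb) % 64]
    # Cost loop: the round schedule from the spec.
    for r in range(rounds):
        c = hashlib.sha512()
        c.update(p if r & 1 else da)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(p)
        c.update(da if r & 1 else p)
        da = c.digest()
    prefix = f"$6$rounds={rounds}$" if custom else "$6$"
    return prefix + salt + "$" + _encode(da)


def _parse(h):
    """Split "$6$[rounds=N$]salt$hash" into (rounds or None, salt, hash)."""
    if not h.startswith("$6$"):
        raise ValueError("not a SHA512crypt string")
    parts = h[3:].split("$")
    rounds = None
    if parts[0].startswith("rounds="):
        rounds = int(parts[0][len("rounds="):])
        parts = parts[1:]
    return rounds, parts[0], parts[1]


def ldap_crypt_value(password, salt_chars=16):
    """userPassword value as slapd stores it for {CRYPT} with $6$%.16s.
    (Assumed helper: salt drawn with secrets from the crypt alphabet.)"""
    salt = "".join(secrets.choice(B64) for _ in range(salt_chars))
    return "{CRYPT}" + sha512_crypt(password, salt)


def ldap_verify(stored, password):
    """Check a candidate password against a stored {CRYPT}$6$ value."""
    if not stored.startswith("{CRYPT}"):
        return False
    h = stored[len("{CRYPT}"):]
    try:
        rounds, salt, _ = _parse(h)
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(sha512_crypt(password, salt, rounds), h)


if __name__ == "__main__":
    v = ldap_crypt_value(b"correct horse battery staple")
    print(v)
    print(ldap_verify(v, b"correct horse battery staple"))
```

`ldap_crypt_value` reproduces what slapd produces when `olcPasswordHash: {CRYPT}` is set on the frontend entry and `olcPasswordCryptSaltFormat: $6$%.16s` in cn=config; slapd itself hands the format string and the random salt to the system crypt(3), so $6$ only works on a libc that supports it, which is the point the reply above makes.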