[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap support SHA-256 or SHA-3.

To: Simone Piccardi <piccardi@truelite.it>, openldap-technical@openldap.org
Subject: Re: Openldap support SHA-256 or SHA-3.
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Wed, 08 Jan 2020 08:19:56 -0800
Content-disposition: inline
Dkim-filter: OpenDKIM Filter v2.10.3 zmcc-2-mta-1.zmailcloud.com E7295CF079
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symas.com; s=37C7994C-28CA-11EA-A30F-68F90BB9D764; t=1578500395; bh=9YzWiAFGOPbfWpz0xy5LeMdy07JZKgBpl2x4UhrJq0Q=; h=Date:From:To:Message-ID:MIME-Version; b=ASD6u4ztUKfJ4D9v7z/gB5BHzbMuDtJTP6Y6qp5ELYzLH4areAOlSbDMvRxgxVUBx LDgILGaySt/jYJ5xQGPNWGAoL/cd0uLAvmYJh46lH7LOmLCFxbEPeWLZi3H7br29yQ BR1OPs+iZmzdtA3jGC2j8qj/EoBIatbkKTC1czXjBFkzIywtTKJxKJuglQvXXaoDlF WTDIYK0KNnCyDeb6Nt/2NUrOnmfZckDUOc0LVSZLnY5zxHUNw+Z+tID+R1dG+QYU9M L2ABtO+YdmlZNKjX4AALi+zwmh9+dlVHmOhhol9GZdM8dZKMW60qThU2ucxOHnDvkj NY5NeLgR1PayQ==
In-reply-to: <460c547b-c13a-d57e-7c7b-7ad9642b5e59@truelite.it>
References: <CALm_Vjh4vgOBu8kZrJzRheAyqbZVL0OoE-nRAvc1z+nb-Eow9Q@mail.gmail.com> <67753E9A5A2A2945F035E0CC@192.168.1.144> <CALm_Vji=Mok7kkZ96+EEAu_Osw0rVjBANBrdejKFs=fEr--3HQ@mail.gmail.com> <1C6038D9E08BE216B90B3FF4@[192.168.1.144]> <7209ad32-c522-bc3e-e863-a5ff72c18e8b@stroeder.com> <7180359711BF1270F919BD53@[192.168.1.144]> <930e4cf3-240f-155e-1cbc-c74f68b9ba3e@stroeder.com> <CA17B510ABD069A7884B759C@[192.168.1.144]> <460c547b-c13a-d57e-7c7b-7ad9642b5e59@truelite.it>

--On Wednesday, January 8, 2020 10:27 AM +0100 Simone Piccardi<piccardi@truelite.it> wrote:

Il 08/01/20 03:05, Quanah Gibson-Mount ha scritto:


In any case, I've been advocating for several years now to get rid of
SSHA as the default hashing mechanism and replace it with something that
may actually have some security value.


But in the current version it better to use the contrib module, or
delegate the hashing to the C library? I'm currently using on new install:

password-hash {CRYPT}
password-crypt-salt-format "$6$%.16s"

but I'm using only Linux, I don't know if this is applicable on other OS.

The use of CRYPT may be non-portable. In addition to the SSHA2 passwordmodule, there's a module on github that allows the use of bcrypt:


<https://github.com/wclarie/openldap-bcrypt/>

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

References:
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Michael Ströder <michael@stroeder.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Michael Ströder <michael@stroeder.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Openldap support SHA-256 or SHA-3.
  - From: Simone Piccardi <piccardi@truelite.it>

Prev by Date: structural objectclass checking
Next by Date: Re: Replication account problem
Index(es):
- Chronological
- Thread