https://bugs.openldap.org/show_bug.cgi?id=10254
Issue ID: 10254
Summary: Allow upgrading password hash on bind
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: me@floriswesterman.nl
Target Milestone: ---
Many OpenLDAP installations are likely to contain relatively old password hashes such as SSHA and CRYPT, as modern alternatives such as Argon are only recent additions. Due to the nature of password hashes, it is of course not possible to "unhash" the old values and rehash them with a more modern algorithm. The presence of these old password hashes poses a liability in case of information leaks or hacks.
Currently, the only way to upgrade a password hash is to wait for the user to change their password. This can be sped up by expiring passwords and forcing users to change them. However, this can be slow and frequent password rotation is no longer considered a best practice.
It would be a very helpful addition to add support for upgrading a password hash on bind. This is implemented in the 389 directory server: https://www.port389.org/docs/389ds/design/pwupgrade-on-bind.html
Essentially, when a user binds, the password is checked like normal. In case of a successful bind, the proposed feature would check the hash algorithm used for the password; and in case it is not equal to the current `olcPasswordHash` value, the user-provided password is rehashed using the new algorithm and stored. This way, the old hashes are phased out more quickly, without being a disturbance to users.
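The bind-time flow described above, as a constructed Python model added here (not OpenLDAP's code or the merged overlay change). It assumes RFC 2307 `{SCHEME}value` storage, the SSHA layout base64(digest || salt), and uses SSHA512 as the stand-in "modern" target scheme because Argon2 is not in the standard library.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo of rehash-on-bind; not OpenLDAP code.  Stored values use
# the RFC 2307 "{SCHEME}value" syntax with base64(digest || salt), like
# OpenLDAP's SSHA scheme.  SSHA512 stands in for the target scheme because
# Argon2 is not available in the standard library (an assumption).
_DIGESTS = {"SSHA": ("sha1", 20), "SSHA512": ("sha512", 64)}

def parse_scheme(stored: str) -> Tuple[str, str]:
    """Split '{SCHEME}payload'; scheme names are case-insensitive."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword has no {SCHEME} prefix")
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]

def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    algo, _ = _DIGESTS[scheme.strip("{}").upper()]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme.strip("{}").upper(), base64.b64encode(digest + salt).decode())

def verify_password(password: str, stored: str) -> bool:
    scheme, payload = parse_scheme(stored)
    if scheme not in _DIGESTS:
        return False  # unknown scheme: fail closed
    algo, dlen = _DIGESTS[scheme]
    raw = base64.b64decode(payload)
    digest, salt = raw[:dlen], raw[dlen:]
    expected = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)

def bind_with_rehash(entry: dict, password: str, configured_scheme: str) -> bool:
    """Simple bind.  Only after a successful check, and only when the stored
    scheme differs from the configured one (olcPasswordHash, e.g. "{SSHA512}"),
    rewrite the entry using the cleartext the client just supplied."""
    stored = entry["userPassword"]
    if not verify_password(password, stored):
        return False
    if parse_scheme(stored)[0] != configured_scheme.strip("{}").upper():
        # Internal rewrite, not a user password change: a password policy must
        # not treat it as one (the merged fix does not trigger pwdReset).
        entry["userPassword"] = hash_password(password, configured_scheme)
    return True
```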
Quanah Gibson-Mount quanah@openldap.org changed:
What            | Removed      | Added
----------------|--------------|------
Target Milestone| ---          | 2.7.0
Keywords        | needs_review |
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org --- Fantastic idea.
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Likely implement as a new option in slapo-ppolicy
Ondřej Kuzník ondra@mistotebe.net changed:
What          | Removed           | Added
--------------|-------------------|------
Assignee      | bugs@openldap.org | ondra@mistotebe.net
Status        | UNCONFIRMED       | IN_PROGRESS
See Also      |                   | https://bugs.openldap.org/show_bug.cgi?id=7981
Ever confirmed| 0                 | 1
--- Comment #3 from Ondřej Kuzník ondra@mistotebe.net --- https://git.openldap.org/openldap/openldap/-/merge_requests/763
Quanah Gibson-Mount quanah@openldap.org changed:
What      | Removed     | Added
----------|-------------|------
Status    | IN_PROGRESS | RESOLVED
Resolution| ---         | TEST
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org --- • 40683654 by Ondřej Kuzník at 2025-06-23T16:47:48+00:00 ITS#10254 Fix password_scheme to return full hash specification
• dcd60d1d by Ondřej Kuzník at 2025-06-23T16:47:48+00:00 ITS#10254 Let slapo-ppolicy rehash user's password
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org --- • a73e45df by Ondřej Kuzník at 2025-08-05T15:35:34+00:00 ITS#10254 Fill in documentation
• 06480123 by Ondřej Kuzník at 2025-08-05T15:35:34+00:00 ITS#10254 Fix rehashing logic and add tests
• 0734bc33 by Ondřej Kuzník at 2025-08-05T15:35:34+00:00 ITS#10254 Do not trigger pwdReset when rehashing