Buchan Milne writes:
On Wednesday 04 June 2008 20:02:55 Jeroen van Aart wrote:
Currently we use {CRYPT} passwords. I would like to know if there is a way to use {SHA} passwords.
Yes. See for example the slappasswd man page.
Though why use SHA instead of the default SSHA (salted SHA)? Even CRYPT passwords have a salt.
Could existing passwords be in some way converted to {SHA}?
Except by brute-forcing, no.
You could write an overlay to intercept Simple Bind operations: If the current userPassword is a {CRYPT} and the user-provided password matches it, SHA-hash the user-provided password and replace the stored CRYPT with the new SHA. Though this does make it a bit dubious to claim that the new SHA hash has the strength of SHA rather than the strength it inherited from CRYPT...
(...) The best option here is to change the default password hashing method (see the 'password-hash' directive for slapd.conf), and force password changes (if done via an LDAP password change extended operation, slapd will take care of hashing the password correctly).
And there ought to be a password expiry policy in place so users will need to change old passwords anyway. If LDAP is your authoritative store for passwords, see man slapo-ppolicy.
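The "rehash on successful bind" idea above and the {SHA}-versus-{SSHA} point, as an added example that is not from the thread or from OpenLDAP itself: it builds and verifies RFC 2307 style userPassword values in the format slappasswd emits and, on a successful check against a weak scheme, returns the {SSHA} replacement an overlay would store. The scheme names in WEAK and the 4-byte salt length are assumptions; {CRYPT} verification relies on the optional crypt module.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

try:  # crypt(3) binding: missing on some platforms, removed in Python 3.13
    import crypt
except ImportError:
    crypt = None

# Schemes the migration should replace (assumption: SHA is unsalted, CRYPT is legacy)
WEAK = {"CRYPT", "SHA"}


def hash_sha(password: bytes) -> str:
    """Unsalted {SHA}: base64(SHA1(pw)), as 'slappasswd -h {SHA}' emits."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def hash_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(SHA1(pw + salt) + salt), OpenLDAP's default scheme."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored: str, password: bytes) -> bool:
    """Check a cleartext password against a '{SCHEME}value' userPassword."""
    scheme, _, data = stored.partition("}")
    scheme = scheme[1:].upper()
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt(3) not available on this platform")
        return hmac.compare_digest(crypt.crypt(password.decode(), data), data)
    raw = base64.b64decode(data)
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(password).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())
    raise ValueError("unsupported scheme " + scheme)


def rehash_on_bind(stored: str, password: bytes) -> Optional[str]:
    """What the overlay would do on a Simple Bind: if the stored hash uses a
    weak scheme and the supplied password matches, return the {SSHA} value to
    write back; otherwise None. Note the new hash protects only as well as
    the old one did up to this point, as the thread cautions."""
    scheme = stored[1:stored.index("}")].upper()
    if scheme not in WEAK or not verify(stored, password):
        return None
    return hash_ssha(password)
```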