Re: SHA-256 Password Support and OpenLDAP2-2.4.46 SLES15SP2

On 3/18/21 8:32 AM, Dario García Díaz-Miguel wrote: Note that SUSE announced not to support OpenLDAP server packages anymore. This might be a fallout of this decision. You should challenge this stupid policy. Not only because of password hashing, but also because release 2.4.46 is three years old. Newer OpenLDAP releases have many important fixes. Thus for my customers I'm maintaining own builds e.g. for SLE15SP2 which install in a different prefix. Feel free to use that or branch from that to your own OBS project: https://build.opensuse.org/package/show/home:stroeder:openldap24/openldap-ms https://download.opensuse.org/repositories/home:/stroeder:/openldap24/SLE... More important you should be aware that {SHA256} password hash scheme is really weak. Because SHA-2 are fast and only one hash round is applied. Another option you should be able to directly use is {CRYPT} as Dale already mentioned in his answer. In my Æ-DIR's default config I'm currently using password-hash {CRYPT} password-crypt-salt-format "$6$rounds=20000$%.16s" See man page crypt(5) to find that $6$ is sha512crypt and I'm using 20000 rounds. This is better than a simple SHA-2 hash. Caveat: {CRYPT} hashes are not portable. But most modern Linuxes support this since several years. Ciao, Michael.