On 3/18/21 8:32 AM, Dario García Díaz-Miguel wrote:
> We are aware that in order to support SHA-256 we have to load the
> contrib module named pw-sha2, which was included in SLES12SP5 but
> is totally missing from the SLES15SP2 package.
Note that SUSE announced not to support OpenLDAP server packages
anymore. This might be a fallout of this decision.
> This means that we would need to compile it, but due to limitations
> of the project we are working on we are not allowed to compile
> anything external.
You should challenge this stupid policy. Not only because of password
hashing, but also because release 2.4.46 is three years old. Newer
OpenLDAP releases have many important fixes.
Thus for my customers I'm maintaining my own builds, e.g. for SLE15SP2, which
install into a different prefix. Feel free to use that or branch from that
to your own OBS project:
https://build.opensuse.org/package/show/home:stroeder:openldap24/openldap-ms
https://download.opensuse.org/repositories/home:/stroeder:/openldap24/SLE...
More importantly, you should be aware that the {SHA256} password hash scheme is
really weak, because SHA-2 hashes are fast and only one hash round is applied.
Another option you should be able to directly use is {CRYPT} as Dale
already mentioned in his answer.
In my Æ-DIR's default config I'm currently using
password-hash {CRYPT}
password-crypt-salt-format "$6$rounds=20000$%.16s"
See the man page crypt(5) to find that $6$ is sha512crypt; I'm using
20000 rounds. This is better than a simple SHA-2 hash.
Caveat: {CRYPT} hashes are not portable. But most modern Linuxes have supported
this for several years.
Ciao, Michael.
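To audit an existing directory for the weakness Michael describes, here is an added Python example (not part of the thread, of OpenLDAP or of Æ-DIR): it classifies userPassword values, flagging single-round schemes such as {SHA256} and {CRYPT} values that are not sha256crypt/sha512crypt with at least the 20000 rounds used above. The sample values are constructed, the 20000-round threshold and 16-character salt come from the salt format in the thread, and the 5000-round default for an omitted rounds= is glibc's, per crypt(5).

```python
import re

# Constructed sample userPassword values (not taken from the thread).
# Hash bodies are dummies; only scheme, crypt id, rounds and salt are inspected.
SAMPLE_USERPASSWORDS = [
    "{SHA256}" + "A" * 44,                                   # single SHA-2 round
    "{CRYPT}$6$rounds=20000$abcdefghijklmnop$" + "x" * 86,   # the thread's salt format
    "{CRYPT}$6$abcdefghijklmnop$" + "x" * 86,                # rounds= omitted, glibc default
    "{CRYPT}$1$abcdefgh$" + "y" * 22,                        # md5crypt
    "secret",                                                # no scheme prefix at all
]

MIN_ROUNDS = 20000      # threshold taken from the thread's "$6$rounds=20000$%.16s"
DEFAULT_ROUNDS = 5000   # glibc default for $5$/$6$ when rounds= is omitted (crypt(5))
MIN_SALT_LEN = 8        # "%.16s" gives 16 chars; anything shorter than 8 is flagged

# Schemes that apply a single fast hash round (salted or not), or none at all
SINGLE_ROUND_SCHEMES = {"MD5", "SMD5", "SHA", "SSHA", "SHA256", "SSHA256",
                        "SHA384", "SSHA384", "SHA512", "SSHA512", "CLEARTEXT"}

def classify(value):
    """Return (scheme, verdict, reason) for one userPassword attribute value."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return ("none", "weak", "no {scheme} prefix, stored as cleartext")
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme in SINGLE_ROUND_SCHEMES:
        return (scheme, "weak", "single fast hash round (or cleartext)")
    if scheme != "CRYPT":
        return (scheme, "unknown", "scheme not covered by this audit")
    # crypt(5) layout: $id$[rounds=N$]salt$hash  ->  ['', id, ...]
    parts = body.split("$")
    if len(parts) < 4 or parts[1] not in ("5", "6"):
        return (scheme, "weak", "crypt id is not $5$ (sha256crypt) or $6$ (sha512crypt)")
    rounds, salt = DEFAULT_ROUNDS, parts[2]
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        salt = parts[3] if len(parts) > 4 else ""
    if rounds < MIN_ROUNDS:
        return (scheme, "weak", f"only {rounds} rounds, below {MIN_ROUNDS}")
    if len(salt) < MIN_SALT_LEN:
        return (scheme, "weak", f"salt is only {len(salt)} chars")
    return (scheme, "ok", f"${parts[1]}$ with {rounds} rounds and {len(salt)}-char salt")

def flagged_entries(values):
    """Return [(index, scheme, reason)] for every value whose verdict is not 'ok'."""
    return [(i, s, r) for i, (s, v, r) in enumerate(map(classify, values)) if v != "ok"]

if __name__ == "__main__":
    for i, s, r in flagged_entries(SAMPLE_USERPASSWORDS):
        print(f"entry {i}: {s}: {r}")
```

Feed it the userPassword values from an LDIF export of your directory; only the entry using the {CRYPT} sha512crypt format from the thread passes.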