There is a slightly sneaky way to get openldap to support any crypt the native OS will support with the {CRYPT} option. Change the openldap option password-crypt-salt-format. On my servers the value is set to "$6$%.8s" which gives the result of using sha512 (one of several sha2 choices). This trick will depend on which choices are built into your native OS crypt function. In theory look at the crypt(5) man page to find this information. We've been doing this locally for probably a decade and it works well.

On Thu, Mar 18, 2021 at 9:59 AM Dario García Díaz-Miguel <dgdiaz@gmv.com> wrote:

Hello,

We have a question related with the pw-sha2 module.
We have deployed OpenLDAP2.4.46-9.31.1 on SLES15 SP2 from the official Suse Repository and we are able to use {CRYPT} {MD5} {SMD5} {SSHA} and {SHA}.

We are awared that in order to support SHA-256 we have to load the contrib module named pw-sha2 which it was included on SLES12SP5 but is totally missing on SLES15SP2 package. This means that we would need to compile it, but due to limitations of the project we are working on we are not allowed to compile anything external.

So I checked the changelog and I found that support was added on 2.4.32 release.

Is it possible that the openldap2 package could have been compiled with the module features itself and I just need to add some kind of attribute or entry to my LDAP directory in order to enable it?

We have tried to use Apache Directory Studio instead of slappasswd and we have set up a password to SHA256 but the bind won't work. Instead, CRYPT-SHA256 works so I can't figure out why.

I suppose I'm totally misunderstanding this and the compilation of the module is required, but a little light ray of hope is there.

Thank you so much.
Regards.

P Please consider the environment before printing this e-mail.