On Thu, Mar 16, 2023 at 10:08 AM Quanah Gibson-Mount quanah@fast-mail.org wrote:
--On Saturday, March 11, 2023 7:51 PM +0100 Stefan Kania stefan@kania-online.de wrote:
For a rootdn
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$ZGJmZ2lrbmpiZHZzZ3NhdmRzZw$J6eXYSxY4tDs4l8SdBkIwcAU0OqEEdR0gpFNJ5MSqQs
This makes sense, since you can't use the LDAPv3 password modify operation to update this password value.
and a posix or simpleSecurityObject:
dn: uid=repl-user,ou=users,dc=example,dc=net
changetype: modify
replace: userPassword
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNsYXQ5ODc2NTQzMg$Td51W49s0X74om++/EnMRsP4La3x46KufcGGY01T8+M
This doesn't make sense. You should be using an LDAPv3 password modify operation on the user account in question and letting the server do the hashing (which also allows password policies, if deployed, to be used).
If I understand things correctly, the server does not hash the password. The server never gets to see the plaintext password.
See https://www.postgresql.org/message-id/379034.1673389287%40sss.pgh.pa.us .
Jeff
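The difference Quanah is pointing at is visible on the wire. With "replace: userPassword" in LDIF, the client has to hand the server a finished {ARGON2} string, so the client chooses the scheme and parameters and no password policy can inspect the plaintext. With the LDAPv3 Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1) the new password travels in the clear inside the request, and the server hashes it with whatever scheme it is configured for. The following is an added example, not code from this thread or from OpenLDAP: it builds the exop request by hand with a minimal BER encoder and then decodes it the way a server would, to show that the plaintext is what arrives. The DN mirrors the one in the thread; the password "s3cret" and the message ID are constructed sample values.

```python
"""Build and decode an LDAPv3 Password Modify extended request (RFC 3062).

Added example, not code from the openldap-technical thread or from OpenLDAP.
Shows that the *plaintext* new password is carried inside the exop, so the
server (not the client) selects the hash scheme and can apply password policy.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify


# --- minimal BER helpers (definite-length encoding only) ---------------------

def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement length; enough for message IDs."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


# --- client side: the request ------------------------------------------------

def passwd_modify_value(user_dn=None, old_pw=None, new_pw=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    Omitting userIdentity means "the bound identity"; omitting newPasswd asks
    the server to generate one (RFC 3062).  Context-specific primitive tags
    [0], [1], [2] are 0x80, 0x81, 0x82."""
    parts = b""
    if user_dn is not None:
        parts += tlv(0x80, user_dn.encode())
    if old_pw is not None:
        parts += tlv(0x81, old_pw.encode())
    if new_pw is not None:
        parts += tlv(0x82, new_pw.encode())
    return tlv(0x30, parts)


def passwd_modify_request(msg_id: int, user_dn=None, old_pw=None, new_pw=None) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, ExtendedRequest }
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE {     -- tag 0x77
         requestName  [0] LDAPOID,                      -- tag 0x80
         requestValue [1] OCTET STRING OPTIONAL }       -- tag 0x81"""
    value = passwd_modify_value(user_dn, old_pw, new_pw)
    ext = tlv(0x80, PASSWD_MODIFY_OID.encode()) + tlv(0x81, value)
    return tlv(0x30, ber_int(msg_id) + tlv(0x77, ext))


# --- server side: what actually arrives --------------------------------------

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, payload, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), got 0x{tag:02x}")


def decode_passwd_modify_request(msg: bytes) -> dict:
    """Unpack an LDAPMessage carrying a Password Modify request.  The returned
    new_pw is the plaintext: this is the value slapd hashes with the configured
    olcPasswordHash scheme and runs through ppolicy before storing it."""
    tag, body, _ = parse_tlv(msg)
    _expect(tag, 0x30, "LDAPMessage")
    tag, mid, pos = parse_tlv(body)
    _expect(tag, 0x02, "messageID")
    tag, ext, _ = parse_tlv(body, pos)
    _expect(tag, 0x77, "ExtendedRequest")
    tag, oid, pos = parse_tlv(ext)
    _expect(tag, 0x80, "requestName")
    if oid.decode() != PASSWD_MODIFY_OID:
        raise ValueError(f"not a Password Modify exop: {oid.decode()}")
    tag, value, _ = parse_tlv(ext, pos)
    _expect(tag, 0x81, "requestValue")
    tag, seq, _ = parse_tlv(value)
    _expect(tag, 0x30, "PasswdModifyRequestValue")
    out = {"msg_id": int.from_bytes(mid, "big", signed=True),
           "user_dn": None, "old_pw": None, "new_pw": None}
    names = {0x80: "user_dn", 0x81: "old_pw", 0x82: "new_pw"}
    pos = 0
    while pos < len(seq):
        tag, payload, pos = parse_tlv(seq, pos)
        out[names[tag]] = payload.decode()
    return out


if __name__ == "__main__":
    # Constructed sample: DN from the thread, password and message ID made up.
    req = passwd_modify_request(1, "uid=repl-user,ou=users,dc=example,dc=net", new_pw="s3cret")
    print(req.hex())
    print(decode_passwd_modify_request(req))   # new_pw arrives as plaintext
```

Note that the exop gives the server the plaintext only for the duration of the request; it still has to be sent over TLS or a Unix socket, and it is only usable against an entry the server can modify (which is why the rootdn's olcRootPW in cn=config still has to be set as a pre-hashed value).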