On Tue, Mar 04, 2025 at 07:48:41AM +0000, Windl, Ulrich wrote:
Hi!
After having loaded pw-sha2 in OpenLDAP 2.5, I tried to set a new default hashing schema, but I fail to do so using
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}

modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Object class violation (65)
	additional info: attribute 'olcPasswordHash' not allowed

Before I had tried "replace" instead of "add", and I tried to place both values in one line as suggested by slapd-config:

olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
The manual page also states: This setting is only allowed in the frontend entry.
Not sure, sounds like a typo somewhere but I would question the need to add more than one olcPasswordHash BTW. It specifies what hash will be used to hash a new password, it is *not* used to specify the hashes that the server understands (that's achieved by loading the appropriate module as you've done already).
If you put 2 hashes in there and send a password modify, the user will now have 2 userPassword values (the same password hashed with both), that's rarely useful and for instance the ppolicy overlay very much doesn't like that situation.
Regards,
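To make the reply's point concrete, here is an added Python example (not code from the thread or from the OpenLDAP project) that models what a Password Modify extended operation does with the configured olcPasswordHash list. It assumes the on-the-wire format of the two salted schemes discussed, {SSHA} (built in) and {SSHA256} (pw-sha2): the scheme prefix followed by base64 of digest(password || salt) || salt. The `password_modify` function is a simulation of the server's behaviour, not a slapd API; the entry and password are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Salted digest schemes: {SSHA} is slapd's built-in SHA-1 scheme, {SSHA256}
# comes from the pw-sha2 module. Both store base64(digest || salt).
SCHEMES = {
    "{SSHA}": hashlib.sha1,
    "{SSHA256}": hashlib.sha256,
}


def hash_password(password: str, scheme: str = "{SSHA256}",
                  salt: Optional[bytes] = None) -> str:
    """Produce one userPassword value in the given scheme.

    A fixed salt may be supplied for reproducible tests; a random one is
    drawn otherwise, as the server would do.
    """
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if salt is None:
        salt = os.urandom(8)
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against one stored userPassword value.

    The scheme prefix selects the digest; the salt is recovered from the
    tail of the decoded blob, so any salt length works.
    """
    for scheme, algo in SCHEMES.items():
        if stored.startswith(scheme):
            raw = base64.b64decode(stored[len(scheme):])
            dlen = algo().digest_size
            digest, salt = raw[:dlen], raw[dlen:]
            candidate = algo(password.encode("utf-8") + salt).digest()
            return hmac.compare_digest(candidate, digest)
    raise ValueError("stored value uses a scheme this checker does not know")


def password_modify(entry: Dict[str, List[str]], new_password: str,
                    olc_password_hash: List[str]) -> Dict[str, List[str]]:
    """Simulated Password Modify exop (hypothetical model, not slapd code).

    With N configured hashes the entry ends up with N userPassword values,
    one per scheme, all for the same cleartext. This is the situation the
    reply warns about: configure a single scheme unless you want that.
    """
    updated = dict(entry)
    updated["userPassword"] = [hash_password(new_password, s)
                               for s in olc_password_hash]
    return updated


# Constructed sample entry and password for illustration.
SAMPLE_ENTRY = {"uid": ["alice"], "userPassword": ["{SSHA}old-value"]}
SAMPLE_PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    one = password_modify(SAMPLE_ENTRY, SAMPLE_PASSWORD, ["{SSHA256}"])
    two = password_modify(SAMPLE_ENTRY, SAMPLE_PASSWORD, ["{SSHA256}", "{SSHA}"])
    print("single scheme ->", len(one["userPassword"]), "userPassword value")
    print("two schemes   ->", len(two["userPassword"]), "userPassword values")
    for value in two["userPassword"]:
        print(value[:12] + "...", verify_password(SAMPLE_PASSWORD, value))
```

Running it shows why a single olcPasswordHash value is the normal configuration: with two schemes listed, every password change writes two userPassword values that both verify, which is exactly what overlays such as ppolicy do not expect.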