It depends on what your operating system’s crypt(3) supports. Most Linux/Unix system should support MD5crypt, but that is no longer considered secure (per the original author, PHK).
If you want to use SHA256crypt you would use:
olcPasswordCryptSaltFormat: $5$%.16s
If you want to use SHA512crypt, then
olcPasswordCryptSaltFormat: $6$%.16s
The SHA2crypt family is discussed more at:
https://en.wikipedia.org/wiki/Crypt_(C)#SHA2-based_scheme https://www.akkadia.org/drepper/sha-crypt.html
I’m not sure what the difference/s between SHA2crypt and SSHA2 is/are. Most Linux distributions use SHA512crypt to secure root’s password in the shadow(5) file if that means anything.
On Aug 25, 2016, at 13:02, Net Warrior netwarrior863@gmail.com wrote:
Thank you very much for that!! do you know if it support md5crypt or if there any stong algorithm instead? for example phpldapadmin has it as an option, but I want to force it.
Best regards Thanks for your time and support
On 08/25/2016 01:23 PM, Clément OUDOT wrote:
Le 25/08/2016 à 18:12, Net Warrior a écrit :
Hi Guys
I need some guidance on this, I configured a ppolicy for a DIT which has all the users in plain password, I added to following to the policy
changetype: modify replace: olcPPolicyHashCleartext olcPPolicyHashCleartext: FALSE
When the user reset it password, it changes from clear password to encrypted using ssha but I want to store them using md5crypt, what do I need to change in my configuration?
See olcPasswordHash parameter.
From man slapd-config :
olcPasswordHash: <hash> [<hash>...] This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}. {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed. {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed. {CRYPT} uses the crypt(3). {CLEARTEXT} indicates that the new password should be added to userPassword as clear text. Note that this option does not alter the normal user applications handling of userPassword during LDAP Add, Modify, or other LDAP operations. This setting is only allowed in the frontend entry.