Am 18.03.21 um 16:13 schrieb Dale Thompson - NOAA Federal:
There is a slightly sneaky way to get openldap to support any crypt the native OS will support with the {CRYPT} option. Change the openldap option password-crypt-salt-format. On my servers the value is set to "$6$%.8s" which gives the result of using sha512 (one of several sha2 choices). This trick will depend on which choices are built into your native OS crypt function. In theory look at the crypt(5) man page to find this information. We've been doing this locally for probably a decade and it works well.
This solution gives you the nice opportunity to create shadow files from LDAP entries if needed. Some systems still work better with local accounts and with above configuration you can keep them synchronized with the rest ouf your organisation by a simple cronjob.
On Thu, Mar 18, 2021 at 9:59 AM Dario García Díaz-Miguel <dgdiaz@gmv.com mailto:dgdiaz@gmv.com> wrote:
Hello, We have a question related with the pw-sha2 module. We have deployed OpenLDAP2.4.46-9.31.1 on SLES15 SP2 from the official Suse Repository and we are able to use {CRYPT} {MD5} {SMD5} {SSHA} and {SHA}. We are awared that in order to support SHA-256 we have to load the contrib module named pw-sha2 which it was included on SLES12SP5 but is totally missing on SLES15SP2 package. This means that we would need to compile it, but due to limitations of the project we are working on we are not allowed to compile anything external. So I checked the changelog and I found that support was added on 2.4.32 release. Is it possible that the openldap2 package could have been compiled with the module features itself and I just need to add some kind of attribute or entry to my LDAP directory in order to enable it? We have tried to use Apache Directory Studio instead of slappasswd and we have set up a password to SHA256 but the bind won't work. Instead, CRYPT-SHA256 works so I can't figure out why. I suppose I'm totally misunderstanding this and the compilation of the module is required, but a little light ray of hope is there. Thank you so much. Regards. P Please consider the environment before printing this e-mail.-- Dale James Thompson, NWS NEXRAD Radar Operations Center IT Specialist, Configuration Management Team
Voice (405) 573-3472 Fax (405) 573-3480 Dale.J.Thompson@noaa.gov mailto:Dale.J.Thompson@noaa.gov