On 18.03.21 at 16:13, Dale Thompson - NOAA Federal wrote:
There is a slightly sneaky way to get openldap to support any crypt the native OS will support with the {CRYPT} option. Change the openldap option password-crypt-salt-format. On my servers the value is set to "$6$%.8s" which gives the result of using sha512 (one of several sha2 choices). This trick will depend on which choices are built into your native OS crypt function. In theory look at the crypt(5) man page to find this information. We've been doing this locally for probably a decade and it works well.
This solution gives you the nice opportunity to create shadow files from LDAP entries if needed.
Some systems still work better with local accounts, and with the above configuration you can keep them synchronized with the rest of your organisation by a simple cronjob.
On Thu, Mar 18, 2021 at 9:59 AM Dario García Díaz-Miguel <dgdiaz(a)gmv.com> wrote:
Hello,
We have a question related to the pw-sha2 module.
We have deployed OpenLDAP 2.4.46-9.31.1 on SLES15 SP2 from the official SUSE repository and we are able to use {CRYPT} {MD5} {SMD5} {SSHA} and {SHA}.
We are aware that in order to support SHA-256 we have to load the contrib module named pw-sha2, which was included on SLES12 SP5 but is totally missing from the SLES15 SP2 package. This means that we would need to compile it, but due to limitations of the project we are working on we are not allowed to compile anything external.
So I checked the changelog and I found that support was added in the 2.4.32 release.
Is it possible that the openldap2 package could have been compiled with the module features itself and I just need to add some kind of attribute or entry to my LDAP directory in order to enable it?
We have tried to use Apache Directory Studio instead of slappasswd and we have set up a password to SHA256, but the bind won't work. Instead, CRYPT-SHA256 works, so I can't figure out why.
I suppose I'm totally misunderstanding this and the compilation of the module is required, but a little ray of hope is there.
Thank you so much.
Regards.
--
Dale James Thompson, NWS
NEXRAD Radar Operations Center
IT Specialist, Configuration Management Team
Voice (405) 573-3472
Fax (405) 573-3480
Dale.J.Thompson(a)noaa.gov
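Added example, not code from either poster: a pure-Python model of the salt-format trick above. It expands a printf-style password-crypt-salt-format pattern into a "$6$<8 chars>" setting (the random-salt alphabet is an assumption, not slapd's own code), computes the crypt(3) SHA-512 hash with hashlib so the result matches what the OS crypt() and slappasswd produce, and checks a bind against the stored {CRYPT} value; the part after {CRYPT} is what the shadow file built from LDAP would carry.

```python
import hashlib, hmac, secrets, string
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def expand_salt_format(fmt="$6$%.8s", nchars=16):
    """Model of slapd's password-crypt-salt-format: a printf-style pattern whose
    %s is filled with random salt characters; "%.8s" keeps 8 of them, so
    "$6$xxxxxxxx" selects SHA-512 crypt. The alphabet here is an assumption."""
    alphabet = string.ascii_letters + string.digits + "./"
    return fmt % "".join(secrets.choice(alphabet) for _ in range(nchars))

def sha512_crypt(password, setting, rounds=5000):
    """crypt(3) SHA-512 ($6$) per the sha-crypt spec, hashlib only; returns "$6$<salt>$<86 chars>"."""
    pw = password.encode()
    salt = setting[3:].split("$")[0][:16].encode()        # text after "$6$", max 16 chars
    H = lambda *parts: hashlib.sha512(b"".join(parts)).digest()
    n = len(pw)
    b = H(pw, salt, pw)                                    # digest B
    a = hashlib.sha512(pw + salt)                          # digest A: pw, salt, then B...
    a.update(b * (n // 64) + b[: n % 64])
    bits = n
    while bits:                                            # one B or pw per bit of len(pw)
        a.update(b if bits & 1 else pw)
        bits >>= 1
    a = a.digest()
    dp = H(pw * n)
    p = dp * (n // 64) + dp[: n % 64]                      # P: DP stretched to len(pw)
    s = H(salt * (16 + a[0]))[: len(salt)]                 # S: DS cut to len(salt)
    c = a
    for i in range(rounds):                                # key-stretching loop
        c = H(p if i & 1 else c, s if i % 3 else b"",
              p if i % 7 else b"", c if i & 1 else p)
    def enc(b2, b1, b0, count):                            # crypt's base64, low bits first
        w = (b2 << 16) | (b1 << 8) | b0
        return "".join(B64[(w >> (6 * j)) & 0x3F] for j in range(count))
    out = ""
    for g in range(21):                                    # byte permutation from the spec
        t = (g, g + 21, g + 42)
        i, j, k = t[g % 3:] + t[: g % 3]
        out += enc(c[i], c[j], c[k], 4)
    return "$6$%s$%s" % (salt.decode(), out + enc(0, 0, c[63], 2))

def ldap_userpassword(password, salt_format="$6$%.8s"):
    """userPassword value slapd stores with {CRYPT}; the part after {CRYPT} is shadow-ready."""
    return "{CRYPT}" + sha512_crypt(password, expand_salt_format(salt_format))

def verify(password, user_password):
    """Simple-bind check against a {CRYPT} value: rehash with the stored salt."""
    stored = user_password[len("{CRYPT}"):]                 # assumes the {CRYPT} prefix
    return hmac.compare_digest(sha512_crypt(password, stored.rsplit("$", 1)[0]), stored)
```

The known-answer check is the "$6$saltstring" / "Hello world!" vector from the sha-crypt specification; a hash produced by `openssl passwd -6` or `slappasswd -c '$6$%.8s'` verifies the same way.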