It depends on what your operating system’s crypt(3) supports. Most Linux/Unix systems
should support MD5crypt, but that is no longer considered secure (per the original author,
PHK).
If you want to use SHA256crypt you would use:
olcPasswordCryptSaltFormat: $5$%.16s
If you want to use SHA512crypt, then
olcPasswordCryptSaltFormat: $6$%.16s
The SHA2crypt family is discussed more at:
https://en.wikipedia.org/wiki/Crypt_(C)#SHA2-based_scheme
https://www.akkadia.org/drepper/sha-crypt.html
I’m not sure what the difference/s between SHA2crypt and SSHA2 is/are. Most Linux
distributions use SHA512crypt to secure root’s password in the shadow(5) file if that
means anything.
On Aug 25, 2016, at 13:02, Net Warrior
<netwarrior863(a)gmail.com> wrote:
Thank you very much for that!! Do you know if it supports md5crypt or if there is any strong
algorithm instead? For example phpldapadmin has it as an option, but I want to force it.
Best regards
Thanks for your time and support
On 08/25/2016 01:23 PM, Clément OUDOT wrote:
> On 25/08/2016 at 18:12, Net Warrior wrote:
>
>> Hi Guys
>>
>> I need some guidance on this, I configured a ppolicy for a DIT which has all the
>> users in plain password, I added the following to the policy
>>
>> changetype: modify
>> replace: olcPPolicyHashCleartext
>> olcPPolicyHashCleartext: FALSE
>>
>> When the user resets its password, it changes from clear password to encrypted
>> using ssha but I want to store them using md5crypt, what do I need to change in my
>> configuration?
>>
>
> See olcPasswordHash parameter.
>
> From man slapd-config :
>
> olcPasswordHash: <hash> [<hash>...]
> This option configures one or more hashes to be used in generation
> of user passwords stored in the userPassword attribute during processing of LDAP
> Password Modify Extended Operations (RFC 3062). The <hash> must
> be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is
> {SSHA}.
>
> {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a
> seed.
>
> {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a
> seed.
>
> {CRYPT} uses the crypt(3).
>
> {CLEARTEXT} indicates that the new password should be added to
> userPassword as clear text.
>
> Note that this option does not alter the normal user applications
> handling of userPassword during LDAP Add, Modify, or other LDAP operations. This
> setting is only allowed in the frontend entry.
>
>
>
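An added example, not part of the original thread: a small audit that reads an LDIF export and reports which userPassword values are not yet stored as {CRYPT} with the `$6$` (SHA512crypt) prefix discussed above. The function names, the sample entries and the placeholder digests are all constructed for illustration.

```python
import base64
import re

# crypt(3) method ids as they appear in a "$id$salt$hash" string
CRYPT_IDS = {"1": "MD5crypt", "5": "SHA256crypt", "6": "SHA512crypt"}

def classify(value):
    """Label one decoded userPassword value by its storage scheme."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if not m or m.group(1).upper() == "CLEARTEXT":
        return "cleartext"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme                      # e.g. SSHA, SHA, SMD5, MD5
    c = re.match(r"\$([0-9a-z]+)\$", rest)
    if not c:
        return "crypt:traditional"         # no $id$ prefix in the crypt string
    return "crypt:" + CRYPT_IDS.get(c.group(1), "id-" + c.group(1))

def audit(ldif, wanted=("crypt:SHA512crypt",)):
    """Return [(dn, label)] for each userPassword not stored in a wanted scheme."""
    findings, dn = [], None
    for line in ldif.replace("\n ", "").splitlines():   # undo LDIF line folding
        key, _, raw = line.partition(":")
        if key.lower() == "dn":
            dn = raw.strip()
        elif key.lower() == "userpassword":
            value = raw.strip()
            if raw.startswith(":"):                     # "::" marks a base64 value
                value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            label = classify(value)
            if label not in wanted:
                findings.append((dn, label))
    return findings

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample export; the digests are placeholders, not real hashes.
SAMPLE_LDIF = "\n\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org\nuserPassword: constructed-plain-value",
    "dn: uid=bob,ou=people,dc=example,dc=org\nuserPassword:: " + _b64("{SSHA}PLACEHOLDERDIGEST"),
    "dn: uid=carol,ou=people,dc=example,dc=org\nuserPassword:: " + _b64("{CRYPT}$1$abcdefgh$PLACEHOLDER"),
    "dn: uid=dave,ou=people,dc=example,dc=org\nuserPassword:: " + _b64("{CRYPT}$6$0123456789abcdef$PLACEHOLDER"),
])

if __name__ == "__main__":
    for dn, label in audit(SAMPLE_LDIF):
        print(label, dn)
```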