9:12 a.m.
Hi Guys
I need some guidance on this, I configured a ppolicy for a DIT which has
all the users in plain password, I added to following to the policy
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: FALSE
When the user reset it password, it changes from clear password to
encrypted using ssha but I want to store them using md5crypt, what do I
need to change in my configuration?
Thank you very much for your time and support
Regards
9:23 a.m.
Le 25/08/2016 à 18:12, Net Warrior a écrit :
Hi Guys
I need some guidance on this, I configured a ppolicy for a DIT which
has all the users in plain password, I added to following to the policy
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: FALSE
When the user reset it password, it changes from clear password to
encrypted using ssha but I want to store them using md5crypt, what do
I need to change in my configuration?
See olcPasswordHash parameter.
From man slapd-config :
olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used
in generation of user passwords stored in the userPassword attribute
during processing of LDAP
Password Modify Extended Operations (RFC 3062). The
<hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and
{CLEARTEXT}. The default is
{SSHA}.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1),
the latter with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the
latter with a seed.
{CRYPT} uses the crypt(3).
{CLEARTEXT} indicates that the new password should be
added to userPassword as clear text.
Note that this option does not alter the normal user
applications handling of userPassword during LDAP Add, Modify, or other
LDAP operations. This
setting is only allowed in the frontend entry.
--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
10:02 a.m.
Thank you very much for that!! do you know if it support md5crypt or if
there any stong algorithm instead? for example phpldapadmin has it as an
option, but I want to force it.
Best regards
Thanks for your time and support
On 08/25/2016 01:23 PM, Clément OUDOT wrote:
Le 25/08/2016 à 18:12, Net Warrior a écrit :
> Hi Guys
>
> I need some guidance on this, I configured a ppolicy for a DIT which
> has all the users in plain password, I added to following to the policy
>
> changetype: modify
> replace: olcPPolicyHashCleartext
> olcPPolicyHashCleartext: FALSE
>
> When the user reset it password, it changes from clear password to
> encrypted using ssha but I want to store them using md5crypt, what do
> I need to change in my configuration?
>
See olcPasswordHash parameter.
From man slapd-config :
olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used
in generation of user passwords stored in the userPassword attribute
during processing of LDAP
Password Modify Extended Operations (RFC 3062). The
<hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and
{CLEARTEXT}. The default is
{SSHA}.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1),
the latter with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the
latter with a seed.
{CRYPT} uses the crypt(3).
{CLEARTEXT} indicates that the new password should be
added to userPassword as clear text.
Note that this option does not alter the normal user
applications handling of userPassword during LDAP Add, Modify, or
other LDAP operations. This
setting is only allowed in the frontend entry.
4:46 p.m.
It depends on what your operating system’s crypt(3) supports. Most Linux/Unix system
should support MD5crypt, but that is no longer considered secure (per the original author,
PHK).
If you want to use SHA256crypt you would use:
olcPasswordCryptSaltFormat: $5$%.16s
If you want to use SHA512crypt, then
olcPasswordCryptSaltFormat: $6$%.16s
The SHA2crypt family is discussed more at:
https://en.wikipedia.org/wiki/Crypt_(C)#SHA2-based_scheme
https://www.akkadia.org/drepper/sha-crypt.html
I’m not sure what the difference/s between SHA2crypt and SSHA2 is/are. Most Linux
distributions use SHA512crypt to secure root’s password in the shadow(5) file if that
means anything.
On Aug 25, 2016, at 13:02, Net Warrior
<netwarrior863(a)gmail.com> wrote:
Thank you very much for that!! do you know if it support md5crypt or if there any stong
algorithm instead? for example phpldapadmin has it as an option, but I want to force it.
Best regards
Thanks for your time and support
On 08/25/2016 01:23 PM, Clément OUDOT wrote:
> Le 25/08/2016 à 18:12, Net Warrior a écrit :
>
>> Hi Guys
>>
>> I need some guidance on this, I configured a ppolicy for a DIT which has all the
users in plain password, I added to following to the policy
>>
>> changetype: modify
>> replace: olcPPolicyHashCleartext
>> olcPPolicyHashCleartext: FALSE
>>
>> When the user reset it password, it changes from clear password to encrypted
using ssha but I want to store them using md5crypt, what do I need to change in my
configuration?
>>
>
> See olcPasswordHash parameter.
>
> From man slapd-config :
>
> olcPasswordHash: <hash> [<hash>...]
> This option configures one or more hashes to be used in generation
of user passwords stored in the userPassword attribute during processing of LDAP
> Password Modify Extended Operations (RFC 3062). The <hash> must
be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is
> {SSHA}.
>
> {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a
seed.
>
> {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a
seed.
>
> {CRYPT} uses the crypt(3).
>
> {CLEARTEXT} indicates that the new password should be added to
userPassword as clear text.
>
> Note that this option does not alter the normal user applications
handling of userPassword during LDAP Add, Modify, or other LDAP operations. This
> setting is only allowed in the frontend entry.
>
>
>
4:54 p.m.
--On Thursday, August 25, 2016 8:46 PM -0400 David Magda
<dmagda(a)ee.ryerson.ca> wrote:
It depends on what your operating system's crypt(3) supports.
Most
Linux/Unix system should support MD5crypt, but that is no longer
considered secure (per the original author, PHK).
Some crypt implementations are non-portable, so using crypt can be
problematic. Generally with the SSHA2 contrib module, there's not a need
to go the crypt route.
More information at
<https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/pa...
--Quanah
--
Quanah Gibson-Mount
5:19 p.m.
On Aug 25, 2016, at 19:54, Quanah Gibson-Mount
<quanah(a)zimbra.com> wrote:
--On Thursday, August 25, 2016 8:46 PM -0400 David Magda <dmagda(a)ee.ryerson.ca>
wrote:
> It depends on what your operating system's crypt(3) supports. Most
> Linux/Unix system should support MD5crypt, but that is no longer
> considered secure (per the original author, PHK).
Some crypt implementations are non-portable, so using crypt can be problematic.
Generally with the SSHA2 contrib module, there's not a need to go the crypt route.
More information at
<https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/pa...
True, though if all the OpenLDAP servers are running on some variant of Linux or FreeBSD 9
or newer, then SHA256-crypt and SHA512-crypt should be available. Folks from Sun and IBM
helped with the creation, so Solaris (10u6 and newer) and I’m guessing some versions of
AIX may support it as well (see "/etc/security/pwdalg.cfg”).
Also, unless I’m misreading the C code above (which is entirely possible), it looks like
the sha2.c contrib module only does one iteration of hashing. Whereas the SHA2-based-crypt
algorithm does at least five thousand by default, and can optionally be told to do unto
999,999,999.
Also, straight SHA2, even with salting, is going to fall quite quickly to John the Ripper
and such. The SHA2crypt has been designed specifically to be slow for the purposes of
securely storing password hashes.
6:07 p.m.
Thank you very much for your comments.
Regards
On 08/25/2016 08:54 PM, Quanah Gibson-Mount wrote:
--On Thursday, August 25, 2016 8:46 PM -0400 David Magda
<dmagda(a)ee.ryerson.ca> wrote:
> It depends on what your operating system's crypt(3) supports. Most
> Linux/Unix system should support MD5crypt, but that is no longer
> considered secure (per the original author, PHK).
Some crypt implementations are non-portable, so using crypt can be
problematic. Generally with the SSHA2 contrib module, there's not a
need to go the crypt route.
More information at
<https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/pa...
--Quanah
--
Quanah Gibson-Mount
10:03 a.m.
Thank you very much for that!! do you know if it support md5crypt or if
there any stong algorithm instead? for example phpldapadmin has it as an
option, but I want to force it.
Best regards
Thanks for your time and support
On 08/25/2016 01:23 PM, Clément OUDOT wrote:
Le 25/08/2016 à 18:12, Net Warrior a écrit :
> Hi Guys
>
> I need some guidance on this, I configured a ppolicy for a DIT which
> has all the users in plain password, I added to following to the policy
>
> changetype: modify
> replace: olcPPolicyHashCleartext
> olcPPolicyHashCleartext: FALSE
>
> When the user reset it password, it changes from clear password to
> encrypted using ssha but I want to store them using md5crypt, what do
> I need to change in my configuration?
>
See olcPasswordHash parameter.
From man slapd-config :
olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used
in generation of user passwords stored in the userPassword attribute
during processing of LDAP
Password Modify Extended Operations (RFC 3062). The
<hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and
{CLEARTEXT}. The default is
{SSHA}.
{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1),
the latter with a seed.
{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the
latter with a seed.
{CRYPT} uses the crypt(3).
{CLEARTEXT} indicates that the new password should be
added to userPassword as clear text.
Note that this option does not alter the normal user
applications handling of userPassword during LDAP Add, Modify, or
other LDAP operations. This
setting is only allowed in the frontend entry.
10:08 a.m.
--On Thursday, August 25, 2016 3:03 PM -0300 Net Warrior
<netwarrior863(a)gmail.com> wrote:
Thank you very much for that!! do you know if it support md5crypt or
if
there any stong algorithm instead? for example phpldapadmin has it as an
Use the contrib SSHA2 module. I personally use SSHA512 in my deployments.
--Quanah
--
Quanah Gibson-Mount
10:33 a.m.
Thank you very much.
Regards
On 08/25/2016 02:08 PM, Quanah Gibson-Mount wrote:
--On Thursday, August 25, 2016 3:03 PM -0300 Net Warrior
<netwarrior863(a)gmail.com> wrote:
> Thank you very much for that!! do you know if it support md5crypt or if
> there any stong algorithm instead? for example phpldapadmin has it as an
Use the contrib SSHA2 module. I personally use SSHA512 in my
deployments.
--Quanah
--
Quanah Gibson-Mount
5:27 a.m.
Quanah Gibson-Mount wrote:
--On Thursday, August 25, 2016 3:03 PM -0300 Net Warrior
<netwarrior863(a)gmail.com> wrote:
> Thank you very much for that!! do you know if it support md5crypt or if
> there any stong algorithm instead? for example phpldapadmin has it as an
Use the contrib SSHA2 module. I personally use SSHA512 in my deployments.
It only does one iteration which is considered fast to crack today.
Ciao, Michael.
1683
days inactive
1693
days old
openldap-technical@openldap.org
10 comments
5 participants
participants (5)
-
Clément OUDOT -
David Magda -
Michael Ströder -
Net Warrior -
Quanah Gibson-Mount