hello,
I'm trying to implement SSHA512 on my OpenLDAP server. I found out that the build instructions on the web are old: there is no slapd.conf file any more. So it is written that I have to work with the cn=config file instead. Can someone help me please?
I'm using Ubuntu 18.10 and the OpenLDAP version slapd.
Thank you
Best wishes, Ajdar Yüsün
--On Monday, April 15, 2019 5:56 PM +0200 "A. Yuesuen" ayuesuen93@gmail.com wrote:
hello,
I'm trying to implement SSHA512 on my OpenLDAP server. I found out that the build instructions on the web are old: there is no slapd.conf file any more. So it is written that I have to work with the cn=config file instead. Can someone help me please?
I'm using Ubuntu 18.10 and the OpenLDAP version slapd.
Ubuntu's OpenLDAP builds already provide the pw-sha2 module, so all you need to do is add it to the moduleload statement and then add it to the frontend database in cn=config.
I.e., as the root user, something like:
ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2

ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA512}
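Once olcPasswordHash is {SSHA512}, slapd stores new userPassword values as the scheme prefix followed by base64(SHA-512(password || salt) || salt). The following is an added example, not code from the thread or from OpenLDAP itself, that generates and verifies values in that layout so an administrator can confirm what the directory is actually storing after the change. The 8-byte salt length is an assumption about typical slapd output; the verifier does not depend on it and takes whatever bytes follow the 64-byte digest.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes for SHA-512
SALT_LEN = 8  # assumption: salt length used when generating new values here


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA512} userPassword value: base64(sha512(pw||salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_ssha512(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Return (digest, salt) from a stored value, or None if it is not {SSHA512}."""
    if not stored.startswith(SCHEME):
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them
        blob = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(blob) <= DIGEST_LEN:
        return None  # digest present but no salt bytes after it
    return blob[:DIGEST_LEN], blob[DIGEST_LEN:]


def check_ssha512(password: str, stored: str) -> bool:
    """Verify a candidate password against a stored {SSHA512} value."""
    parts = split_ssha512(stored)
    if parts is None:
        return False
    digest, salt = parts
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, expected)


def scheme_of(stored: str) -> str:
    """Return the {SCHEME} prefix of a userPassword value, or '' for cleartext."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1]
    return ""


if __name__ == "__main__":
    # constructed sample: a fixed salt so the output is reproducible
    value = make_ssha512("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(value)
    print("scheme:", scheme_of(value))
    print("verify ok:", check_ssha512("correct horse", value))
    print("verify wrong:", check_ssha512("battery staple", value))
```

A quick way to use this against a live directory is to read one entry's userPassword with ldapsearch as the root DSA user and pass the attribute value to check_ssha512; a value still starting with {SSHA} (SHA-1) rather than {SSHA512} means it was set before the olcPasswordHash change and has not been re-hashed, since slapd only applies the new scheme when a password is next set.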
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 4/15/19 4:56 PM, A. Yuesuen wrote:
I'm trying to implement SSHA512 on my OpenLDAP server. I found out that the build instructions on the web are old: there is no slapd.conf file any more. So it is written that I have to work with the cn=config file instead. Can someone help me please?
I'm using Ubuntu 18.10 and the OpenLDAP version slapd.
BTW: You can still work with static config slapd.conf.
But the pw-sha2 module is an additional contrib module. So you have to check whether the OpenLDAP packages you're using actually ship this module.
If not, an alternative is to use (static config syntax):
password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"
The salt format is described in man page crypt(3) as follows:
sha512crypt
    A hash based on SHA-2 with 512-bit output, originally developed by Ulrich Drepper for GNU libc. Supported on Linux but not common elsewhere. Acceptable for new hashes. The default CPU time cost parameter is 5000, which is too low for modern hardware.
    Prefix                     "$6$"
    Hashed passphrase format   $6$(rounds=[1-9][0-9]+$)?[./0-9A-Za-z]{1,16}$[./0-9A-Za-z]{86}
    Maximum passphrase length  unlimited
    Hash size                  512 bits
    Salt size                  6 to 96 bits
    CPU time cost parameter    1000 to 999,999,999
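Here is an added example, not part of Michael's post or of OpenLDAP, that turns the crypt(3) grammar quoted above into a parser and a small audit for stored {CRYPT} values. It checks that a value matches the sha512crypt format, pulls out the rounds parameter (falling back to the 5000 default the man page describes), and reports the two weaknesses the text points at: a default rounds count and a salt shorter than the 12 characters that the "$6$%.12s" salt format produces. The make_salt_format helper shows what that format string expands to; the raw salt characters it draws from are a constructed assumption, slapd generates its own.

```python
import re
import secrets
from typing import Dict, List, Optional

# Grammar copied from the crypt(3) text: $6$(rounds=N$)?salt$hash
SHA512CRYPT_RE = re.compile(
    r"^\$6\$(?:rounds=(?P<rounds>[1-9][0-9]+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]{86})$"
)
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000            # applied when no rounds= field is present
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999
SALT_FORMAT_CHARS = 12           # the ".12" in password-crypt-salt-format "$6$%.12s"


def parse_sha512crypt(value: str) -> Optional[Dict[str, object]]:
    """Parse a sha512crypt string (with or without a {CRYPT} prefix).

    Returns None if the value does not follow the documented grammar or the
    rounds value lies outside the documented 1000..999,999,999 range.
    """
    if value.startswith("{CRYPT}"):
        value = value[len("{CRYPT}"):]
    m = SHA512CRYPT_RE.match(value)
    if m is None:
        return None
    explicit = m["rounds"] is not None
    rounds = int(m["rounds"]) if explicit else DEFAULT_ROUNDS
    if not MIN_ROUNDS <= rounds <= MAX_ROUNDS:
        return None
    return {
        "rounds": rounds,
        "explicit_rounds": explicit,
        "salt": m["salt"],
        "salt_bits": 6 * len(m["salt"]),   # each salt character carries 6 bits
        "hash": m["hash"],
    }


def audit_sha512crypt(value: str) -> List[str]:
    """Return human-readable findings for a stored {CRYPT} sha512crypt value."""
    parsed = parse_sha512crypt(value)
    if parsed is None:
        return ["not a well-formed sha512crypt value"]
    findings: List[str] = []
    if not parsed["explicit_rounds"]:
        findings.append(
            "no rounds= parameter: the 5000 default applies, which crypt(3) "
            "calls too low for modern hardware"
        )
    if len(parsed["salt"]) < SALT_FORMAT_CHARS:
        findings.append(
            f"salt is {len(parsed['salt'])} characters ({parsed['salt_bits']} bits); "
            f'"$6$%.12s" yields {SALT_FORMAT_CHARS} characters ({6 * SALT_FORMAT_CHARS} bits)'
        )
    return findings


def make_salt_format(raw: str, width: int = SALT_FORMAT_CHARS) -> str:
    """Emulate what "$6$%.<width>s" expands to: the prefix plus the first <width> chars of raw."""
    return "$6$" + raw[:width]


def random_salt_chars(n: int = 16) -> str:
    """Constructed stand-in for the raw salt characters slapd would substitute for %s."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(n))


if __name__ == "__main__":
    # constructed sample values: the hash part is a dummy of the right length
    dummy_hash = "A" * 86
    for v in (
        "{CRYPT}$6$" + "abcdefghijkl$" + dummy_hash,
        "$6$rounds=100000$" + "abcdefghijklmnop$" + dummy_hash,
        "$6$ab$" + dummy_hash,
        "$5$abcdefghijkl$" + "B" * 43,
    ):
        print(v[:40], "->", audit_sha512crypt(v))
    print(make_salt_format(random_salt_chars()))
```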
Ciao, Michael.
openldap-technical@openldap.org