Hi everybody,
Thank you for your answer.
> You should challenge this stupid policy. Not only because of password
> hashing, but also because release 2.4.46 is three years old. Newer OpenLDAP releases have
> many important fixes.
Well, we are not allowed to challenge any policy due to the sensitive nature of the
project.
> Thus for my customers I'm maintaining my own builds, e.g. for
> SLE15SP2, which install in a different prefix. Feel free to use that or branch from that to
> your own OBS project:
Thank you, appreciated. But as I told you, we are not allowed to use any external source
that is not included and audited previously by a special security entity.
> The current version from SUSE is 2.4.46-9.48.1, BTW. If you have
> support, why not ask SUSE?
Yes, we have asked but we are still waiting for an answer.
> password-hash {CRYPT}
> password-crypt-salt-format "$6$rounds=20000$%.16s"
Thank you so much for the tip, we will evaluate it.
> There is a slightly sneaky way to get openldap to support any crypt
> the native OS will support with the {CRYPT} option. Change the openldap option
> password-crypt-salt-format.
> On my servers the value is set to "$6$%.8s" which gives the result of using
> sha512 (one of several sha2 choices). This trick will depend on which choices are built
> into your native OS crypt function. In theory, look at the crypt(5) man page to find this
> information.
> We've been doing this locally for probably a decade and it works well.
Thank you so much for this. It seems it's working flawlessly.
Regards!
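Added worked example, not part of this thread and not OpenLDAP's own code: a pure-Python sha512crypt ($6$) built only on hashlib, so it runs even where Python's deprecated crypt module is gone. It shows what slapd hands to crypt(3) under the two settings above (password-hash {CRYPT} with password-crypt-salt-format "$6$rounds=20000$%.16s"): how the printf-style format clips the random salt to crypt's 16-character maximum, how the rounds= field is parsed and clamped, and why that round count is what separates this scheme from a single-round {SHA256}. All function names are my own; the assumption that slapd draws its salt from the crypt alphabet is marked in the code, and verify() mirrors slapd's check of re-running crypt(3) with the stored prefix.

```python
# Added example, not from this thread and not OpenLDAP's own code.
# Pure-Python sha512crypt ($6$) on top of hashlib only. All names are mine.
import hashlib
import hmac
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The exact password-crypt-salt-format from the thread: glibc's $6$ id,
# 20000 rounds, and a %.16s that clips the random salt to crypt's 16-char max.
SALT_FORMAT = "$6$rounds=20000$%.16s"
# Order in which sha512crypt emits its 64 result bytes, three at a time.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def parse_setting(setting):
    """Split '$6$[rounds=N$]salt...' into (requested rounds or None, salt).
    Like glibc, the salt stops at the first '$' and at 16 characters."""
    m = re.match(r"\$6\$(?:rounds=(\d+)\$)?([^$]*)", setting)
    if m is None:
        raise ValueError("not a $6$ setting string")
    rounds = int(m.group(1)) if m.group(1) is not None else None
    return rounds, m.group(2)[:16]


def _encode(result):
    out = []
    for b2, b1, b0 in _ORDER:
        w = (result[b2] << 16) | (result[b1] << 8) | result[b0]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    w = result[63]
    for _ in range(2):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512crypt(password, setting):
    """crypt(3)-compatible sha512crypt of a password (bytes) under 'setting'."""
    requested, salt = parse_setting(setting)
    rounds = 5000 if requested is None else min(max(requested, 1000), 999_999_999)
    s, n = salt.encode(), len(password)
    # Digest B: password + salt + password.
    b = hashlib.sha512(password + s + password).digest()
    # Digest A: password + salt, B repeated to the password length, then B or
    # the password chosen by the bits of the password length, low bit first.
    a = hashlib.sha512(password + s)
    a.update(b * (n // 64) + b[: n % 64])
    i = n
    while i > 0:
        a.update(b if i & 1 else password)
        i >>= 1
    da = a.digest()
    # P and S: password-derived and salt-derived byte strings of matching length.
    dp = hashlib.sha512(password * n).digest()
    p = (dp * (n // 64 + 1))[:n]
    ds = hashlib.sha512(s * (16 + da[0])).digest()
    sb = (ds * (len(s) // 64 + 1))[: len(s)]
    # The round loop is the work factor: rounds=20000 costs 4x glibc's default.
    dc = da
    for i in range(rounds):
        c = hashlib.sha512()
        c.update(p if i & 1 else dc)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(p)
        c.update(dc if i & 1 else p)
        dc = c.digest()
    prefix = "$6$" + ("" if requested is None else f"rounds={rounds}$") + salt + "$"
    return prefix + _encode(dc)


def make_setting(salt_format=SALT_FORMAT, salt_len=16):
    """Mimic slapd: draw a random salt and run it through the printf-style
    format. Python's % operator honours '%.16s' exactly as snprintf does.
    Assumption: slapd draws the salt from the crypt alphabet."""
    raw = "".join(secrets.choice(ITOA64) for _ in range(salt_len))
    return salt_format % raw


def hash_userpassword(password):
    """The userPassword value slapd would store under 'password-hash {CRYPT}'."""
    return "{CRYPT}" + sha512crypt(password, make_setting())


def verify(password, stored):
    """Re-run crypt with the stored prefix and compare in constant time."""
    if not stored.startswith("{CRYPT}"):
        return False
    setting = stored[len("{CRYPT}"):]
    return hmac.compare_digest(sha512crypt(password, setting), setting)
```

The first assertion in use is the published sha512crypt test vector ("$6$saltstring" with "Hello world!"), which any glibc crypt(3) reproduces; a setting such as "$6$rounds=10000$saltstringsaltstring" comes back with the salt cut to "saltstringsaltst", which is the same clipping the "%.16s" in the slapd format performs before crypt ever sees the salt.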
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Thursday, 18 March 2021 16:47
To: openldap-technical(a)openldap.org
Subject: Re: SHA-256 Password Support and OpenLDAP2-2.4.46 SLES15SP2
On 3/18/21 8:32 AM, Dario García Díaz-Miguel wrote:
> We are aware that in order to support SHA-256 we have to load the
> contrib module named pw-sha2 which was included on SLES12SP5 but is
> totally missing on the SLES15SP2 package.
Note that SUSE announced not to support OpenLDAP server packages anymore. This might be a
fallout of this decision.
> This means that we would need to compile it, but due to limitations of
> the project we are working on we are not allowed to compile anything
> external.
You should challenge this stupid policy. Not only because of password hashing, but
also because release 2.4.46 is three years old. Newer OpenLDAP releases have many
important fixes.
Thus for my customers I'm maintaining my own builds, e.g. for SLE15SP2, which install in a
different prefix. Feel free to use that or branch from that to your own OBS project:
https://build.opensuse.org/package/show/home:...
https://download.opensuse.org/repositories/ho...
More importantly, you should be aware that the {SHA256} password hash scheme is really weak,
because SHA-2 hashes are fast and only one hash round is applied.
Another option you should be able to directly use is {CRYPT} as Dale already mentioned in
his answer.
In my Æ-DIR's default config I'm currently using
password-hash {CRYPT}
password-crypt-salt-format "$6$rounds=20000$%.16s"
See man page crypt(5) to find that $6$ is sha512crypt and I'm using
20000 rounds. This is better than a simple SHA-2 hash.
Caveat: {CRYPT} hashes are not portable. But most modern Linuxes have supported this for
several years.
Ciao, Michael.