Actually I just upgraded the system from centos7 to almalinux9 using elevate. Essentially this is similar to copying the /etc/dirsrv and /var/lib/dirsrv directories and starting the new LDAP server. Directly afterwards I was not able to log in using the cn=Directory Manager. I checked the hashed password in the dse.ldif file (cn=config) using pwdhash. It was ok. Once I changed the password of the Directory Manager in the dse.ldif file, after stopping the 389ds, using a PBKDF2-SHA512 hash, the Directory Manager was able to log in. Other users required a reset of their password as well for successful login. But since I do not have access to all passwords I would rather reuse the old tree.

The nsslapd-allow-hashed-passwords is set to on. Therefore I doubt that I have double hashed passwords. For the case of the Directory Manager I am positive. And yes, dsconf lists SSHA in my case as well. Any ideas why this is not working?

My password policy is quite open:

Global Password Policy: cn=config
------------------------------------
nsslapd-pwpolicy-local: off
passwordstoragescheme: SSHA512
passwordchange: on
passwordmustchange: off
passwordhistory: off
passwordinhistory: 6
passwordadmindn:
passwordtrackupdatetime: off
passwordwarning: 86400
passwordisglobalpolicy: off
passwordexp: off
passwordmaxage: 8640000
passwordminage: 0
passwordgracelimit: 0
passwordsendexpiringtime: off
passwordlockout: off
passwordunlock: on
passwordlockoutduration: 3600
passwordmaxfailure: 3
passwordresetfailurecount: 600
passwordchecksyntax: off
passwordminlength: 8
passwordmindigits: 0
passwordminalphas: 0
passwordminuppers: 0
passwordminlowers: 0
passwordminspecials: 0
passwordmin8bit: 0
passwordmaxrepeats: 0
passwordmincategories: 3
passwordmintokenlength: 3
nsslapd-allow-hashed-passwords: on
nsslapd-pwpolicy-inherit-global: off

Kind regards,
Ralf

On Wed, 3 July 2024 at 10:42, Viktor Ashirov <vashi...@redhat.com> wrote:

> Hi Ralf,
>
> On Tue, Jul 2, 2024 at 2:29 PM Ralf Spenneberg <rspenneb...@gmail.com> wrote:
>
>> Hi there,
>> I am trying to update an LDAP tree from 389ds 1.3.11 (centos7) to 2.4.5
>> (almalinux9). After migrating the tree all passwords stop working including
>> the Directory Manager. The old tree used SSHA. Setting the
>> rootpwstoragescheme does not help for the Directory Manager. Only manually
>> resetting the passwords using pwdhash in the dse.ldif file and using a
>> PBKDF2-SHA512 password works. Is there a way to enable the old SSHA scheme?
>>
> SSHA is still supported in the latest 389-DS:
> # dsconf localhost pwpolicy list-schemes | grep SSHA
> SSHA
> SSHA256
> SSHA384
> SSHA512
>
> How did you perform the migration? Via replication or export/import?
> What is the value of nsslapd-allow-hashed-passwords in cn=config?
> I suspect that your passwords after the migration might be doubly hashed
> instead of imported as is.
>
>> Kind regards,
>> Ralf
>> --
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>
> --
> Viktor
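
An added example, not part of the original thread: an offline check of the "doubly hashed" hypothesis for a migrated userPassword value. It assumes the standard salted layout {SCHEME}base64(digest(password + salt) + salt) for SSHA, SSHA256, SSHA384 and SSHA512; the function names are hypothetical and the sample values are constructed.

```python
import base64, hashlib, hmac, os

# Digest per scheme; the salt is whatever follows the digest bytes (assumed layout).
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256",
           "SSHA384": "sha384", "SSHA512": "sha512"}

def make_hash(password, scheme="SSHA", salt=None):
    """Build '{SCHEME}base64(digest(password + salt) + salt)'."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(SCHEMES[scheme], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def verify(stored, candidate):
    """True if candidate hashes to the stored salted value."""
    if not stored.startswith("{") or "}" not in stored:
        return False                      # cleartext or malformed value
    scheme, b64 = stored[1:].split("}", 1)
    algo = SCHEMES.get(scheme.upper())
    if algo is None:
        return False                      # e.g. PBKDF2-SHA512, not handled here
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    dlen = hashlib.new(algo).digest_size
    if len(raw) <= dlen:
        return False                      # no salt after the digest
    digest, salt = raw[:dlen], raw[dlen:]
    calc = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)

def classify(new_value, old_value, password=None):
    """Compare a migrated value with the pre-migration one."""
    if verify(new_value, old_value):
        return "doubly hashed"            # the old hash string itself was hashed
    if new_value == old_value or (password is not None
                                  and verify(new_value, password)):
        return "imported as is"
    return "unknown"

if __name__ == "__main__":
    old = make_hash("Secret123", "SSHA")          # constructed pre-migration value
    print(classify(old, old))                     # value copied unchanged
    print(classify(make_hash(old, "SSHA512"), old))   # old hash re-hashed on import
```

The double-hash test needs only the old and new attribute values, so it also works for accounts whose cleartext password is not known.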