On Fri, Mar 09, 2012 at 04:06:33PM -0500, Dmitri Pal wrote:
>    As far as I understand underlying DS can also be configured to create
>    weak hashes needed for NIS but it is not recommended. But this is
>    something that gurus should confirm.

The NIS server will serve up password hashes which are compatible with
traditional crypt() if any are found in an entry's userPassword
attribute.  By default, the directory server doesn't create them in this
form (it prefers SSHA, or SSHA256, I guess), but this can be changed by
setting "passwordStorageScheme: CRYPT" in its cn=config entry.

Two things to watch out for, though.

The first is that when you make the change, the directory server starts
generating userPassword values which begin with "{crypt}", but the
default configuration for the NIS server told it to look for values
which began with "{CRYPT}", in a case-sensitive manner, so it wouldn't
match them.  This was corrected in slapi-nis 0.29.  You'll want to
either grab a newer package to pick up the new defaults, or override the
run-time configuration of your copy to match the defaults from later

The second is that changing your passwordStorageScheme only affects how
the server hashes passwords that will be set after you make the change,
so if you're going to do it, it's better done sooner rather than later.



Freeipa-devel mailing list
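An added example, not part of the original message and not slapi-nis or directory server code: a small audit over an LDIF export that lists which entries carry crypt-style userPassword values (the ones the message says the NIS server will serve) and which of those a case-sensitive "{CRYPT}" prefix match would miss. The function names, DNs and hash strings are constructed for illustration.

```python
import base64
import re

# Constructed sample data: DNs and hash strings are made up for illustration.
_B64 = base64.b64encode(b"{CRYPT}zzCONSTRUCTED02").decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,dc=example,dc=com
userPassword: {{SSHA}}Q09OU1RSVUNURUQ=

dn: uid=bob,cn=users,dc=example,dc=com
userPassword: {{crypt}}zzCONSTRUCTED01

dn: uid=carol,cn=users,dc=example,dc=com
userPassword:: {_B64}
"""

def password_values(ldif):
    """Yield (dn, userPassword value) pairs from LDIF text."""
    dn = None
    for line in re.sub(r"\n ", "", ldif).splitlines():  # unfold wrapped lines
        if line.lower().startswith("dn: "):
            dn = line[4:]
        elif line.lower().startswith("userpassword:: "):  # base64-encoded value
            yield dn, base64.b64decode(line[15:]).decode("utf-8", "replace")
        elif line.lower().startswith("userpassword: "):
            yield dn, line[14:]

def audit(ldif, nis_prefix="{CRYPT}"):
    """Return rows of (dn, scheme, is_crypt, matched_case_sensitively)."""
    rows = []
    for dn, value in password_values(ldif):
        m = re.match(r"\{([^}]+)\}", value)
        scheme = m.group(1) if m else None
        # The scheme tag is compared case-insensitively to find every crypt hash.
        is_crypt = scheme is not None and scheme.lower() == "crypt"
        # A case-sensitive prefix test, as described in the message above.
        rows.append((dn, scheme, is_crypt, value.startswith(nis_prefix)))
    return rows

if __name__ == "__main__":
    for dn, scheme, is_crypt, exact in audit(SAMPLE_LDIF):
        note = ""
        if is_crypt:
            note = "crypt hash" + ("" if exact else ", missed by case-sensitive {CRYPT} match")
        print(f"{dn}: scheme={scheme} {note}")
```

Entries that still show SSHA after the scheme change are ones whose passwords have not been reset since, which is the second point in the message.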