Walter Meyer wrote:
Thanks for all of the tips. I am wondering what the best way to modify
the ldap (so I can change the password scheme) is. I tried getting the
389-console utility set up to connect but was unsuccessful. Should I
just use the command line ldap tools?

We don't configure things so the console will work. You'll need to use the LDAP command-line tools.

Something like:

% ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
add: passwordStorageScheme
passwordStorageScheme: <YOUR_SCHEME>

I'm assuming that you don't already have a scheme specified, the default.

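The ldapmodify step above, as an added example that is not part of the thread or of 389 DS: the script reads the current scheme from `ldapsearch` output, decides whether the LDIF needs `add` (attribute absent, the case the reply assumes) or `replace` (attribute already set, where a plain `add` is rejected), and prints the command and LDIF to feed it. The `ldapsearch` output, the `WEAK_SCHEMES` set and the target scheme `SSHA` are constructed for the example; the scheme change only affects passwords set afterwards, which is why the thread says to change it before adding users.

```python
"""Plan a passwordStorageScheme change on cn=config from ldapsearch output.

Added example, not the thread's code. It assumes the command-line tools the
reply names and the LDIF output `ldapsearch -x` prints.
"""
import shlex

# Constructed sample: what
#   ldapsearch -x -D "cn=directory manager" -W -b cn=config -s base passwordStorageScheme
# prints on a server where an unsalted scheme is already configured.
SAMPLE_SEARCH_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: passwordStorageScheme
#

# config
dn: cn=config
passwordStorageScheme: SHA

# search result
search: 2
result: 0 Success
"""

# Unsalted or reversible schemes (not an exhaustive list); an exposed hash in
# one of these is cheaper to crack than a salted one, as the thread notes.
WEAK_SCHEMES = {"SHA", "MD5", "CLEAR"}


def current_scheme(search_output: str):
    """Return the passwordStorageScheme value found in LDIF output, or None."""
    for line in search_output.splitlines():
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "passwordstoragescheme":
            return value.strip()
    return None


def scheme_ldif(desired: str, existing) -> str:
    """Build the modify LDIF. The reply's `add` works only when the attribute
    is absent; if it is already set the server rejects the add, so `replace`
    is used in that case (it also works when the attribute is absent)."""
    op = "replace" if existing else "add"
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"{op}: passwordStorageScheme\n"
        f"passwordStorageScheme: {desired}\n"
    )


def plan_change(search_output: str, desired: str = "SSHA") -> dict:
    """Return what to run; ldif/command are None when nothing needs changing."""
    existing = current_scheme(search_output)
    plan = {
        "current": existing,
        "desired": desired,
        "current_is_weak": existing in WEAK_SCHEMES,
        "ldif": None,
        "command": None,
    }
    if existing == desired:
        return plan
    plan["ldif"] = scheme_ldif(desired, existing)
    # Same invocation as the reply above; the LDIF is fed on stdin.
    plan["command"] = shlex.join(["ldapmodify", "-x", "-D", "cn=directory manager", "-W"])
    return plan


if __name__ == "__main__":
    plan = plan_change(SAMPLE_SEARCH_OUTPUT, "SSHA")
    print(f"current scheme: {plan['current']} (weak: {plan['current_is_weak']})")
    if plan["ldif"]:
        print(f"run: {plan['command']}  <<'EOF'\n{plan['ldif']}EOF")
    else:
        print("already using the desired scheme")
```

Run it against real output by piping `ldapsearch` into `current_scheme`; the generated LDIF is pasted into `ldapmodify` exactly as in the reply, and existing userPassword values keep their old scheme until the user next changes their password.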

On Mar 19, 2010, at 4:43 PM, Rob Crittenden <> wrote:

Walter Meyer wrote:
I will see if Salted SHA1 is supported and maybe Google hasn't
documented it yet. If not, the sync is done with the Google Servers
over SSL. And if only the Directory Manager can read the
userPassword attribute, would storing the userPassword attribute in
SHA1 be that insecure? What scenario could the passwords be
compromised if I went with this setup? Unless the Directory Manager
account was compromised wouldn't this be secure if all of the data
was being transmitted over SSL?
Also all logins to Google Apps are encrypted with SSL.

Ok, the SSL usage makes me feel better. Using a weaker password
encryption scheme isn't ideal but if you are protecting transmission
of it you are probably ok. The risk is that if somehow the hash did
get exposed it is relatively easier to crack it than a salted hash.
Risk is something you'll need to weigh specific to your environment,
this may be acceptable. It doesn't make my alarm bells go off but
I'm a pretty laid back guy :-)

In fact, this would be very cool if it worked. You might want to
file an RFE with the nice folks at Google to see if they'll support
salted hashes if they don't now and potentially move to a more
secure environment later.

As Simo pointed out you'll want to modify the default password
encryption scheme before adding your users so you don't have to
force round after round of password changes on them.

If you decide to try it out let us know how it works.
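The salted-versus-unsalted point Rob makes in the reply above, as an added example that is not code from the thread or from 389 DS: it builds `userPassword` values in the `{SHA}` and `{SSHA}` forms, verifies a password against either, and shows why an exposed `{SHA}` dump is the weaker case (every user with the same password gets the same stored value, so one guess covers all of them). The storage layout assumed is `{SHA}` = base64(sha1(pw)) and `{SSHA}` = base64(sha1(pw + salt) + salt) with an 8-byte random salt; the `USERS` directory is constructed.

```python
"""{SHA} vs {SSHA} userPassword values. Added example; assumes the storage
layout described in the lead-in (salt appended after the 20-byte digest)."""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8  # assumed salt size; verify_password() accepts any length


def sha_userpassword(password: str) -> str:
    """Unsalted: identical passwords always produce identical values."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha_userpassword(password: str, salt: bytes = None) -> str:
    """Salted: a fresh random salt per password, stored after the digest."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate against a stored value in either scheme."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(expected, hashlib.sha1(password.encode()).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # sha1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())
    raise ValueError("unsupported scheme")


def duplicate_password_groups(entries: dict) -> list:
    """Group uids whose stored values are byte-identical. Under {SHA} every
    user sharing a password lands in one group; under {SSHA} there are none,
    which is what makes a leaked salted value worth less to an attacker."""
    by_hash = {}
    for uid, stored in entries.items():
        by_hash.setdefault(stored, []).append(uid)
    return sorted(group for group in by_hash.values() if len(group) > 1)


# Constructed sample directory; two users happen to share a password.
USERS = {"alice": "Winter2010", "bob": "Winter2010", "carol": "correct horse"}


def compare_schemes(users: dict):
    """Return (duplicate groups under {SHA}, duplicate groups under {SSHA})."""
    sha_dir = {uid: sha_userpassword(pw) for uid, pw in users.items()}
    ssha_dir = {uid: ssha_userpassword(pw) for uid, pw in users.items()}
    return duplicate_password_groups(sha_dir), duplicate_password_groups(ssha_dir)


if __name__ == "__main__":
    sha_groups, ssha_groups = compare_schemes(USERS)
    print("shared-password groups visible in a {SHA} dump:", sha_groups)
    print("shared-password groups visible in a {SSHA} dump:", ssha_groups)
```

The only defence `{SHA}` has in the setup discussed is that the attribute is unreadable except by Directory Manager and travels over SSL; `{SSHA}` keeps the per-user cost of cracking even after a value is exposed, which is the difference Rob weighs.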



Freeipa-users mailing list
