Jan-Frode Myklebust wrote:
On Tue, Sep 20, 2011 at 09:59:16AM -0400, Dmitri Pal wrote:


        Password Hash Algorithm
        -------------------------
        Indicates the algorithm that the system should use to hash the password.
        Currently supported values are SSHA, SHA, SMD5, and MD5. A value of NONE
        or no value indicates that the system will not hash passwords. This will
        cause cleartext passwords to be stored in LDAP unless the LDAP server
        performs the hash (Netscape Directory Server and iPlanet Directory
        Server do).

Will the ipa-migration handle any of these formats ? Which would be the
preferred ?

I am not sure it keeps it in clear internally anywhere. Password is
always hashed unless you explicitly set it to be cleartext in the
setting above.

Are you stating that based on knowledge of Sun Identity Manager? As far
as I understand SIM, I should be able to add new managed "resources"
(directories, databases, servers, etc) at a later point and push my
userdatabase to. For that to work, SIM will have to either hash to all
supported hashing methods (including cleartext??) or just keep a
cleartext version hidden somewhere.

I think he was referring to 389-ds. IPA migration grabs the raw userPassword attribute from the remote LDAP server to create the entry in 389-ds.

For the hash types that 389-ds supports look for passwordStorageScheme in
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to