Chris Whittle wrote:
> We are looking at ONELogin as well as OKTA for our SSO to work with
> FreeIPA.  
> The way they integrate with LDAP is a little different.
> The question I have is how does FreeIPA support SHA or SSHA for password
> encryption?
> *From One Login's help doc on LDAP*
> *--password-crypt: *Defines the cryptographic method used to store new
> passwords to your Ldap Server when a user changes his password on the
> OneLogin Web UI. Currently only SHA an SSHA are supported, SHA is the
> default value

This sounds rather strange to me. It sounds like it is going to
pre-encrypt the password and send the hash. For IPA to work it would
need to send the password in the clear (over GSSAPI or TLS of course) so
that we can generate the Kerberos keys as well.

389-ds only accepts pre-encrypted hashes in certain cases anyway (it
differs by version).

You can look in cn=Password Storage Schemes,cn=plugins,cn=config for the
list of available password hashes. Both SSHA and SHA are included by


Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to