On 03/27/2015 06:21 PM, Andy Thompson wrote:
Relative newb here :) I'm doing some research trying to sort out the password 
storage scheme being used on the freeipa LDAP instance.  From everything I can 
find it uses ssha but can be changed to ssha-512.  But when I try to change 
that attribute on the cn=config object like referenced here 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes

It comes back with wrong attribute type.  I realize that doc points to the RHDS 
so it might be valid for the ipa ds?
Hi Andy,

The value has to be SHA512. It's not SHA-512.

/usr/bin/ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w XXXXX << EOF
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: SHA-512
> EOF
modifying entry "cn=config"
ldap_modify: Operations error (1)
additional info: passwordStorageScheme: invalid scheme - SHA-512. Valid schemes are: CLEAR, CRYPT, MD5, SHA, SHA256, SHA384, SHA512, SMD5, SSHA, SSHA256, SSHA384, SSHA512

/usr/bin/ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w XXXXX << EOF
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SHA512
EOF

modifying entry "cn=config"


Hope this helps.

Thanks,
-Sankar R.

So I guess my question is what hash is used by freeipa to store password hashes 
and is it configurable?
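Added example, not code from the thread: a small Python checker that parses a 389-ds/FreeIPA style `{SCHEME}base64` userPassword value, reports which of the schemes from the error message above it uses, and verifies a candidate password against it. It assumes the RFC 2307 layout `digest(password || salt) || salt`, with an 8-byte salt for the salted (SSHA*) variants; the salt length is an assumption, and verification simply treats whatever follows the digest as the salt.

```python
import base64
import hashlib
import hmac
import secrets

# Digest algorithm behind each SHA-family scheme name the server accepts
# (from the error text above); the leading 'S' marks the salted variants.
SCHEMES = {
    "SHA": ("sha1", False),     "SSHA": ("sha1", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA384": ("sha384", False), "SSHA384": ("sha384", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}

def parse_userpassword(value: str):
    """Split '{SCHEME}base64' into (SCHEME, raw bytes)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no {SCHEME} prefix")
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    return scheme, base64.b64decode(b64)

def make_userpassword(password: str, scheme: str, salt: bytes = None) -> str:
    """Encode like the SHA/SSHA schemes: base64(digest(pw||salt) || salt)."""
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = salt if salt is not None else secrets.token_bytes(8)  # assumed 8-byte salt
    else:
        salt = b""  # unsalted SHA* schemes: digest of the password alone
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")

def check_password(password: str, stored: str) -> bool:
    """Constant-time verification of a candidate password against a stored value."""
    scheme, raw = parse_userpassword(stored)
    algo, salted = SCHEMES[scheme]
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen:
        return False
    digest, salt = raw[:dlen], raw[dlen:]   # salt is everything after the digest
    if not salted and salt:                 # unsalted scheme must carry no trailing bytes
        return False
    calc = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)

if __name__ == "__main__":
    stored = make_userpassword("correct horse", "SSHA512")  # constructed sample
    print(parse_userpassword(stored)[0], check_password("correct horse", stored))
```

Useful when auditing existing entries after changing passwordStorageScheme: the scheme prefix on each userPassword value shows which entries were hashed under the old setting, since changing the config only affects passwords set afterwards.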





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project