The general weakness of SHA has been understood for some time, although
progress continues on finding collisions (such as
<https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1>).
I think it would be wise to update OpenLDAP to a different default for
userPassword. We currently have the Contrib SHA2 module, and there's a
nice bcrypt(*) module on GitHub (I asked the author if they would be
willing to contribute it, but they seem to have gone silent).
It may be time to move the SHA2 module into core, but there has been some
discussion of the limitations of the current SHA2 module in the past that
would likely need addressing.
What do other folks think?
* <https://github.com/wclarie/openldap-bcrypt/issues/1>
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
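As an added illustration of the scheme choice under discussion (example code written for this page, not part of the post, of OpenLDAP, or of either module): the built-in `{SSHA}` scheme and the salted `{SSHA256}`/`{SSHA512}` prefixes produced by the contrib pw-sha2 module all store `base64(H(password || salt) || salt)`, so the only difference between them is the digest function; none of them is iterated, which is the gap a bcrypt scheme closes. The code generates and verifies values in that format and flags entries still on a legacy prefix. The 8-byte salt length and the legacy-scheme list are assumptions made here; the format itself does not fix the salt length.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# userPassword prefix -> digest.  {SSHA} is slapd's built-in salted SHA-1;
# {SSHA256}/{SSHA512} are the salted prefixes emitted by the contrib pw-sha2
# module.  All three store base64(H(pw || salt) || salt) after the prefix.
SCHEMES = {
    "{SSHA}": hashlib.sha1,
    "{SSHA256}": hashlib.sha256,
    "{SSHA512}": hashlib.sha512,
}

# Prefixes an audit flags as legacy (assumption for this example).  Each costs an
# attacker one digest per guess; there is no work factor to tune, unlike bcrypt.
LEGACY_SCHEMES = {"{SHA}", "{SSHA}", "{MD5}", "{SMD5}", "{CRYPT}", "{CLEARTEXT}"}

SALT_LEN = 8  # assumed salt size for generation; verification reads it from the value


def hash_userpassword(password: str, scheme: str = "{SSHA512}",
                      salt: Optional[bytes] = None) -> str:
    """Build a userPassword value: scheme + base64(H(pw || salt) || salt)."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(stored: str) -> Optional[Tuple[str, bytes, bytes]]:
    """Split a stored value into (scheme, digest, salt); None if malformed or unknown."""
    end = stored.find("}")
    if not stored.startswith("{") or end < 0:
        return None
    scheme = stored[: end + 1]
    h = SCHEMES.get(scheme)
    if h is None:
        return None
    try:
        raw = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    dlen = h().digest_size
    if len(raw) <= dlen:  # must leave at least one salt byte after the digest
        return None
    return scheme, raw[:dlen], raw[dlen:]


def verify_userpassword(password: str, stored: str) -> bool:
    """Recompute H(pw || salt) and compare in constant time against the stored digest."""
    parsed = parse_userpassword(stored)
    if parsed is None:
        return False
    scheme, digest, salt = parsed
    candidate = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def legacy_entries(values: Iterable[str]) -> List[str]:
    """Return stored values whose prefix is in LEGACY_SCHEMES or that have no prefix."""
    flagged = []
    for v in values:
        end = v.find("}")
        scheme = v[: end + 1].upper() if v.startswith("{") and end > 0 else ""
        if scheme == "" or scheme in LEGACY_SCHEMES:
            flagged.append(v)
    return flagged


if __name__ == "__main__":
    # Constructed sample directory values with fixed salts so the run is reproducible.
    samples = [
        hash_userpassword("correct horse", "{SSHA}", b"12345678"),
        hash_userpassword("battery staple", "{SSHA512}", b"abcdefgh"),
        "unhashed-by-mistake",
    ]
    for s in samples:
        print(s)
    print("legacy:", legacy_entries(samples))
    print("verify ok:", verify_userpassword("correct horse", samples[0]))
```

In slapd the default scheme for new passwords set via the password-modify extended operation is chosen by `olcPasswordHash` (cn=config) or `password-hash` (slapd.conf); switching it only affects values written after the change, which is why the audit function above exists: existing entries keep their old prefix until the user next changes their password.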