On Thu, Mar 16, 2023 at 10:08 AM Quanah Gibson-Mount <qua...@fast-mail.org> wrote:
>
> --On Saturday, March 11, 2023 7:51 PM +0100 Stefan Kania
> <ste...@kania-online.de> wrote:
>
> > For a rootdn
> > -------------------
> > dn: olcDatabase={2}mdb,cn=config
> > changetype: modify
> > replace: olcRootPW
> > olcRootPW:
> >  {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$ZGJmZ2lrbmpiZHZzZ3NhdmRzZw$J6eXYSxY4tDs4l8SdBkIwcAU0OqEEdR0gpFNJ5MSqQs
> > -------------------
>
> This makes sense, since you can't use the ldapv3 password modify operation
> to update this password value.
>
> > and a posix or simpleSecurityObject:
> > -------------------
> > dn: uid=repl-user,ou=users,dc=example,dc=net
> > changetype: modify
> > replace: userPassword
> > userPassword:
> >  {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNsYXQ5ODc2NTQzMg$Td51W49s0X74om++/EnMRsP4La3x46KufcGGY01T8+M
> > -------------------
>
> This doesn't make sense. You should be using an ldapv3 password modify
> operation on the user account in question and letting the server do the
> hashing (and also allows password policies, if deployed, to be used).
If I understand things correctly... The server does not hash the password. The server never gets to see the plaintext password.

See https://www.postgresql.org/message-id/379034.1673389287%40sss.pgh.pa.us .

Jeff
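An added example, not code from anyone in this thread nor from OpenLDAP: a pure-Python encoder and decoder for the RFC 3062 PasswdModifyRequestValue carried by the LDAPv3 password modify extended operation that Quanah refers to (what `ldappasswd` sends in place of a `replace: userPassword` with a pre-hashed value). The DN reuses the one from Stefan's LDIF, the password is a constructed sample value, and nothing here contacts a server.

```python
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 extended operation OID

# Context-specific primitive tags of the three OPTIONAL fields in
# PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }
FIELD_TAGS = {"userIdentity": 0x80, "oldPasswd": 0x81, "newPasswd": 0x82}
TAG_FIELDS = {tag: name for name, tag in FIELD_TAGS.items()}


def _ber_len(n):
    """Definite-length BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(data, pos):
    """Inverse of _ber_len; returns (length, position after the length octets)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def encode_passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None):
    """Build the requestValue octets. The new password travels in cleartext inside
    the LDAP message, so the session must be TLS-protected (or ldapi://)."""
    body = b""
    for name, value in (("userIdentity", user_identity), ("oldPasswd", old_passwd),
                        ("newPasswd", new_passwd)):
        if value is not None:
            octets = value.encode("utf-8")
            body += bytes([FIELD_TAGS[name]]) + _ber_len(len(octets)) + octets
    return b"\x30" + _ber_len(len(body)) + body  # outer SEQUENCE


def decode_passwd_modify_request(data):
    """Parse a requestValue back into a dict; rejects a wrong outer tag,
    unknown field tags and truncated input."""
    if not data or data[0] != 0x30:
        raise ValueError("expected outer SEQUENCE (0x30)")
    length, pos = _read_len(data, 1)
    end = pos + length
    fields = {}
    while pos < end:
        tag = data[pos]
        if tag not in TAG_FIELDS:
            raise ValueError(f"unexpected tag {tag:#04x}")
        length, pos = _read_len(data, pos + 1)
        if pos + length > end or end > len(data):
            raise ValueError("truncated request value")
        fields[TAG_FIELDS[tag]] = data[pos:pos + length].decode("utf-8")
        pos += length
    return fields
```

The same tag layout, with a single `genPasswd [0]` field, is what the server's PasswdModifyResponseValue uses when it generates the password itself.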