On Tue, Mar 04, 2025 at 07:48:41AM +0000, Windl, Ulrich wrote:
> Hi!
>
> After having loaded pw-sha2 in OpenLDAP 2.5, I tried to set a new
> default hashing schema, but I fail to do so using
>
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {SSHA256}
> olcPasswordHash: {SSHA}
>
> ----
> modifying entry "olcDatabase={-1}frontend,cn=config"
> ldap_modify: Object class violation (65)
> additional info: attribute 'olcPasswordHash' not allowed
>
> Before I had tried "replace" instead of "add", and I tried to place
> both values in one line as suggested by slapd-config:
> olcPasswordHash: <hash> [<hash>...]
> This option configures one or more hashes to be used in
> generation of user passwords stored in the userPassword
> attribute during processing of LDAP Password Modify Extended
> Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
> {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
>
> The manual page also states:
> This setting is only allowed in the frontend entry.
Not sure, sounds like a typo somewhere but I would question the need to
add more than one olcPasswordHash BTW. It specifies what hash will be
used to hash a new password, it is *not* used to specify the hashes that
the server understands (that's achieved by loading the appropriate
module as you've done already).
If you put 2 hashes in there and send a password modify, the user will
now have 2 userPassword values (the same password hashed with both),
that's rarely useful and for instance the ppolicy overlay very much
doesn't like that situation.
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
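As an added illustration of the point above (example code, not from the thread or from OpenLDAP itself): the script below models the storage convention slapd uses for {SSHA} and {SSHA256} userPassword values, base64(digest || salt) with the salt appended to the password before hashing, which is an assumption matching slappasswd and the pw-sha2 module. It shows that two schemes in olcPasswordHash would yield two userPassword values for one password, and provides a verifier a defender can use to check which scheme a directory actually produced.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Digest algorithm and digest length (bytes) for the two salted schemes in
# the thread. Assumption: stored form is scheme prefix + base64(digest || salt).
SCHEMES = {
    "{SSHA}": ("sha1", 20),
    "{SSHA256}": ("sha256", 32),
}


def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value for `password` in the given salted scheme."""
    algo, _ = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(8)  # constructed random salt; slapd picks its own length
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def scheme_of(stored: str) -> str:
    """Extract the '{SCHEME}' prefix from a stored userPassword value."""
    return stored[: stored.index("}") + 1]


def verify_password(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} or {SSHA256} value."""
    scheme = scheme_of(stored)
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    algo, dlen = SCHEMES[scheme]
    raw = base64.b64decode(stored[len(scheme):])
    digest, salt = raw[:dlen], raw[dlen:]  # salt is whatever follows the digest
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def hash_with_all(password: str, schemes: List[str]) -> List[str]:
    """Model what slapd stores when olcPasswordHash lists several schemes:
    one userPassword value per scheme, all derived from the same password."""
    return [hash_password(password, s) for s in schemes]


if __name__ == "__main__":
    for value in hash_with_all("correct horse", ["{SSHA256}", "{SSHA}"]):
        print(value, verify_password("correct horse", value))
```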