Re: [Freeipa-users] passwordStorageScheme
-----Original Message-----
From: Sankar Ramlingam [mailto:sraml...@redhat.com]
Sent: Sunday, March 29, 2015 4:35 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwordStorageScheme

> On 03/28/2015 12:32 AM, Andy Thompson wrote:
>> -----Original Message-----
>> From: Sankar Ramlingam [mailto:sraml...@redhat.com]
>> Sent: Friday, March 27, 2015 2:00 PM
>> To: Andy Thompson
>> Subject: Re: [Freeipa-users] passwordStorageScheme
>>
>> On 03/27/2015 11:17 PM, Andy Thompson wrote:
>>>> Can you show me the output for this command?
>>>>
>>>> ldapsearch -LLL -x -p $PORT -h localhost -D "cn=Directory Manager" -w x -b cn=config | grep -i passwordStorageScheme
>>>
>>> Returns passwordStorageScheme: SSHA
>>>
>>>> Also, can you paste me the content of pw.ldif file? and tell me what
>>>
>>> dn: cn=config
>>> changetype: modify
>>> replace: passwordStorageScheme
>>> passwordStorageScheme: SHA512
>>
>> It looks like some whitespace characters in your ldif file. Can you recreate the ldif file with no special/whitespace characters? Or can you run ldapmodify from the command line and change the value directly?
>>
>> I copied your ldif file content and it failed for me too. Then I tried copying my ldif file and it was a success. Pasting the content here...
>>
>> dn: cn=config
>> changetype: modify
>> replace: passwordStorageScheme
>> passwordStorageScheme: SHA512
>> EOF
>>
>> Thanks much for the assist. Haven't ever run into that before.
>
> Hi Andy,
>
> So, I understand it was a problem with the LDIF file. I hope the problem is solved now. Please confirm.

Yes, the problem is solved. It was just some extra spaces or something not visible to the eye that snuck in when I copied and pasted it from a document I've been compiling on all of my setup and testing.

Thanks again

-andy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] passwordStorageScheme
On 03/28/2015 12:32 AM, Andy Thompson wrote:
> -----Original Message-----
> From: Sankar Ramlingam [mailto:sraml...@redhat.com]
> Sent: Friday, March 27, 2015 2:00 PM
> To: Andy Thompson
> Subject: Re: [Freeipa-users] passwordStorageScheme
>
> On 03/27/2015 11:17 PM, Andy Thompson wrote:
>>> Can you show me the output for this command?
>>>
>>> ldapsearch -LLL -x -p $PORT -h localhost -D "cn=Directory Manager" -w x -b cn=config | grep -i passwordStorageScheme
>>
>> Returns passwordStorageScheme: SSHA
>>
>>> Also, can you paste me the content of pw.ldif file? and tell me what
>>
>> dn: cn=config
>> changetype: modify
>> replace: passwordStorageScheme
>> passwordStorageScheme: SHA512
>
> It looks like some whitespace characters in your ldif file. Can you recreate the ldif file with no special/whitespace characters? Or can you run ldapmodify from the command line and change the value directly?
>
> I copied your ldif file content and it failed for me too. Then I tried copying my ldif file and it was a success. Pasting the content here...
>
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: SHA512
> EOF
>
> Thanks much for the assist. Haven't ever run into that before.

Hi Andy,

So, I understand it was a problem with the LDIF file. I hope the problem is solved now. Please confirm.

Thanks,
-Sankar R.

> -andy
[Freeipa-users] passwordStorageScheme
Relative newb here :)

I'm doing some research trying to sort out the password storage scheme being used on the freeipa LDAP instance. From everything I can find it uses ssha but can be changed to ssha-512. But when I try to change that attribute on the cn=config object like referenced here

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes

it comes back with "wrong attribute type". I realize that doc points to the RHDS, so it might be valid for the ipa ds?

So I guess my question is: what hash is used by freeipa to store password hashes, and is it configurable?

*** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. ***
Re: [Freeipa-users] passwordStorageScheme
On 03/27/2015 06:21 PM, Andy Thompson wrote:
> Relative newb here :)
>
> I'm doing some research trying to sort out the password storage scheme being used on the freeipa LDAP instance. From everything I can find it uses ssha but can be changed to ssha-512. But when I try to change that attribute on the cn=config object like referenced here
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes
>
> it comes back with "wrong attribute type". I realize that doc points to the RHDS, so it might be valid for the ipa ds?

Hi Andy,

The value has to be SHA512. It's not SHA-512.

/usr/bin/ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w X << EOF
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SHA-512
EOF
modifying entry "cn=config"
ldap_modify: Operations error (1)
    additional info: passwordStorageScheme: invalid scheme - SHA-512. Valid schemes are: CLEAR, CRYPT, MD5, SHA, SHA256, SHA384, SHA512, SMD5, SSHA, SSHA256, SSHA384, SSHA512

/usr/bin/ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w X << EOF
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SHA512
EOF
modifying entry "cn=config"

Hope this helps.

Thanks,
-Sankar R.

> So I guess my question is: what hash is used by freeipa to store password hashes, and is it configurable?
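An added example, not from the thread and not FreeIPA or 389-DS project code: a small POSIX shell linter that catches both failures seen in this thread before ldapmodify is run. It flags bytes outside printable ASCII (a UTF-8 non-breaking space pasted from a word-processor document looks like a space but is not), trailing whitespace that would become part of the attribute value, and scheme names the server rejects, checked against the list 389-DS printed in the error message above (the server wants SHA512, not SHA-512, and the names are case-sensitive). The host, the port, the file name and the use of -W to prompt for the Directory Manager password instead of passing it with -w on the command line (where it lands in shell history and ps output) are assumptions for the example. Two caveats worth knowing: changing passwordStorageScheme only affects passwords set after the change, existing userPassword hashes stay as they are until each user next changes their password; and it governs only the userPassword attribute, not the Kerberos keys FreeIPA keeps for the same users. Of the names in the list, the salted variants (SSHA512 rather than SHA512) are the ones to pick; newer 389-DS releases also offer PBKDF2_SHA256, which did not exist in the 2015 list quoted here.

```shell
#!/bin/sh
# Added example for this thread (not FreeIPA or 389-DS project code):
# lint an LDIF for cn=config before handing it to ldapmodify.
# Host, port, -W prompting and the file name below are assumptions.

# Scheme names exactly as the server listed them in the error message
# in the thread (389-DS, 2015). Case matters and there is no hyphen.
VALID_SCHEMES="CLEAR CRYPT MD5 SHA SHA256 SHA384 SHA512 SMD5 SSHA SSHA256 SSHA384 SSHA512"

# valid_scheme NAME -> 0 if NAME is in VALID_SCHEMES, 1 otherwise.
valid_scheme() {
    for s in $VALID_SCHEMES; do
        if [ "$1" = "$s" ]; then
            return 0
        fi
    done
    return 1
}

# lint_ldif FILE -> 0 if clean, 1 if any problem was found (details on stderr).
# Catches what the thread hit: characters that look like spaces but are not,
# trailing whitespace, and a scheme name the server will reject.
lint_ldif() {
    file="$1"
    rc=0

    # 1. Anything outside printable ASCII 0x20-0x7E: tabs, CR from a Windows
    #    editor, or multi-byte UTF-8 such as a non-breaking space pasted from
    #    a document. LC_ALL=C makes grep match raw bytes.
    if LC_ALL=C grep -n '[^ -~]' "$file" >&2; then
        echo "lint_ldif: $file: non-ASCII or control bytes on the lines above" >&2
        rc=1
    fi

    # 2. Trailing whitespace: LDIF keeps it, so the value becomes "SHA512 ".
    if grep -n '[[:space:]]$' "$file" >&2; then
        echo "lint_ldif: $file: trailing whitespace on the lines above" >&2
        rc=1
    fi

    # 3. The scheme value itself must be one the server accepts.
    while IFS= read -r line; do
        case "$line" in
            passwordStorageScheme:*)
                val=${line#passwordStorageScheme:}
                val=${val# }          # LDIF puts one space after the colon
                if ! valid_scheme "$val"; then
                    echo "lint_ldif: $file: invalid scheme '$val'; valid: $VALID_SCHEMES" >&2
                    rc=1
                fi
                ;;
        esac
    done < "$file"

    return $rc
}

# apply_scheme_change FILE: lint, then modify cn=config as Directory Manager.
# -W prompts for the password so it never lands in shell history or ps.
apply_scheme_change() {
    lint_ldif "$1" || { echo "refusing to apply $1" >&2; return 1; }
    ldapmodify -x -H ldap://localhost:389 -D "cn=Directory Manager" -W -f "$1"
}

# Usage: sh ldif_lint.sh pw.ldif   (script and LDIF names are assumptions)
[ $# -eq 0 ] || apply_scheme_change "$1"
```

Run it against the pw.ldif that failed and the offending line is printed with its line number; a clean file prints nothing and ldapmodify runs. The check is deliberately stricter than the LDIF grammar (it rejects any non-ASCII byte), which is the right trade-off for a four-line cn=config change.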