Thanks for all of the tips. I am wondering what the best way to modify the LDAP (so I can change the password scheme) is. I tried getting the 389-console utility set up to connect but was unsuccessful. Should I just use the command line LDAP tools?
On Mar 19, 2010, at 4:43 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Walter Meyer wrote:
>> I will see if Salted SHA1 is supported and maybe Google hasn't
>> documented it yet. If not, the sync is done with the Google Servers
>> over SSL. And if only the Directory Manager can read the
>> userPassword attribute, would storing the userPassword attribute in
>> SHA1 be that insecure? What scenario could the passwords be
>> compromised if I went with this setup? Unless the Directory Manager
>> account was compromised wouldn't this be secure if all of the data
>> was being transmitted over SSL?
>> Also all logins to Google Apps are encrypted with SSL.
>
> Ok, the SSL usage makes me feel better. Using a weaker password
> encryption scheme isn't ideal but if you are protecting transmission
> of it you are probably ok. The risk is that if somehow the hash did
> get exposed it is relatively easier to crack it than a salted hash.
> Risk is something you'll need to weigh specific to your environment,
> this may be acceptable. It doesn't make my alarm bells go off but
> I'm a pretty laid back guy :-)
>
> In fact, this would be very cool if it worked. You might want to
> file an RFE with the nice folks at Google to see if they'll support
> salted hashes if they don't now and potentially move to a more
> secure environment later.
>
> As Simo pointed out you'll want to modify the default password
> encryption scheme before adding your users so you don't have to
> force round after round of password changes on them.
>
> If you decide to try it out let us know how it works.
>
> cheers
>
> rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
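An added example, not part of the thread and not FreeIPA or 389 Directory Server code, covering the two practical points above: the LDIF you send with the command line tools to change the default storage scheme (389-ds keeps it in the passwordStorageScheme attribute of cn=config), and why Rob's caveat about unsalted hashes holds. The hostname ipa.example.com in the usage comment, the list of scheme names, and the leaked sample hashes are assumptions constructed for the example; only the standard library is used, and the {SHA}/{SSHA} value layouts are the RFC 2307 style ones 389-ds writes into userPassword.

```python
"""Added example (not from the thread, FreeIPA or 389-ds).

1. password_scheme_ldif(): the LDIF an admin feeds to ldapmodify to change
   the global default userPassword storage scheme in 389 Directory Server.
2. sha_hash()/ssha_hash()/verify()/precomputed_lookup(): why an unsalted
   {SHA} hash is "relatively easier to crack" than a salted {SSHA} hash if
   the userPassword column ever leaks.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Assumed list of schemes 389-ds ships a storage plugin for. Confirm on your
# instance by listing cn=Password Storage Schemes,cn=plugins,cn=config.
KNOWN_SCHEMES = {"CLEAR", "CRYPT", "MD5", "SMD5", "SHA", "SSHA", "SSHA256", "SSHA512"}


def password_scheme_ldif(scheme: str) -> str:
    """LDIF that sets the global default storage scheme in cn=config.

    Apply it as Directory Manager (hostname is an assumption):
      ldapmodify -x -ZZ -H ldap://ipa.example.com \
          -D "cn=Directory Manager" -W -f scheme.ldif
    Only passwords set AFTER the change use the new scheme; existing
    userPassword values keep whatever hash they already have, which is
    why the scheme should be changed before users are added.
    """
    scheme = scheme.upper()
    if scheme not in KNOWN_SCHEMES:
        raise ValueError(f"unknown storage scheme {scheme!r}")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: passwordStorageScheme\n"
        f"passwordStorageScheme: {scheme}\n"
    )


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Same password -> same value."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password + salt) + salt). 389-ds uses an 8-byte salt."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} userPassword value."""
    if not stored.startswith("{"):
        raise ValueError("not a tagged hash")
    scheme, _, b64 = stored[1:].partition("}")
    raw = base64.b64decode(b64)
    if scheme.upper() == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(candidate.encode()).digest())
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())
    raise ValueError(f"unsupported scheme {scheme!r}")


def precomputed_lookup(stored_values: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Attacker's view of a leaked userPassword column.

    One table built from the wordlist recovers every unsalted {SHA} entry
    whose password is in it, for every user at once. {SSHA} entries never
    match: each salt would need its own table, i.e. per-user brute force.
    Returns {stored_value: recovered_password} for the hits.
    """
    table = {sha_hash(w): w for w in wordlist}
    return {v: table[v] for v in stored_values if v in table}


if __name__ == "__main__":
    # Constructed sample of what a leaked directory dump might contain.
    leaked = [sha_hash("password"), sha_hash("letmein"),
              ssha_hash("password"), sha_hash("Tr0ub4dor&3")]
    hits = precomputed_lookup(leaked, ["password", "letmein", "qwerty"])
    print(f"{len(hits)} of {len(leaked)} hashes recovered from one table")
    print(password_scheme_ldif("SSHA"))
```

To confirm what the instance currently uses before and after the change, a base-scope search as Directory Manager against cn=config for the passwordStorageScheme attribute is enough (`ldapsearch -x -ZZ -H ldap://ipa.example.com -D "cn=Directory Manager" -W -b cn=config -s base passwordStorageScheme`, hostname again assumed). Note that the Directory Manager's own password is governed by a separate attribute, nsslapd-rootpwstoragescheme, so the global change does not weaken it.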