On 04/02/2013 08:28 AM, Vesa Alho wrote:
I have a need to create a new attribute in which to store the password in
a different hash than the one used in 389ds. This is because a 3rd party
does not support our SSHA-512.
You can configure the password policy to use a different storage scheme:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy
Do you mean I should change the password hash/salt globally, or is there a
way to save the password in multiple attributes or something? Let's say I
have used SSHA-512 so far and then change it to SHA1. Do old
passwords remain hashed in SSHA-512, and are new or changed passwords
then hashed with SHA1?
Yes. Each userPassword value begins with {HASHTYPE}, where HASHTYPE
is the hash type, e.g. SSHA512, SHA, etc. The global password hash
setting tells the directory server which hash to use to _store_ _new_
passwords - it doesn't affect how the directory server _compares_ _existing_
password values.
No, I wouldn't think so. If you need a custom attribute, you should
properly define and use it; just using another attribute will be
confusing.
Okay, thanks for clarifying this.
2. What is the best way to add a new attribute to already existing
entries: create a script with ldapmodify commands?
yes
Thanks for the help!
-Mr. Vesa Alho
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
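
The store-versus-compare behaviour described in the thread, as an added example that is not part of the original messages and is not 389 Directory Server code. It assumes the common layout for these values, base64(digest(password + salt) + salt) after the {SCHEME} prefix; the function names and sample passwords are constructed for illustration.

```python
import base64, hashlib, hmac, os
from collections import Counter

# Scheme -> (hashlib name, digest length, salted). Assumed layout for the
# salted forms: base64(digest(password + salt) + salt).
SCHEMES = {"SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True),
           "SHA512": ("sha512", 64, False), "SSHA512": ("sha512", 64, True)}

def split_value(stored):
    """Split '{SCHEME}base64data' into (SCHEME, decoded bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value has no {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    return scheme, base64.b64decode(b64, validate=True)

def store(password, scheme, salt=None):
    """Hash a NEW password with the currently configured scheme."""
    algo, _, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def verify(password, stored):
    """Compare using the scheme named in the stored value itself."""
    scheme, raw = split_value(stored)
    algo, dlen, salted = SCHEMES[scheme]
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (salt and not salted):
        return False
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def scheme_census(values):
    """Count stored values per scheme, e.g. to see what is still on the old one."""
    return Counter(split_value(v)[0] for v in values)

def demo():
    old = store("correct horse", "SSHA512")   # set while scheme was SSHA512
    new = store("password", "SHA")            # set after switching to SHA
    return old, new, scheme_census([old, new])

if __name__ == "__main__":
    print(demo())
```

Because a value only changes scheme when its password is next set, a census like `scheme_census` over exported userPassword values shows how many entries are still stored under the previous scheme.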