Thank you. Yesterday I found a ticket for the PBKDF2 feature, https://fedorahosted.org/389/ticket/397. I believe this is what I need, so we'll have to find another option, as also suggested. Thank you for your response.

-- Trevor

-----Original Message-----
From: William Brown [mailto:wibrown@xxxxxxxxxx]
Sent: Monday, March 07, 2016 5:28 PM
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [389-users] Re: User Password Hash Support

On Thu, 2016-03-03 at 18:19 +0000, Wendt, Trevor wrote:
> Is there a way for 389ds to support an ldif import of users with a
> password format of "{SHA-256, 10000, 24}<hash_string_87_characters_long>=" ?
>
> Currently the import is successful but 389ds converts it to an SSHA
> format and salt pairing, but when trying to authenticate with the known
> password, the account fails.
>
> Thanks.
>

Hi,

I think that because the hash is unrecognised to 389-ds, it's assuming it needs to "hash the contents of the userPassword string". That's why the passwords end up not working.

Where is this {FORMAT ...} defined and coming from? I am assuming it means {ALGO, ROUNDS, SALT LEN}?

You should set the hash algo to something like SSHA512 in cn=config (dse.ldif).

To do the import, you likely need to:

* Get clear text passwords, and let DS do the hashing.
* Get password hashes that match what DS is expecting, and then it will "just work", i.e. {SSHA512}<hash here>.
* Write the plugin that supports your hash format (HARD).
* Run up the DS instance with the "broken hashes", then do a password migration style, where when the user auths correctly to the old instance, it sets the password on DS.
There is currently an open ticket to enable this password migration functionality natively into DS, but for now you'll have to use something out of band, I'm sorry. I hope that this helps.

--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane

--
389 users mailing list
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
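Added example (not code from the thread or from the 389-ds project) showing what William's second and fourth options look like in practice: produce userPassword values in the {SSHA512} form that 389-ds stores verbatim, verify them the same way the server does (everything after the 64-byte digest is the salt), emit the cn=config change behind "set the hash algo to SSHA512" (the attribute is passwordStorageScheme), and an LDIF modify for the bind-time migration step. The DNs, the user attributes and the verify_old callback are assumptions for illustration; the original "{SHA-256, 10000, 24}..." format is not reconstructed here because the thread never pins down its encoding, so the old-store check is a stand-in you would replace with whatever verifies those hashes.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# 389-ds {SSHA512} layout: base64( SHA-512(password || salt) || salt ).
# The server uses an 8-byte salt when it hashes a cleartext itself; when it
# verifies, it treats whatever follows the 64-byte digest as the salt, so
# other salt lengths still verify.
PREFIX = "{SSHA512}"
DIGEST_LEN = 64
SALT_LEN = 8


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value 389-ds will store as-is (no re-hashing)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Check a cleartext against a {SSHA512} value using the server's split."""
    if not stored.startswith(PREFIX):
        return False  # an unrecognised scheme is exactly the thread's failure mode
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_set_storage_scheme(scheme: str = "SSHA512") -> str:
    """cn=config change so that any cleartext DS hashes itself uses `scheme`."""
    return "\n".join([
        "dn: cn=config",
        "changetype: modify",
        "replace: passwordStorageScheme",
        f"passwordStorageScheme: {scheme}",
        "",
    ])


def ldif_add_user(dn: str, uid: str, cleartext: str,
                  salt: Optional[bytes] = None) -> str:
    """LDIF add record with a pre-hashed userPassword (assumed schema/DN)."""
    return "\n".join([
        f"dn: {dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"userPassword: {ssha512_hash(cleartext, salt)}",
        "",
    ])


def migration_modify(dn: str, cleartext: str,
                     verify_old: Callable[[str], bool]) -> Optional[str]:
    """Bind-time migration: if the cleartext checks out against the old store
    (verify_old is a stand-in for the legacy hash check), emit an LDIF modify
    that writes the cleartext so DS re-hashes it with its own scheme."""
    if not verify_old(cleartext):
        return None
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {cleartext}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample, fixed salt so the output is reproducible.
    value = ssha512_hash("correct horse", salt=b"\x01" * SALT_LEN)
    print(value, ssha512_verify("correct horse", value))
    print(ldif_set_storage_scheme())
    print(ldif_add_user("uid=alice,ou=people,dc=example,dc=com", "alice", "correct horse"))
```

One caveat for the online path: an offline ldif2db import stores a recognised {SCHEME} value untouched, but when a pre-hashed value is sent over LDAP (ldapadd/ldapmodify) 389-ds only accepts it from Directory Manager unless nsslapd-allow-hashed-passwords is enabled in cn=config; otherwise it is treated as cleartext and hashed again, which is the same symptom the thread describes.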