On Wed, 2018-05-09 at 12:15 +0000, murmansk@xxxxxxxxxxx wrote: > I'm trying to change our Password Storage Scheme to PBKDF2_SHA256 > using the 389 Console, but the scheme is not present in the list. PBKDF2_SHA256 does not work on EL7 due to a limitation with the NSS crypto provider. At start up it will drop and error in your logs like "crypto provider not available" or something. It's only available in 1.4.x. on fedora today, and will be supported in a "future version" for EL. The plugin "exists" in 1.3.x because that's where I developed it (against fedora) at the time, but due to a mistake on my part, I allowed it to be configured and built on EL7. For that I apologise. Today, sadly this does mean the strongest hash type is SSHA512 still, but 1.4.x will upgrade this. Please also note that the "config upgrade" mechanism will come into play in 1.3.6 and higher, so if you "omit" password-scheme in cn=config your server will always upgrade to the strongest password hash type available when you yum upgrade - long term this may be better for you as other mechs are added. Thanks, > > When using ldapsearch in "cn=Password Storage > Schemes,cn=plugins,cn=config" this is the result: > dn: cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=MD5,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config > dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config > > This are the versions of the packages that I have installed: > # yum list installed | grep 389 > 389-admin.x86_64 1.1.46-1.el7 @epel > 389-admin-console.noarch 1.1.12-1.el7 @epel > 389-adminutil.x86_64 1.1.21-2.el7 @epel > 389-ds-base.x86_64 1.3.7.5- > 19.el7_5 @rhel_server7 > 389-ds-base-libs.x86_64 1.3.7.5- > 19.el7_5 @rhel_server7 > 389-ds-base-snmp.x86_64 1.3.7.5- > 19.el7_5 @rhel_server7 > 389-ds-console.noarch 1.2.16-1.el7 @epel > > Do I have to do something to enable/install the PBKDF2_SHA256 > password storage scheme? > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o > rg _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
