On 05/15/2018 03:19 AM, Marian Rainer-Harbach wrote: > Hi William, > >> PBKDF2_SHA256 does not work on EL7 due to a limitation with the NSS >> crypto provider. At start up it will drop and error in your logs like >> "crypto provider not available" or something. >> >> It's only available in 1.4.x. on fedora today, and will be supported in >> a "future version" for EL. >> >> The plugin "exists" in 1.3.x because that's where I developed it >> (against fedora) at the time, but due to a mistake on my part, I >> allowed it to be configured and built on EL7. For that I apologise. > this is very interesting to me. We had a discussion on PBKDF2_SHA256 on RHEL 7.4 last autumn: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/thread/3SPWGFI7JX4V5U4ACOX4P3BSQVF5XEWB/ > > Does your quote here explain the behavior I saw in our discussion? > > I'm confused now because we still have the PBKDF2_SHA256 plugin enabled on our servers and the Directory Manager password is actually hashed using PBKDF2_SHA256. It does work and I also cannot find any log messages containing "crypto" or "provider". > > We are currently using RHEL 7.5 and 389-ds-base 1.3.7.5-19.el7_5. This does not affect Fedora or RHEL (so you are okay), only epel builds like Centos. The good news is that it is not used by default in 389-ds-base-1.3.x, so nothing is broken out of the box for those platforms. > > Thanks, > Marian > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
