Am 2018-08-16 15:33, schrieb Mark Reynolds:
I created a user in 389-ds and exported it and it did not contain any
such hint.
How did you "export" the user? Did you use db2ldif tool?
I used the gui ;-)
I also used the gui (389 management console) to import the export from
the old system.
What is the default algorithm that is used to encrypt passwords?
Depends on what version of 389-ds-base you are using.
389-ds-base-1.3.7.5-24.el7_5.x86_64
In some
versions it is SHA512, in newer versions it's PBKDF2, but the server
supports all of these algorithms (including all the open-ds ones).
How can I switch it to sha512 - and how can I store encrypted
passwords with different algorithms?
You have to reset/change the passwords for them to get rehashed. There
is no way to just convert an existing password as all of these
password hashing algorithms are one way (not reversible).
I meant, how can I import the hashes and tell 389-ds the format?
In the current setup, the old sha1 and sha2 passwords can apparently
coexist together at the same time.
I think they have around 9k users in there and the nature of the client
means that they have to contact these people all by snail-mail, possibly
with a registered letter if we ever needed to reset all these passwords.
I'm not 100% sure, but it's a good bet.
This is not something I'd look forward for to explain to the
customer....
Best Regards
Rainer
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/23Z7XN5M26NBN7ABE3QIUPUEOYSEY5P7/
