On 08/16/2018 09:51 AM, rainer@xxxxxxxxxxxxxxx wrote:
Am 2018-08-16 15:33, schrieb Mark Reynolds:
I created a user in 389-ds and exported it and it did not contain
any such hint.
How did you "export" the user? Did you use db2ldif tool?
I used the gui ;-)
I also used the gui (389 management console) to import the export from
the old system.
What is the default algorithm that is used to encrypt passwords?
Depends on what version of 389-ds-base you are using.
389-ds-base-1.3.7.5-24.el7_5.x86_64
In some
versions it is SHA512, in newer versions it's PBKDF2, but the server
supports all of these algorithms (including all the open-ds ones).
How can I switch it to sha512 - and how can I store encrypted
passwords with different algorithms?
You have to reset/change the passwords for them to get rehashed. There
is no way to just convert an existing password as all of these
password hashing algorithms are one way (not reversible).
I meant, how can I import the hashes and tell 389-ds the format?
It doesn't work that way, You have to "change" the password to get it
rehashed to whatever the server is configured to use. Import/exporting
does not do that.
In the current setup, the old sha1 and sha2 passwords can apparently
coexist together at the same time.
Yup that's fine. The server supports most password hashing algos.
I think you are trying to fix a problem that is NOT a problem. :-) There
is nothing wrong with entries having different password storage schemes,
and the server supports all the schemes you previously mentioned.
Everything should just work. Then as passwords get changed they will
get rehashed using the default password storage scheme that is
configured in DS (either SHA512 or PBKDF2).
Mark
I think they have around 9k users in there and the nature of the
client means that they have to contact these people all by snail-mail,
possibly with a registered letter if we ever needed to reset all these
passwords. I'm not 100% sure, but it's a good bet.
This is not something I'd look forward for to explain to the customer....
Best Regards
Rainer
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/23Z7XN5M26NBN7ABE3QIUPUEOYSEY5P7/
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/HZLWOBJLFSLSI4AIVVA3KG26RNO2ZBED/
