Am 2018-08-16 15:58, schrieb Mark Reynolds:
On 08/16/2018 09:51 AM, rainer@xxxxxxxxxxxxxxx wrote:
How can I switch it to sha512 - and how can I store encrypted
passwords with different algorithms?
You have to reset/change the passwords for them to get rehashed.
There
is no way to just convert an existing password as all of these
password hashing algorithms are one way (not reversible).
So, 389-ds can't use the current hashes?
I meant, how can I import the hashes and tell 389-ds the format?
It doesn't work that way, You have to "change" the password to get it
rehashed to whatever the server is configured to use. Import/exporting
does not do that.
In the current setup, the old sha1 and sha2 passwords can apparently
coexist together at the same time.
Yup that's fine. The server supports most password hashing algos.
I think you are trying to fix a problem that is NOT a problem. :-)
There is nothing wrong with entries having different password storage
schemes, and the server supports all the schemes you previously
mentioned. Everything should just work. Then as passwords get
changed they will get rehashed using the default password storage
scheme that is configured in DS (either SHA512 or PBKDF2).
I'll try to use the ldif2db tool...
https://www.spinics.net/linux/fedora/389-users/msg16789.html
I didn't know this existed.
Thanks for your input so far.
Best Regards
Rainer
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/XC5BUFN45TVHTJU7PZP6EGUM6BSAVXFR/
