On 2/12/19 at 1:15, William Brown wrote:
>
>> On 30 Nov 2019, at 03:50, Mark Reynolds <mreynolds@xxxxxxxxxx> wrote:
>>
>> This is the expected behavior. We now automatically upgrade password storage schemes to PBKDF2 in 1.4.2 - which is the strongest hashing algorithm we offer. MD5 is not considered secure anymore. You can disable this "hash upgrade" feature by setting: nsslapd-enable-upgrade-hash to "off" under cn=config
>
> To echo what Mark has said here, MD5 today should be considered as equivalent to "cleartext" storage. Generally any storage scheme less than SSHA512 should not be used for a variety of security and compliance reasons.
>
> If you are using MD5 for one of the SASL MD5 mechanisms, these are also considered insecure, and you should opt for LDAPS (TLS) with simple bind or SASL-PLAIN instead.
>

Mark and William, thank you very much for your kind answers.

I was adding the users using this perl code:

    use Authen::Passphrase::SaltedDigest;

    my $apr = Authen::Passphrase::SaltedDigest->new(
        passphrase => $password,
        algorithm  => "MD5");
    my $userPassword = $apr->as_rfc2307();

Then matching with that:

    use Authen::Passphrase;

    Authen::Passphrase->from_rfc2307($password_ldap)->match($password);

I see now I have to use another algorithm like SSHA512 instead of MD5 and use PBKDF2 as storage scheme instead of rfc2307. But that is not 389 related.

Anyway congratulations for this directory server project and thank you for your fast and nice support.
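
The upgrade-on-bind behaviour Mark describes, as an added sketch that is not part of the original thread and is not 389 Directory Server's code: a stored RFC 2307 style digest is verified at bind time and, only on success, replaced with a PBKDF2 value. The `X-PBKDF2-SHA256` label, its `$`-separated layout, the iteration count and all function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 style digest schemes: base64(digest(password + salt) + salt); {MD5} has no salt
DIGEST_SCHEMES = {"MD5": "md5", "SMD5": "md5", "SSHA": "sha1",
                  "SSHA256": "sha256", "SSHA512": "sha512"}
STRONG = "X-PBKDF2-SHA256"   # made-up label and layout, not 389-ds's on-disk format
ITERATIONS = 100_000         # assumed work factor


def make_legacy(scheme, password, salt=b""):
    digest = hashlib.new(DIGEST_SCHEMES[scheme], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def make_pbkdf2(password, salt=None, iterations=ITERATIONS):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    fields = (str(iterations), base64.b64encode(salt).decode(), base64.b64encode(dk).decode())
    return "{%s}%s" % (STRONG, "$".join(fields))


def verify(stored, password):
    scheme, sep, payload = stored[1:].partition("}")
    if not stored.startswith("{") or not sep:
        return False                        # no scheme prefix: refuse
    scheme = scheme.upper()
    if scheme == STRONG:
        iterations, salt_b64, dk_b64 = payload.split("$")
        salt = base64.b64decode(salt_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    if scheme not in DIGEST_SCHEMES:
        return False
    size = hashlib.new(DIGEST_SCHEMES[scheme]).digest_size
    raw = base64.b64decode(payload)         # digest first, salt (if any) after it
    candidate = hashlib.new(DIGEST_SCHEMES[scheme], password.encode() + raw[size:]).digest()
    return hmac.compare_digest(candidate, raw[:size])


def bind(stored, password):
    """Return (authenticated, value_to_store); re-hash only after a successful bind."""
    if not verify(stored, password):
        return False, stored                # a failed bind never changes the entry
    if not stored.upper().startswith("{%s}" % STRONG):
        return True, make_pbkdf2(password)  # the cleartext is only available at bind time
    return True, stored
```

Because the stored value is rewritten in the new scheme after the first successful bind, a client that parses userPassword itself and only understands the old scheme can no longer match it afterwards.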