Re: How do I change the root password storage scheme to CRYPT-SHA512 through dsconf?

On 4/16/21 3:04 AM, spike wrote:

Hi everyone,

I'd like to change the default root password storage scheme from PBKDF2_SHA256 to CRYPT-SHA512 but I'm not having much success. I'm using the RHDS 11 documentation (https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#change_directory_manager_storage_scheme-CLI) as a reference since the 389ds documentation page (https://directory.fedoraproject.org/docs/389ds/documentation.html) refers to that as "The best documentation for use and deployment". The 389ds version is 1.4.4.15 which should correspond with RHDS 11.

Looks like we have a doc bug :-(

This is the procedure:

dsconf slapd-YOUR_INSTANCE config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512

dsconf slapd-YOUR_INSTANCE directory_manager password_change --> this will prompt you for the new password

That should do it.

HTH,

Mark


What I've tried:

# mkpasswd -m sha512crypt secret
$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/
# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 nsslapd-rootpw="{crypt}$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/"
selinux is disabled, will not relabel ports or files.
Successfully replaced "nsslapd-rootpwstoragescheme"
selinux is disabled, will not relabel ports or files.
Successfully replaced "nsslapd-rootpw"


Which results in me being unable to log in (bind non-anonymously). I've also tried:

# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 nsslapd-rootpw="{CRYPT-SHA512}$6$gOiCU3fNsdrH9.mR$fVxs..."

and

# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 nsslapd-rootpw="$6$gOiCU3fNsdrH9.mR$fVxs..."

which were also unsuccessful (login not possible).

Setting a `CRYPT-SHA512` password through the 389ds cockpit UI plugin works fine though, so I'm pretty sure I'm just not getting the syntax for `dsconf` correctly.

Any pointers are greatly appreciated.

Cheers!
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--

389 Directory Server Development Team
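
Separately from the procedure given in the reply, any crypt(3) string passed on a shell command line inside double quotes is subject to `$` expansion before the command receives it. The following is an added example, not part of the thread and not 389-ds code: it checks whether a value is still a well-formed `$6$` string after quoting, using the mkpasswd output quoted above. The function names are hypothetical, and it makes no claim about which value formats dsconf accepts for nsslapd-rootpw.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of dsconf or 389-ds.
# The hash is the mkpasswd output quoted in the thread.

# Return 0 if $1, with any leading {SCHEME} tag removed, is a well-formed
# SHA-512 crypt(3) string: $6$[rounds=N$]<salt 1-16>$<digest 86>.
is_sha512_crypt() {
    value=$(printf '%s\n' "$1" | sed 's/^{[^}]*}//')
    printf '%s\n' "$value" |
        grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# Single quotes: the shell passes the string through untouched.
single_quoted() {
    printf '%s' '{crypt}$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/'
}

# Double quotes: $6, $gOiCU3fNsdrH9 and $fVxs...mIy are expanded as (unset)
# parameters, so only the literal fragments after each "." survive.
double_quoted() {
    ( set +u
      printf '%s' "{crypt}$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/" )
}

# Show what each quoting style would hand to a command.
for f in single_quoted double_quoted; do
    v=$($f)
    if is_sha512_crypt "$v"; then
        echo "$f: well-formed  -> $v"
    else
        echo "$f: NOT a \$6\$ hash -> $v"
    fi
done
```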



