>>
>> passwordStorageScheme: SSHA512
>>
>> But if passwords are already in PBKDF2, then you will have to reset those
passwords. There is no undoing it without a full reset of the password at this time.
>
> Yes, that's what the docs say, but a simple bind seems to be enough for me. I
tested this and actually I could go back and forth between storage schemes using a simple
bind.
In newer versions we do have a "update password on bind", but I didn't
think it was in that version and I wasn't sure if it downgraded schemes. I guess it
does :-)
It "updates" to the current default scheme, which if you haven't defined
will be PBKDF2, so for most sites it's an "upgrade". But as you note, if you
over-ride this and set your own scheme, on bind, yes it will "downgrade" to the
type you need. IIRC there is actually a test for that exact use case in the integration
test suites ...
> I am very happy with 389ds, its saved my ass...
Great, we really appreciate that!
Awesome! If you have more questions we'd love to hear them :)
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia