On Thu, 2016-03-03 at 18:19 +0000, Wendt, Trevor wrote:
Is there a way for 389ds to support an ldif import of users with a password
format of "{SHA-256, 10000, 24}<hash_string_87_characters_long>=" ?
Currently the import is successful but 389ds converts it to an SSHA format and
salt pairing but when trying authenticate with the known password, account
fails.
Thanks.
Hi,
I think that because the hash is unrecognised to 389-ds, it's assuming it needs
to "hash the contents of the userPassword string". That's why the passwords
end up not working.
Where is this {FORMAT ...} defined and coming from? I am assuming it means {ALGO,
ROUNDS, SALT LEN}?
You should set the hash algo to something like SSHA512 in cn=config (dse.ldif)
To do the import, you likely need to:
* Get clear text passwords, and let DS do the hashing.
* Get password hashes that match what DS is expecting, and then it will "just
work", i.e. {SSHA512}<hash here>.
* Write the plugin that supports your hash format (HARD)
* Run up the DS instance with the "broken hashes", then do a password migration
style, where when the user auths correctly to the old instance, it sets the
password on ds.
There is currently an open ticket to enable this password migration functionality
natively into DS, but for now you'll have to use something out of band I'm
sorry.
I hope that this helps.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane