[389-users] Re: User Password Hash Support

On Thu, 2016-03-03 at 18:19 +0000, Wendt, Trevor wrote: Hi, I think that because the hash is unrecognised to 389-ds, it's assuming it needs to "hash the contents of the userPassword string". That's why the passwords end up not working. Where is this {FORMAT ...} defined and coming from? I am assuming it means {ALGO, ROUNDS, SALT LEN}?  You should set the hash algo to something like SSHA512 in cn=config (dse.ldif) To do the import, you likely need to: * Get clear text passwords, and let DS do the hashing.  * Get password hashes that match what DS is expecting, and then it will "just work.". IE {SSHA512}<hash here>. * Write the plugin that supports your hash format (HARD) * Run up the DS instance with the "broken hashes", then do a password migration style, where when the user auths correctly to the old instance, it sets the password on ds. There is currently an open ticket to enable this password migration functionality natively into DS, but for now you'll have to use something out of band I'm sorry.  I hope that this helps.    -- Sincerely, William Brown Software Engineer Red Hat, Brisbane