Thank you. Yesterday I found a ticket for the PBKDF2 feature,
https://fedorahosted.org/389/ticket/397. I believe this is what I need, so we'll have to
find another option, as also suggested. Thank you for your response.
-- Trevor
-----Original Message-----
From: William Brown [mailto:wibrown@redhat.com]
Sent: Monday, March 07, 2016 5:28 PM
To: 389-users(a)lists.fedoraproject.org
Subject: [389-users] Re: User Password Hash Support
On Thu, 2016-03-03 at 18:19 +0000, Wendt, Trevor wrote:
> Is there a way for 389ds to support an ldif import of users with a
> password format of "{SHA-256, 10000,
> 24}<hash_string_87_characters_long>=" ?
> Currently the import is successful, but 389ds converts it to an SSHA
> format and salt pairing, and when trying to authenticate with the known
> password, the account fails.
> Thanks.
Hi,
I think that because the hash is unrecognised to 389-ds, it's assuming it needs to
"hash the contents of the userPassword string". That's why the passwords end
up not working.
Where is this {FORMAT ...} defined and coming from? I am assuming it means {ALGO, ROUNDS,
SALT LEN}?
You should set the hash algo to something like SSHA512 in cn=config (dse.ldif)
To do the import, you likely need to:
* Get clear text passwords, and let DS do the hashing.
* Get password hashes that match what DS is expecting, and then it will "just
work", i.e. {SSHA512}<hash here>.
* Write the plugin that supports your hash format (HARD).
* Run up the DS instance with the "broken hashes", then do a password-migration
style setup, where, when the user authenticates correctly to the old instance, it sets the
password on DS.
There is currently an open ticket to enable this password migration functionality natively
in DS, but for now you'll have to use something out of band, I'm sorry.
I hope that this helps.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
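As an added example (not code from this thread or from 389-ds), here is a pre-import check for the re-hashing pitfall William describes, together with a generator and verifier for the {SSHA512} form he recommends. The scheme list, the 8-byte salt length, the entry names and the placeholder hash are assumptions constructed for the example.

```python
import base64
import hashlib
import os
import re

# Schemes assumed to be understood by 389-ds for pre-hashed imports (assumption: check the
# passwordStorageScheme values your version accepts). Any other prefix, such as the
# "{SHA-256, 10000, 24}" form in the thread, is taken as clear text and re-hashed on import.
KNOWN_SCHEMES = {"CLEAR", "CRYPT", "MD5", "SMD5", "SHA", "SSHA", "SHA256", "SSHA256",
                 "SHA384", "SSHA384", "SHA512", "SSHA512", "PBKDF2_SHA256"}
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes

def make_ssha512(password, salt=None):
    """Build a {SSHA512} value as DS stores it: base64(sha512(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # 8-byte random salt (DS's default length: assumption)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha512(password, stored):
    """Check a password against a {SSHA512} value; the salt is whatever follows the digest."""
    if not stored.startswith("{SSHA512}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    return hashlib.sha512(password.encode("utf-8") + salt).digest() == digest

def find_unrecognised_hashes(ldif_text):
    """Return (dn, userPassword) pairs whose scheme prefix DS would not recognise."""
    flagged, dn = [], None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("userpassword:"):
            value = line.split(":", 1)[1].strip()
            if value.startswith(":"):  # "userPassword:: <base64>" LDIF encoding
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            match = re.match(r"\{([A-Za-z0-9_-]+)", value)
            if not match or match.group(1).upper() not in KNOWN_SCHEMES:
                flagged.append((dn, value))
    return flagged

# Constructed sample LDIF: one entry in the thread's format (placeholder, not a real hash)
# and one already in a scheme DS accepts, so only the first should be flagged.
SAMPLE_LDIF = (
    "dn: uid=user1,ou=People,dc=example,dc=com\n"
    "userPassword: {SHA-256, 10000, 24}PLACEHOLDER_NOT_A_REAL_HASH=\n"
    "dn: uid=user2,ou=People,dc=example,dc=com\n"
    "userPassword: " + make_ssha512("correct horse", salt=b"\x00" * 8) + "\n"
)
```

Run the check over the real LDIF before importing; every flagged entry is one DS will silently re-hash as clear text.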