Hi list,
we upgraded from 1.3.5.15-1.fc24 to 1.3.7.5-24.el7. This is a multi-master replication environment. We are seeing that the passwd encryption for new users in the new 389-DS has been changed and it is causing some grief. Both versions have the same string at the start of the passwd: 'e1NTSE', BUT the latest 389-DS has one additional new line. Is there anything we can do to have the same encryption pattern?
Thank you
here are more details from DS cfg
* 389-DS 1.3.5.15 fc 24

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.1
nsSSL3Ciphers: default
allowWeakCipher: off
nsKeyfile: alias/slapd-xxxx-key3.db
nsCertfile: alias/slapd-xxxx-cert8.d
numSubordinates: 1

* and 389-DS 1.3.7.5-24.el7

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: SSL3.0
nsSSL3Ciphers: default
allowWeakCipher: off
nsKeyfile: alias/slapd-xxx-key3.db
nsCertfile: alias/slapd-xxx-cert8.db
CACertExtractFile: /etc/dirsrv/slapd-ldap/xxxxxxxx.pem
modifiersName: cn=server,cn=plugins,cn=config
modifyTimestamp: 20180801192432Z
numSubordinates: 1
________________________________
From: Ghiurea, Isabella
Sent: Wednesday, October 31, 2018 10:25 AM
To: 389-users@lists.fedoraproject.org
Subject: issues with password encryption changes after upgrade

Hi list,
we upgraded from 1.3.5.15-1.fc24 to 1.3.7.5-24.el7. This is a multi-master replication environment. We are seeing that the passwd encryption for new users in the new 389-DS has been changed and it is causing some grief. Both versions have the same string at the start of the passwd: 'e1NTSE', BUT the latest 389-DS has one additional new line. Is there anything we can do to have the same encryption pattern?
Thank you
Mark, thank you for the reply,
we are running CentOS 7 with
389-DS 1.3.7.5-24.el7
and getting the following: passwordStorageScheme: SSHA512. Should we change the ldap passwd encryption to PBKDF2_SHA256 then, for 'safety' reasons?
The grief is caused by this: we have two systems, each with its own ldap version, one old ldap (1.3.5 fc24) using SSHA and this new ldap version using SSHA512. Some of the users from this one need to be added manually to the old ldap, and the passwd encryption conversion seems to be an issue. I do not know how to translate individual users' encrypted passwd from SSHA512 to SSHA?
On 10/31/18 1:25 PM, Ghiurea, Isabella wrote:
> Hi list,
> we upgraded from 1.3.5.15-1.fc24 to 1.3.7.5-24.el7

What platform are you on now? Do you see any errors in the errors log when the server starts up?

> , this is a multi-master replication environment. We are seeing that the passwd encryption for new users in the new 389-DS has been changed and it is causing some grief. Both versions have the same string at the start of the passwd: 'e1NTSE', BUT the latest 389-DS has one additional new line. Is there anything we can do to have the same encryption pattern?

What do you mean by one additional line?
What is actually breaking and causing you grief?
What does this search return:
ldapsearch -D "cn=directory manager" -xLLL -W -b cn=config -s base objectclass=top passwordStorageScheme
It probably returns:
passwordStorageScheme: PBKDF2_SHA256
This is a more secure hashing algorithm for user passwords than the previous default scheme "SSHA512". You can change the passwordStorageScheme to any scheme you want, but it will be less secure than PBKDF2_SHA256.
Regards,
Mark
> Thank you
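
An added example, not part of the thread or of 389-DS's own code: it parses `{SSHA}` and `{SSHA512}` values, shows why both base64-encoded LDIF values begin with `e1NTSE` (the base64 of the leading `{SSH` bytes), why the longer SSHA512 value folds onto one more LDIF line, and that moving a user to another scheme requires the cleartext password. The function names, the 8-byte salt and the 76-column fold width are assumptions made for this sketch, and the password is constructed sample data.

```python
import base64, hashlib, hmac, os

# scheme -> (hashlib name, digest bytes); stored value is {SCHEME}base64(digest + salt)
SCHEMES = {"SSHA": ("sha1", 20), "SSHA512": ("sha512", 64)}

def make_hash(scheme, password, salt=None):
    """Hash a cleartext password; the 8-byte salt length is an assumption."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(SCHEMES[scheme][0], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def parse(stored):
    """Split a stored value into (scheme, digest, salt)."""
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    size = SCHEMES[scheme][1]
    return scheme, raw[:size], raw[size:]

def verify(stored, password):
    """Recompute the salted digest from the cleartext and compare in constant time."""
    scheme, digest, salt = parse(stored)
    candidate = hashlib.new(SCHEMES[scheme][0], password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rehash(stored, password, target):
    """Changing scheme needs the cleartext: the digest alone cannot be converted."""
    return make_hash(target, password) if verify(stored, password) else None

def ldif_lines(stored, width=76):
    """Render as base64 'userPassword:: ...' folded LDIF (width is an assumption)."""
    line = "userPassword:: " + base64.b64encode(stored.encode()).decode()
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])  # continuation lines start with a space
        rest = rest[width - 1:]
    return out

if __name__ == "__main__":
    for scheme in SCHEMES:
        stored = make_hash(scheme, "constructed-sample-pw")
        print(scheme, verify(stored, "constructed-sample-pw"))
        print("\n".join(ldif_lines(stored)))
```
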