Am 2018-08-16 15:58, schrieb Mark Reynolds:
On 08/16/2018 09:51 AM, rainer(a)ultra-secure.de wrote:
>>> How can I switch it to sha512 - and how can I store
encrypted
>>> passwords with different algorithms?
>> You have to reset/change the passwords for them to get rehashed.
>> There
>> is no way to just convert an existing password as all of these
>> password hashing algorithms are one way (not reversible).
So, 389-ds can't use the current hashes?
> I meant, how can I import the hashes and tell 389-ds the format?
It doesn't work that way, You have to "change" the password to get it
rehashed to whatever the server is configured to use. Import/exporting
does not do that.
> In the current setup, the old sha1 and sha2 passwords can apparently
> coexist together at the same time.
Yup that's fine. The server supports most password hashing algos.
I think you are trying to fix a problem that is NOT a problem. :-)
There is nothing wrong with entries having different password storage
schemes, and the server supports all the schemes you previously
mentioned. Everything should just work. Then as passwords get
changed they will get rehashed using the default password storage
scheme that is configured in DS (either SHA512 or PBKDF2).
I'll try to use the ldif2db tool...
https://www.spinics.net/linux/fedora/389-users/msg16789.html
I didn't know this existed.
Thanks for your input so far.
Best Regards
Rainer