On 2018-08-16 15:33, Mark Reynolds wrote:
> I created a user in 389-ds and exported it and it did not contain
> such hint.
How did you "export" the user? Did you use the db2ldif tool?
I used the gui ;-)
I also used the gui (389 management console) to import the export from
the old system.
> What is the default algorithm that is used to encrypt passwords?
Depends on what version of 389-ds-base you are using.
versions it is SHA512, in newer versions it's PBKDF2, but the server
supports all of these algorithms (including all the open-ds ones).
> How can I switch it to sha512 - and how can I store encrypted
> passwords with different algorithms?
You have to reset/change the passwords for them to get rehashed. There
is no way to just convert an existing password as all of these
password hashing algorithms are one way (not reversible).
I meant, how can I import the hashes and tell 389-ds the format?
In the current setup, the old sha1 and sha2 passwords can apparently
coexist together at the same time.
I think they have around 9k users in there and the nature of the client
means that they have to contact these people all by snail-mail, possibly
with a registered letter if we ever needed to reset all these passwords.
I'm not 100% sure, but it's a good bet.
This is not something I'd look forward to explaining to the