Hi,
I have a need to create a new attribute in which to store the password in a different hash than the one used in 389ds. This is because a 3rd party does not support our SSHA-512. I'm planning to add an attribute, but I have a couple of basic questions:
1. I have understood it's usually good to avoid creating custom attributes? So is it good practice to use some unused attribute for this kind of purpose? For example, I found "usercertificate".
2. What is the best way to add a new attribute to already existing entries? Create a script with ldapmodify commands?
-Mr. Vesa Alho
Hi,
On 04/02/2013 02:02 PM, Vesa Alho wrote:
> Hi,
> I have a need to create a new attribute in which to store the password in a different hash than the one used in 389ds. This is because a 3rd party does not support our SSHA-512.
You can configure the password policy to use a different storage scheme: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/...
> I'm planning to add an attribute, but I have a couple of basic questions:
> - I have understood it's usually good to avoid creating custom attributes? So is it good practice to use some unused attribute for this kind of purpose? For example, I found "usercertificate".
No, I wouldn't think so. If you need a custom attribute, you should properly define and use it; just using another attribute will be confusing.
> - What is the best way to add a new attribute to already existing entries? Create a script with ldapmodify commands?
Yes.
Ludwig
> -Mr. Vesa Alho
389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
>> I have a need to create a new attribute in which to store the password in a different hash than the one used in 389ds. This is because a 3rd party does not support our SSHA-512.
> You can configure the password policy to use a different storage scheme: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/...
Do you mean I should change the password hash/salt globally, or is there a way to save the password in multiple attributes or something? Let's say I have used SSHA-512 so far and then change it to SHA1. Do old passwords remain hashed in SSHA-512, and are new or changed passwords then hashed with SHA1?
> No, I wouldn't think so. If you need a custom attribute, you should properly define and use it; just using another attribute will be confusing.
Okay, thanks for clarifying this.
>> - What is the best way to add a new attribute to already existing entries? Create a script with ldapmodify commands?
> Yes.
Thanks for help!
-Mr. Vesa Alho
On 04/02/2013 08:28 AM, Vesa Alho wrote:
>>> I have a need to create a new attribute in which to store the password in a different hash than the one used in 389ds. This is because a 3rd party does not support our SSHA-512.
>> You can configure the password policy to use a different storage scheme: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/...
> Do you mean I should change the password hash/salt globally, or is there a way to save the password in multiple attributes or something? Let's say I have used SSHA-512 so far and then change it to SHA1. Do old passwords remain hashed in SSHA-512, and are new or changed passwords then hashed with SHA1?
Yes. Each userPassword value begins with {HASHTYPE}, where HASHTYPE is the hash type, e.g. SSHA512, SHA, etc. The global password hash setting tells the directory server which hash to use to _store_ _new_ passwords - it doesn't affect how directory server _compares_ _existing_ password values.
>> No, I wouldn't think so. If you need a custom attribute, you should properly define and use it; just using another attribute will be confusing.
> Okay, thanks for clarifying this.
>>> - What is the best way to add a new attribute to already existing entries? Create a script with ldapmodify commands?
>> Yes.
> Thanks for help!
> -Mr. Vesa Alho
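The {HASHTYPE} prefix behaviour described in the last reply, as an added Python example that is not part of the thread and is not 389 Directory Server code. It assumes the common LDAP layout base64(digest + salt) for salted schemes; the passwords and values are constructed samples, and the census helper shows how an exported set of userPassword values can be checked for weaker hashes that remain after a scheme change.

```python
import base64
import hashlib
import hmac
from collections import Counter

# Digest function per scheme name; the S-prefixed schemes append a salt.
DIGESTS = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
           "SHA512": hashlib.sha512, "SSHA512": hashlib.sha512}


def split_scheme(stored: str) -> tuple[str, bytes]:
    """Split '{SCHEME}base64' into (SCHEME, raw bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix (cleartext or unknown format)")
    scheme, _, b64 = stored[1:].partition("}")
    return scheme.upper(), base64.b64decode(b64)


def make_hash(password: str, scheme: str, salt: bytes = b"") -> str:
    """Build a stored value the way a 'store new password' step would."""
    digest = DIGESTS[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify(password: str, stored: str) -> bool:
    """Compare using the scheme named in the value, not the current default."""
    scheme, raw = split_scheme(stored)
    if scheme not in DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    size = DIGESTS[scheme]().digest_size
    digest, salt = raw[:size], raw[size:]  # salt is empty for SHA / SHA512
    candidate = DIGESTS[scheme](password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def scheme_census(values: list[str]) -> Counter:
    """Count stored values per scheme, e.g. to spot leftover weak hashes."""
    return Counter(split_scheme(v)[0] for v in values)


# Constructed sample data: one password set while the default was SSHA512,
# one set after the default was switched to SHA.
OLD = make_hash("correct horse", "SSHA512", salt=b"\x01" * 8)
NEW = make_hash("battery staple", "SHA")

if __name__ == "__main__":
    print(verify("correct horse", OLD), verify("battery staple", NEW))
    print(scheme_census([OLD, NEW]))
```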