Use a stronger password hash function for LDAP users #88

New issue

Closed

opened 2022-01-06 01:11:44 +00:00 by a · 4 comments

a commented 2022-01-06 01:11:44 +00:00

Owner

Copy link

We're currently using the default hash function for OpenLDAP, salted SHA1 which isn't blatantly insecure but still breakable with modern hardware. I can't convert all of our existing passwords to the new hash function though since I (obviously) don't have the plaintext passwords stored anywhere.

We're currently using the default hash function for OpenLDAP, salted SHA1 which isn't blatantly insecure but still breakable with modern hardware. I can't convert all of our existing passwords to the new hash function though since I (obviously) don't have the plaintext passwords stored anywhere.

a added the

enhancement

help wanted

security

labels 2022-01-06 01:11:44 +00:00

a added this to the (deleted) project 2022-01-06 01:11:44 +00:00

a commented 2022-01-18 00:36:03 +00:00

Author

Owner

Copy link

See this: https://rolandslinuxblog.wordpress.com/2016/09/11/password-encryption-in-openldap/

See this: https://rolandslinuxblog.wordpress.com/2016/09/11/password-encryption-in-openldap/

a commented 2022-01-18 02:13:58 +00:00

Author

Owner

Copy link

I couldn't get that to work, will try again later.

I couldn't get that to work, will try again later.

a commented 2022-01-18 18:00:32 +00:00

Author

Owner

Copy link

Fixed, we now use SHA512. You can change your password to save it using this new hash.

Fixed, we now use SHA512. You can change your password to save it using this new hash.

a closed this issue 2022-01-18 18:00:32 +00:00

a commented 2022-01-18 18:22:08 +00:00

Author

Owner

Copy link

WHY OPENLDAP???? Why must you be so confusing? The olcPasswordHash thing is in the frontend database yet the very similar olcPasswordCryptSaltFormat is in the global config. Why? If it weren't for this man page to save me...

WHY OPENLDAP???? Why must you be so confusing? The `olcPasswordHash` thing is in the frontend database yet the very similar `olcPasswordCryptSaltFormat` is in the global config. Why? If it weren't for this [man page](https://man.archlinux.org/man/core/openldap/slapd-config.5.en) to save me...

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

v9.0

v8.8

v8.7

v8.6

v8.5

v8.4

v8.3

v8.2

v8.1

v8.0

v7.10

v7.9

v7.8

v7.7

v7.6

v7.5

v7.4

v7.3

v7.2

v7.1

v7.0

v6.1

v6.0

v5.1

v5.0

v4.2

v4.1

v4.0

v3.0

v2.5

v2.4

v2.3

v2.2

v2.1

v2.0

v1.3

v1.2

v1.1

v1.0

v0.3-beta

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

security

Security vulnerability

  

wontfix

This won't be fixed

No labels

bug

duplicate

enhancement

help wanted

invalid

question

security

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: exozyme/exozyme#88

No description provided.