On 2018-08-16 15:33, Mark Reynolds wrote:
>> I created a user in 389-ds and exported it and it did not contain any
>> such hint.
> How did you "export" the user? Did you use db2ldif tool?
>>
I used the gui ;-)
I also used the gui (389 management console) to import the export from
the old system.
>> What is the default algorithm that is used to encrypt passwords?
> Depends on what version of 389-ds-base you are using.
389-ds-base-1.3.7.5-24.el7_5.x86_64
> In some
> versions it is SHA512, in newer versions it's PBKDF2, but the server
> supports all of these algorithms (including all the open-ds ones).
>> How can I switch it to sha512 - and how can I store encrypted
>> passwords with different algorithms?
> You have to reset/change the passwords for them to get rehashed. There
> is no way to just convert an existing password as all of these
> password hashing algorithms are one way (not reversible).
I meant, how can I import the hashes and tell 389-ds the format?
In the current setup, the old sha1 and sha2 passwords can apparently
coexist together at the same time.
I think they have around 9k users in there and the nature of the client
means that they have to contact these people all by snail-mail, possibly
with a registered letter if we ever needed to reset all these passwords.
I'm not 100% sure, but it's a good bet.
This is not something I'd look forward to explaining to the
customer....
Best Regards
Rainer
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/23Z7XN5M26NBN7ABE3QIUPUEOYSEY5P7/
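An added example, not part of the original thread or of 389-ds itself: a pre-migration inventory of which hashing scheme each exported `userPassword` value carries, plus a check that a known test password still verifies. It assumes the common `{SCHEME}base64(digest + salt)` layout and unfolded LDIF lines; the helper names and the sample data are constructed for illustration, and PBKDF2 values are not covered.

```python
import base64, hashlib, hmac
from collections import Counter
# Scheme tag -> (hashlib name, digest length); salted variants store digest + salt.
SCHEMES = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20),
           "SHA256": ("sha256", 32), "SSHA256": ("sha256", 32),
           "SHA512": ("sha512", 64), "SSHA512": ("sha512", 64)}

def split_scheme(value):
    """Return (SCHEME, payload) for '{SCHEME}payload', else (None, value)."""
    if value.startswith("{") and "}" in value:
        tag, payload = value[1:].split("}", 1)
        return tag.upper(), payload
    return None, value

def verify(password, stored):
    """Check a cleartext password against one tagged userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme not in SCHEMES:
        return False  # untagged, or a scheme this sketch does not cover
    algo, dlen = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    digest, salt = raw[:dlen], raw[dlen:]
    calc = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)

def inventory(ldif_text):
    """Count schemes over the userPassword lines of an (unfolded) LDIF export."""
    counts = Counter()
    for line in ldif_text.splitlines():
        low = line.lower()
        if low.startswith("userpassword::"):  # value is base64-wrapped
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode()
        elif low.startswith("userpassword:"):
            value = line.split(":", 1)[1].strip()
        else:
            continue
        counts[split_scheme(value)[0] or "untagged"] += 1
    return counts

def make(scheme, password, salt=b""):
    """Build a constructed sample value for the demo below."""
    digest = hashlib.new(SCHEMES[scheme][0], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())
# Constructed sample export: one salted SHA-1 user, one salted SHA-512 user.
OLD = make("SSHA", "correct horse", b"s4lt")
NEW = make("SSHA512", "battery staple", b"pepper12")
SAMPLE_LDIF = ("dn: uid=a,dc=example,dc=com\nuserPassword: %s\n\n"
               "dn: uid=b,dc=example,dc=com\nuserPassword:: %s\n"
               % (OLD, base64.b64encode(NEW.encode()).decode()))
```

A non-zero `untagged` count from `inventory()` marks the entries whose format the importing server cannot infer from the value alone.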