Thursday, August 16, 2018

[389-users] Re: Importing users from open-ds

On 08/16/2018 10:09 AM, rainer@ultra-secure.de wrote:
> Am 2018-08-16 15:58, schrieb Mark Reynolds:
>> On 08/16/2018 09:51 AM, rainer@ultra-secure.de wrote:
>
>>>>> How can I switch it to sha512 - and how can I store encrypted
>>>>> passwords with different algorithms?
>>>> You have to reset/change the passwords for them to get rehashed. There
>>>> is no way to just convert an existing password as all of these
>>>> password hashing algorithms are one way (not reversible).
>
> So, 389-ds can't use the current hashes?
Sorry if I'm not being clear.  389-ds-base supports all the password
hashing algorithms that open-ds does.  Everything should work as is. 
But there is no way to automatically convert existing password hashes
into different hashes, but it's okay because the server supports all the
hashes you are using.
>
>>> I meant, how can I import the hashes and tell 389-ds the format?
>> It doesn't work that way,  You have to "change" the password to get it
>> rehashed to whatever the server is configured to use. Import/exporting
>> does not do that.
>>> In the current setup, the old sha1 and sha2 passwords can apparently
>>> coexist together at the same time.
>> Yup that's fine.  The server supports most password hashing algos.
>>
>> I think you are trying to fix a problem that is NOT a problem. :-)
>> There is nothing wrong with entries having different password storage
>> schemes, and the server supports all the schemes you previously
>> mentioned.  Everything should just work.  Then as passwords get
>> changed they will get rehashed using the default password storage
>> scheme that is configured in DS (either SHA512 or PBKDF2).
>
>
>
> I'll try to use the ldif2db tool...
>
> https://www.spinics.net/linux/fedora/389-users/msg16789.html
>
> I didn't know this existed.
>
>
> Thanks for your input so far.
>
>
>
>
> Best Regards
> Rainer
>
>
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/VMEKSANI6T4LYYNN73WEUDK3BBBTLQD5/
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)