Friday, April 16, 2021

[389-users] Re: How do I change the root password storage scheme to CRYPT-SHA512 through dsconf?

On 4/16/21 3:04 AM, spike wrote:
>
> Hi everyone,
>
> I'd like to change the default root password storage scheme from
> PBKDF2_SHA256 to CRYPT-SHA512 but I'm not having much success. I'm
> using the RHDS 11 documentation
> (https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#change_directory_manager_storage_scheme-CLI)
> as a reference since the 389ds documentation page
> (https://directory.fedoraproject.org/docs/389ds/documentation.html)
> refers to that as "The best documentation for use and deployment". The
> 389ds version is 1.4.4.15 which should correspond with RHDS 11.
>
Looks like we have a doc bug :-(

This is the procedure:

dsconf slapd-YOUR_INSTANCE config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512

dsconf slapd-YOUR_INSTANCE directory_manager password_change --> this will prompt you for the new password

That should do it.

HTH,

Mark


> What I've tried:
>
> # mkpasswd -m sha512crypt secret
> $6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/
>
> # dsconf localhost config replace
> nsslapd-rootpwstoragescheme=CRYPT-SHA512
> nsslapd-rootpw="{crypt}$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/"
> selinux is disabled, will not relabel ports or files.
> Successfully replaced "nsslapd-rootpwstoragescheme"
> selinux is disabled, will not relabel ports or files.
> Successfully replaced "nsslapd-rootpw"
>
>
> Which results in me being unable to log in (bind non-anonymously).
> I've also tried:
>
> # dsconf localhost config replace
> nsslapd-rootpwstoragescheme=CRYPT-SHA512
> nsslapd-rootpw="{CRYPT-SHA512}$6$gOiCU3fNsdrH9.mR$fVxs..."
>
> and
>
> # dsconf localhost config replace
> nsslapd-rootpwstoragescheme=CRYPT-SHA512
> nsslapd-rootpw="$6$gOiCU3fNsdrH9.mR$fVxs..."
>
> which were also unsuccessful (login not possible).
>
> Setting a `CRYPT-SHA512` password through the 389ds cockpit UI plugin
> works fine though, so I'm pretty sure I'm just not getting the syntax
> for `dsconf` correct.
>
> Any pointers are greatly appreciated.
>
> Cheers!
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure

--

389 Directory Server Development Team
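
Added example (not written by either participant in the thread): a POSIX shell sketch showing that the double-quoted hash argument used in the quoted attempts is expanded by the shell before any program receives it, plus a format check for an intact value. The function names are hypothetical, and the stored form "{CRYPT-SHA512}$6$salt$digest" is an assumption about how the server writes the attribute.

```sh
#!/bin/sh
# Added example. The hash is the sample sha512crypt string quoted in the post.

# Double-quoted, as typed in the quoted attempts: the shell expands $6,
# $gOiCU3fNsdrH9 and $fVxsLUf0JLS4wYdQa98VNy7mIy (all empty here) before
# the receiving program ever sees the argument.
double_quoted() {
    ( set +u; set --; unset gOiCU3fNsdrH9 fVxsLUf0JLS4wYdQa98VNy7mIy
      printf '%s' "{CRYPT-SHA512}$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/" )
}

# Single-quoted: the value is passed through byte for byte.
single_quoted() {
    printf '%s' '{CRYPT-SHA512}$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/'
}

# check_rootpw VALUE (hypothetical helper): succeeds only for the assumed
# stored form: scheme tag, "$6$", optional rounds=N, a salt of up to
# 16 characters and an 86-character digest.
check_rootpw() {
    printf '%s\n' "$1" |
        grep -Eq '^\{CRYPT-SHA512\}\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# Report what each quoting style actually delivers.
for f in double_quoted single_quoted; do
    v=$($f)
    if check_rootpw "$v"; then
        echo "$f: intact"
    else
        echo "$f: MANGLED -> $v"
    fi
done
```

The prompted password_change step in the reply never puts a hash on the command line, so it is not exposed to this quoting problem.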
