Wednesday, July 3, 2024

[389-users] Re: Enable SSHA hashing scheme

Ralf Spenneberg wrote:
> Actually I just upgrade the system from centos7 to almalinux9 using
> elevate. Essentially this is similar to a copy of the /etc/dirsrv and
> /var/lib/dirsrv directories and started the new ldapserver. 
> Directly afterwards I was not able to login using the cn=Directory
> Manager. I checked the hashed password in the dse.ldif  file (cn=config)
> using pwdhash. It was ok. 
> Once I changed the password of the directory manager in the dse.ldif
> file after stopping the 389ds using PBKDF2-SHA512 hash, the Directory
> Manager was able to login. Other users required a reset of their
> password as well for successful login. But since I do not have access to
> all passwords I would rather reuse the old tree.
> The nsslapd-allow-hashed-passwords is set to on.
> Therefore I doubt that I have double hashed passwords. For the case of
> the Directory Manager I am positive.
> And yes, dsconf lists SSHA in my case as well. Any ideas why this is not
> working?
>
> My passwordpolicy is quite open:
> Global Password Policy: cn=config
> ------------------------------------
> nsslapd-pwpolicy-local: off
> passwordstoragescheme: SSHA512
> passwordchange: on
> passwordmustchange: off
> passwordhistory: off
> passwordinhistory: 6
> passwordadmindn:
> passwordtrackupdatetime: off
> passwordwarning: 86400
> passwordisglobalpolicy: off
> passwordexp: off
> passwordmaxage: 8640000
> passwordminage: 0
> passwordgracelimit: 0
> passwordsendexpiringtime: off
> passwordlockout: off
> passwordunlock: on
> passwordlockoutduration: 3600
> passwordmaxfailure: 3
> passwordresetfailurecount: 600
> passwordchecksyntax: off
> passwordminlength: 8
> passwordmindigits: 0
> passwordminalphas: 0
> passwordminuppers: 0
> passwordminlowers: 0
> passwordminspecials: 0
> passwordmin8bit: 0
> passwordmaxrepeats: 0
> passwordmincategories: 3
> passwordmintokenlength: 3
> nsslapd-allow-hashed-passwords: on
> nsslapd-pwpolicy-inherit-global: off
>
> Kind regards,
> Ralf

nsslapd-allow-hashed-passwords controls whether pre-hashed passwords are
allowed on a password change. It has nothing to do with stored hashed
passwords.

How many users are we looking at?

rob

>
>
> Am Mi., 3. Juli 2024 um 10:42 Uhr schrieb Viktor Ashirov
> <vashirov@redhat.com <mailto:vashirov@redhat.com>>:
>
> Hi Ralf,
>
>
> On Tue, Jul 2, 2024 at 2:29 PM Ralf Spenneberg
> <rspenneberg@gmail.com <mailto:rspenneberg@gmail.com>> wrote:
>
> Hi there,
> I am trying to update a ldap tree from 389ds 1.3.11 (centos7) to
> 2.4.5 (almalinux9). After migrating the tree all passwords stop
> working including the Directory Manager. The old tree used SSHA.
> Setting the rootpwstoragescheme does not help for the Directory
> Manager. Only manually resetting the passwords using pwdhash in
> the dse.ldif file and using a PBKDF2-SHA512 password works. Is
> there a way to enable the old SSHA scheme?
>
> SSHA is still supported in the latest 389-DS:
> # dsconf localhost pwpolicy list-schemes | grep SSHA
> SSHA
> SSHA256
> SSHA384
> SSHA512
>
> How did you perform the migration? Via replication or export/import?
> What is the value of nsslapd-allow-hashed-passwords in cn=config?
> I suspect that your passwords after the migration might be doubly
> hashed instead of imported as is.
>  
>
> Kind regards,
> Ralf
> --
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> <mailto:389-users@lists.fedoraproject.org>
> To unsubscribe send an email to
> 389-users-leave@lists.fedoraproject.org
> <mailto:389-users-leave@lists.fedoraproject.org>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
>
>
> --
> Viktor
> --
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> <mailto:389-users@lists.fedoraproject.org>
> To unsubscribe send an email to
> 389-users-leave@lists.fedoraproject.org
> <mailto:389-users-leave@lists.fedoraproject.org>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
>

--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)