On 9/22/20 12:33 PM, Tornóci László wrote:
> Hi,
>
> On 9/22/20 6:23 PM, Mark Reynolds wrote:
>>
>> On 9/22/20 3:42 AM, Tornóci László wrote:
>>> Hi,
>>>
>>> I recently upgraded my system from RHEL7 to RHEL8, together with
>>> 389ds. Apparently this has caused to upgrade the storage scheme of
>>> the user passwords to PBKDF2_SHA256. Everything works fine except
>>> freeradius does not support this storage scheme at the moment.
>>>
>>> How can I downgrade the storage scheme in 389ds to something that is
>>> supported by freeradius in such a way, that doesn't force my users
>>> to change their passwords?
>>
>> Well first you need to change the scheme in cn=config to something like:
>>
>> passwordStorageScheme: SSHA512
>>
>> But if passwords are already in PBKDF2, then you will have to reset
>> those passwords. There is no undoing it without a full reset of the
>> password at this time.
>
> Yes, that's what the docs say, but a simple bind seems to be enough
> for me. I tested this and actually I could go back and forth between
> storage schemes using a simple bind.
In newer versions we do have a "update password on bind", but I didn't
think it was in that version and I wasn't sure if it downgraded
schemes. I guess it does :-)
> I am very happy with 389ds, its saved my ass...
Great, we really appreciate that!
Cheers,
Mark
>
> Laszlo
>>
>> HTH,
>>
>> Mark
>>
>>>
>>> Thanks: Laszlo
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>>>
>>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
--
389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
No comments:
Post a Comment