Friday, April 16, 2021

[389-users] Re: How do I change the root password storage scheme to CRYPT-SHA512 through dsconf?

> dsconf slapd-YOUR_INSTANCE directory_manager password_change --> this
> will prompt you for the new password

That did the trick, thanks a lot!

It also made me curious how the actual format for 'nsslapd-rootpw' was and it turns out I wasn't off with '{crypt}$6$...':

# dsconf localhost config get | grep rootpw
nsslapd-rootpw: {crypt}.mR.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/
nsslapd-rootpwstoragescheme: CRYPT-SHA512

However, I noticed that the hash was not what I fed into dsconf. So it turns out that one _can_ set the rootpw through dsconf but it has to be in plain text:

# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 nsslapd-rootpw="secret"
Successfully replaced "nsslapd-rootpwstoragescheme"
Successfully replaced "nsslapd-rootpw"
# dsconf localhost config get | grep rootpw
nsslapd-rootpw: {crypt}$6$bW$Gea8I1Xoi.zkkGWBvrIxIm41G3/90hX2L4H3hMt18js7VzkT14YNuNtY4Ueao181O/MfPuPn4TmyQFcGZIThI.
nsslapd-rootpwstoragescheme: CRYPT-SHA512

Since I'd like to change the password non-interactively this seems a bit easier than fiddling around with 'dsconf slapd-YOUR_INSTANCE directory_manager password_change' which doesn't seem to have an option to read the password from stdin?

I did some more research and switching from PBKDF2_SHA256 to CRYPT-SHA512 probably has no significant security benefit anyway so in the end this was a bit of an academic exercise. If someone has an opinion on that, I'd be interested to hear that though.

Thanks again Mark for your quick help.

Cheers!
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)