Thursday, January 11, 2024

[389-users] Re: Password storage scheme - choices

Excellent, thank you very much, William!

But know that I've read that, I think I'll want to start with the underscore-implementation. That should result in ldifs from my DS 2.1 which I could, if needed, use with my DS 1.4 instance. This isn't a long-term setting, just a migration step until we turn off 1.4. At that time, we'll step 2.1 up to SHA512 and duck the whole -/_ thing.

--  Do things because you should, not just because you can.     John Thurston    907-465-8591  Department of Administration  State of Alaska
On 1/11/2024 3:36 PM, William Brown wrote:
On 12 Jan 2024, at 10:19, John Thurston <> wrote:
  We've moving from DS 1.4 --> DS 2.1  With DS 1.4, we have our password hashing set to PBKDF2_SHA256. Our DS 2.1 defaults to PBKDF2-SHA512.  During the cutover phase, I want to set the 2.1 instances back to SHA256. We'd then advance the storage scheme to SHA512 when we were ready to sever our links to the past.  Through the cockpit-interface, I may choose among:      • PBKDF2-SHA1      • PBKDF2-SHA256      • PBKDF2-SHA512      • PBKDF2_SHA256  Are the two SHA256 choices the same? Is there some significance I'm missing in the "_" and the "-" characters?      tl;dr Use PBKDF2-SHA256. (hyphen, not underscore).        --  Sincerely,    William Brown    Senior Software Engineer,  Identity and Access Management  SUSE Labs, Australia  --    

No comments:

Post a Comment