[Freeipa-users] Password Attribute Syncing Support

Rob Crittenden rcritten at redhat.com
Mon Mar 22 13:55:00 UTC 2010


Walter Meyer wrote:
> Thanks for all of the tips. I am wondering what the best way to modify
> the ldap (so I can change the password scheme) is. I tried getting the
> 389-console utility setup to connect but was unsuccessful. Should I
> just use the command line ldap tools?

We don't configure things so the console will work. You'll need to use 
the LDAP command-line tools.

Something like:

% ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
add: passwordStorageScheme
passwordStorageScheme: <YOUR_SCHEME>

I'm assuming that you don't already have a scheme specified, the default.

rob

> 
> On Mar 19, 2010, at 4:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>> Walter Meyer wrote:
>>> I will see if Salted SHA1 is supported and maybe Google hasn't
>>> documented it yet. If not, the sync is done with the Google Servers
>>> over SSL. And if only the Directory Manager can read the
>>> userPassword attribute, would storing the userPassword attribute in
>>> SHA1 be that insecure? What scenario could the passwords be
>>> compromised if I went with this setup? Unless the Directory Manager
>>> account was compromised wouldn't this be secure if all of the data
>>> was being transmitted over SSL?
>>> Also all logins to Google Apps are encrypted with SSL.
>> Ok, the SSL usage makes me feel better. Using a weaker password
>> encryption scheme isn't ideal but if you are protecting transmission
>> of it you are probably ok. The risk is that if somehow the hash did
>> get exposed it is relatively easier to crack it than a salted hash.
>> Risk is something you'll need to weigh specific to your environment,
>> this may be acceptable. It doesn't make my alarm bells go off but
>> I'm a pretty laid back guy :-)
>>
>> In fact, this would be very cool if it worked. You might want to
>> file an RFE with the nice folks at Google to see if they'll support
>> salted hashes if they don't now and potentially move to a more
>> secure environment later.
>>
>> As Simo pointed out you'll want to modify the default password
>> encryption scheme before adding your users so you don't have to
>> force round after round of password changes on them.
>>
>> If you decide to try it out let us know how it works.
>>
>> cheers
>>
>> rob
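
The two points the thread turns on (why an unsalted {SHA} value is easier to crack than a salted {SSHA} one once exposed, and why Rob's ldapmodify snippet uses "add:" only when no scheme is set yet) can be seen in a few lines of Python. This is an added example, not code from the thread or from FreeIPA/389 DS; it assumes the 389 DS storage encodings {SHA} = base64(sha1(password)) and {SSHA} = base64(sha1(password + salt) + salt), and the 8-byte salt length is an assumption of the example only. The user records are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data for this example: two accounts that happen to
# share the same password (a common real-world situation).
SAMPLE_USERS = {"alice": "Winter2010!", "bob": "Winter2010!"}

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def hash_sha(password):
    """Unsalted {SHA}: base64(sha1(password)). Same password -> same value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def hash_ssha(password, salt=None):
    """Salted {SSHA}: base64(sha1(password + salt) + salt).

    The 8-byte salt length is an assumption of this example; verify() reads
    the salt length from the stored value, so it does not depend on it.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored):
    """Check a candidate password against a {SHA} or {SSHA} userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value has no scheme prefix")
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    if scheme.upper() == "SHA":
        expected = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError("unsupported scheme {" + scheme + "}")


def store_all(users, scheme):
    """Hash every user's password with the given scheme (SHA or SSHA)."""
    hasher = {"SHA": hash_sha, "SSHA": hash_ssha}[scheme.upper()]
    return {user: hasher(pw) for user, pw in users.items()}


def distinct_values(stored):
    """How many distinct userPassword values the directory would hold.

    With {SHA}, users sharing a password share a stored value, so one
    precomputed table entry or one guess covers all of them; with {SSHA}
    each value has to be attacked on its own.
    """
    return len(set(stored.values()))


def set_scheme_ldif(scheme, already_set):
    """LDIF for ldapmodify, mirroring Rob's snippet above.

    Rob's 'add:' form assumes no scheme is set yet; if one already is, use
    'replace:' so the existing value is overwritten rather than added to.
    """
    op = "replace" if already_set else "add"
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"{op}: passwordStorageScheme\n"
        f"passwordStorageScheme: {scheme}\n"
    )


if __name__ == "__main__":
    for scheme in ("SHA", "SSHA"):
        stored = store_all(SAMPLE_USERS, scheme)
        print(scheme, "distinct stored values:", distinct_values(stored))
        for user, value in stored.items():
            print(f"  {user}: {value}  verifies={verify(SAMPLE_USERS[user], value)}")
    print(set_scheme_ldif("SSHA", already_set=True))
```

Running it shows one stored value for both users under {SHA} and two different values under {SSHA}, which is the whole of the cracking-cost difference Rob describes: a leaked {SHA} value can be matched against a precomputed table, a leaked {SSHA} value cannot. The LDIF helper only changes the operation keyword, but that is exactly the detail to check before running Rob's command against a directory that may already have passwordStorageScheme set.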
