[Freeipa-users] Does FreeIPA support SHA or SSHA for password encryption

Rob Crittenden rcritten at redhat.com
Wed Aug 13 20:10:01 UTC 2014


Chris Whittle wrote:
> We are looking at ONELogin as well as OKTA for our SSO to work with
> FreeIPA.  
> 
> The way they integrate with LDAP is a little different.
> 
> The question I have is how does FreeIPA support SHA or SSHA for password
> encryption?
> 
> *From One Login's help doc on LDAP*
> 
> *--password-crypt: *Defines the cryptographic method used to store new
> passwords to your Ldap Server when a user changes his password on the
> OneLogin Web UI. Currently only SHA and SSHA are supported; SHA is the
> default value.

This sounds rather strange to me. It sounds like it is going to
pre-encrypt the password and send the hash. For IPA to work it would
need to send the password in the clear (over GSSAPI or TLS of course) so
that we can generate the Kerberos keys as well.

389-ds only accepts pre-encrypted hashes in certain cases anyway (it
differs by version).

You can look in cn=Password Storage Schemes,cn=plugins,cn=config for the
list of available password hashes. Both SSHA and SHA are included by
default.

rob
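The reply above turns on two points: what a `{SHA}`/`{SSHA}` value in `userPassword` actually is, and why 389-ds/FreeIPA treating such a value as "already hashed" means no Kerberos keys can be derived from it. The following is an added illustration, not code from the thread or from the FreeIPA project: it builds and verifies `{SSHA}` and `{SHA}` values in the format 389-ds and OpenLDAP store them, and classifies a `userPassword` value as cleartext or pre-hashed the way an administrator auditing a sync tool would. The sample passwords and the fixed salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Storage-scheme prefixes as they appear in userPassword values. The list
# actually configured on a server can be read (as the thread says) from
# cn=Password Storage Schemes,cn=plugins,cn=config, for example with
#   ldapsearch -Y GSSAPI -b "cn=Password Storage Schemes,cn=plugins,cn=config" cn
SSHA_PREFIX = "{SSHA}"
SHA_PREFIX = "{SHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Identical passwords give identical values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password || salt) || salt), salt appended in the clear."""
    if salt is None:
        salt = os.urandom(8)  # 389-ds uses an 8-byte random salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SHA} or {SSHA} value."""
    if stored.startswith(SSHA_PREFIX):
        raw = base64.b64decode(stored[len(SSHA_PREFIX):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if stored.startswith(SHA_PREFIX):
        raw = base64.b64decode(stored[len(SHA_PREFIX):])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, raw)
    raise ValueError("unsupported storage scheme: " + stored[:16])


def classify_userpassword(value: str) -> str:
    """Return the scheme name of a pre-hashed value, or 'cleartext'.

    389-ds recognises a leading "{SCHEME}" as an already-hashed value; a
    value with no such prefix is taken as the cleartext password and hashed
    server-side. Only the cleartext path lets FreeIPA's KDC derive the
    Kerberos long-term keys, which is the problem the reply describes.
    """
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "cleartext"


def kerberos_keys_derivable(value: str) -> bool:
    """A client that writes a pre-hashed value leaves IPA nothing to derive keys from."""
    return classify_userpassword(value) == "cleartext"


if __name__ == "__main__":
    # Constructed sample: what a sync tool set to --password-crypt SSHA would write
    fixed_salt = b"examplsl"  # constructed, fixed so the output is reproducible
    print(ssha_hash("correct horse", fixed_salt))
    print(sha_hash("abc"))
    for v in (ssha_hash("correct horse"), sha_hash("abc"), "correct horse"):
        print(classify_userpassword(v), "keys derivable:", kerberos_keys_derivable(v))
```

The unsalted `{SHA}` form is deterministic, so two users with the same password get the same stored value; `{SSHA}` avoids that with the appended salt but, like `{SHA}`, is a single unsalted-iteration SHA-1 and gives the directory no way to produce the Kerberos keys that FreeIPA needs from a cleartext change.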