[Freeipa-users] passwordStorageScheme

Sankar Ramlingam sramling at redhat.com
Fri Mar 27 15:39:30 UTC 2015


On 03/27/2015 06:21 PM, Andy Thompson wrote:
> Relative newb here :) I'm doing some research trying to sort out the password storage scheme being used on the freeipa LDAP instance.  From everything I can find it uses ssha but can be changed to ssha-512.  But when I try to change that attribute on the cn=config object like referenced here https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes
>
> It comes back with wrong attribute type.  I realize that doc points to the RHDS so it might be valid for the ipa ds?
Hi Andy,

The value has to be SHA512. It's not SHA-512.

/usr/bin/ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w XXXXX << EOF
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SHA-512
EOF
modifying entry "cn=config"
ldap_modify: Operations error (1)
    additional info: passwordStorageScheme: invalid scheme - SHA-512. Valid schemes are: CLEAR, CRYPT, MD5, SHA, SHA256, SHA384, SHA512, SMD5, SSHA, SSHA256, SSHA384, SSHA512

/usr/bin/ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w XXXXX << EOF
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SHA512
EOF

modifying entry "cn=config"


Hope this helps.

Thanks,
-Sankar R.
>
> So I guess my question is what hash is used by freeipa to store password hashes and is it configurable?
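To make the scheme names in the error message above concrete, here is an added Python example (mine, not code from the thread, from 389 DS or from FreeIPA) that builds and verifies userPassword values in the {SCHEME}base64 form the directory stores, and tallies which scheme a set of stored values actually uses. That tally is the check worth running after changing passwordStorageScheme: the new scheme only applies to passwords set from that point on, because an existing hash cannot be converted to another scheme without the plaintext, so a directory can carry a mix of schemes for a long time. Assumptions: the salted schemes (SSHA, SSHA256, SSHA384, SSHA512) hash password||salt and store base64(digest||salt) with the salt appended after the digest; the unsalted ones (SHA, SHA256, SHA384, SHA512) store base64(digest); the name SHA means SHA-1; the 8-byte salt used by the generator and all sample values are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Iterable, Optional

# Map the unsalted scheme names 389 DS lists ("SHA" is SHA-1) to hashlib
# algorithm names. A salted scheme is the same name with a leading "S".
_DIGESTS = {"SHA": "sha1", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}

_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.+)$")

SALT_LEN = 8  # assumption for this example; the verifier below does not depend on it


def _algo_for(scheme: str):
    """Return (hashlib algorithm name, salted?) for a scheme name such as SSHA512."""
    scheme = scheme.upper()
    salted = scheme.startswith("SSHA")
    base = scheme[1:] if salted else scheme
    if base not in _DIGESTS:
        raise ValueError("unsupported scheme: %s" % scheme)
    return _DIGESTS[base], salted


def make_hash(password: str, scheme: str = "SSHA512", salt: Optional[bytes] = None) -> str:
    """Produce a {SCHEME}base64 value in the layout assumed above.

    Salted schemes hash password||salt and append the salt to the digest;
    unsalted schemes hash the password alone.
    """
    algo, salted = _algo_for(scheme)
    if salted:
        salt = os.urandom(SALT_LEN) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def scheme_of(stored: str) -> str:
    """Extract the {SCHEME} prefix of a stored userPassword value."""
    m = _PREFIX_RE.match(stored)
    if not m:
        raise ValueError("no {SCHEME} prefix in stored value")
    return m.group(1).upper()


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SCHEME}base64 value.

    The salt is whatever trails the digest, so this works for any salt length
    the server chose. Comparison is constant-time.
    """
    scheme = scheme_of(stored)
    algo, _salted = _algo_for(scheme)
    blob = base64.b64decode(stored[stored.index("}") + 1:])
    dlen = hashlib.new(algo).digest_size
    digest, salt = blob[:dlen], blob[dlen:]
    if len(digest) != dlen:
        raise ValueError("stored value shorter than a %s digest" % scheme)
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def scheme_histogram(stored_values: Iterable[str]) -> dict:
    """Count how many stored values use each scheme.

    Feed it the userPassword attribute values from an LDIF export to see which
    entries are still on an old scheme after passwordStorageScheme was changed.
    """
    return dict(Counter(scheme_of(v) for v in stored_values))


if __name__ == "__main__":
    # Constructed sample directory contents: two users on the new scheme, one on the old.
    sample = [
        make_hash("correct horse", "SSHA512"),
        make_hash("battery staple", "SSHA512"),
        make_hash("legacy pw", "SSHA"),
    ]
    print(scheme_histogram(sample))
    print(verify("legacy pw", sample[2]), verify("wrong", sample[2]))
```

Reading the attribute back after the change (an ldapsearch for passwordStorageScheme on cn=config as Directory Manager) confirms the server accepted the new value; the histogram above tells you how much of the existing password data still needs a reset before it benefits from it.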