
Re: {CRYPT} password to {SHA}



On Wednesday 04 June 2008 20:02:55 Jeroen van Aart wrote:
> Hello,
>
> Currently we use {CRYPT} passwords. I would like to know if there is a
> way to use {SHA} passwords.

Yes. See for example the slappasswd man page.

> Could existing passwords be in some way 
> converted to {SHA}?

Except by brute-forcing, no.

> Would using the right password-hash directive be 
> enough to make it automagically work and allow users to still be able to
> authenticate with their current password?

If you think logically about this, you will realise that this should be 
impossible.

The best option here is to change the default password hashing method (see 
the 'password-hash' directive for slapd.conf), and force password changes (if 
done via an LDAP password change extended operation, slapd will take care of 
hashing the password correctly).

Regards,
Buchan
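
An added example, not part of the original message: while the forced password changes described above roll out, an export of the directory shows which entries still hold {CRYPT} values. The Python code below classifies userPassword values by scheme and shows that a {SHA} value is derived from the cleartext password; the users, DNs and stored values are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

def sha_value(password: str) -> str:
    """Build a {SHA} userPassword value: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def check_sha(stored: str, candidate: str) -> bool:
    """Verifying needs the cleartext, which a stored {CRYPT} value does not reveal."""
    return hmac.compare_digest(stored, sha_value(candidate))

def scheme_of(value: str) -> str:
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "CLEARTEXT"

def parse_ldif(text: str) -> dict:
    """Map each dn to its userPassword, decoding base64 'userPassword::' values."""
    entries, dn = {}, None
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif dn and line.lower().startswith("userpassword::"):
            entries[dn] = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8")
        elif dn and line.lower().startswith("userpassword:"):
            entries[dn] = line.split(":", 1)[1].strip()
    return entries

def pending_resets(text: str, target: str = "SHA") -> list:
    """DNs whose value is not yet in the target scheme and still need a change."""
    return [dn for dn, pw in parse_ldif(text).items() if scheme_of(pw) != target]

# Constructed sample export (hypothetical users; {CRYPT} values are placeholders).
BOB_SHA = sha_value("constructed-example")
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {{CRYPT}}abPLACEHOLDER

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: {base64.b64encode(BOB_SHA.encode()).decode()}

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {{CRYPT}}cdPLACEHOLDER
"""

if __name__ == "__main__":
    print("still need a password change:", pending_resets(SAMPLE_LDIF))
```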