[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap password problems

Hi all,

Right now we may say, IMHO, this is a strongest encryption available in POSIX systems. SHA-1 ({SSHA}, default in OpenLDAP) is good one also (IMHO), to crack it you must mobilize many means. The question is: does the degree of confidentiality of data deserve to opt for a bit more complicated setup ?


Le 15/05/2015 20:02, Albert Braden a écrit :
This is what I use. I'm not sure this is the highest possible security but it did fix the "ignore anything over 8 characters" issue.

password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Michael Ströder
Sent: Friday, May 15, 2015 5:08 AM
To: Quanah Gibson-Mount; openldap-technical@openldap.org
Subject: Re: Openldap password problems

Quanah Gibson-Mount wrote:
Setting the default to {CRYPT} is a security nightmare,

Such a general statement is non-sense without taking a closer look at which
crypt scheme is really used.

Consult your local crypt(3) man page to see whether crypt schemes like "$6$"
or "$2b$" are supported on your system which are definitely stronger than
simple {SSHA}. Then use password-crypt-salt-format to make use of such a crypt

Ciao, Michael.

*Abdelhamid Meddeb*

Attachment: smime.p7s
Description: Signature cryptographique S/MIME