OpenLDAP Software FAQ: SLAPD Configuration: Passwords: Does OpenLDAP support {SHA512}, {SHA256} or other SHA-2 hash algorithms?
The slapd core does not implement SHA-2 password hash schemes, but there are two ways to get them:

You can get indirect support through the {CRYPT} scheme if your system's crypt(3) implements the SHA-crypt variants ($5$ for SHA-256, $6$ for SHA-512), as glibc on a recent GNU/Linux does. Keep portability in mind: a {CRYPT}$6$ hash can only be verified on a system whose crypt() understands that format.

Since OpenLDAP release 2.4.32 the SHA-2 schemes are provided by the contrib password module pw-sha2 (source under contrib/slapd-modules/passwd/sha2), which is not built by default and has to be compiled and loaded separately with moduleload.

Many distributions now package the pw-sha2 module (Debian and Ubuntu ship it in slapd-contrib). It adds the unsalted {SHA256}, {SHA384} and {SHA512} schemes and the salted {SSHA256}, {SSHA384} and {SSHA512} variants.
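The cn=config changes needed to load pw-sha2 and make slapd hash new passwords with {SSHA512}, as an added example (not text from the original FAQ). Assumptions: the module is installed where slapd already finds modules (on Debian /usr/lib/ldap, set via olcModulePath), the module entry is cn=module{0} (if no module has been loaded yet you add that entry instead of modifying it), and the directory is managed through ldapi:/// with EXTERNAL SASL. The second entry shows the {CRYPT} alternative, using the salt format quoted in the Debian note further down.

```ldif
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f pw-sha2.ldif
# Load the contrib password module (file name pw-sha2.so / pw-sha2.la).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2

# Hash passwords set through the RFC 3062 Password Modify extended operation
# as salted SHA-512. This does NOT rehash a userPassword that a client writes
# directly with ldapmodify; such clients must send an already-hashed value.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA512}

# Alternative without the contrib module: rely on glibc crypt(3) SHA-512
# ($6$) with a 16-character salt. Use one or the other, not both.
#dn: olcDatabase={-1}frontend,cn=config
#changetype: modify
#replace: olcPasswordHash
#olcPasswordHash: {CRYPT}
#-
#replace: olcPasswordCryptSaltFormat
#olcPasswordCryptSaltFormat: $6$%.16s
```

The slapd.conf equivalents are `moduleload pw-sha2` and `password-hash {SSHA512}` (or `password-hash {CRYPT}` plus `password-crypt-salt-format "$6$%.16s"`). After loading the module you can check that a scheme is usable with `slappasswd -h '{SSHA512}' -o module-load=pw-sha2 -s secret`, which should print a {SSHA512} value rather than an "unknown scheme" error.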

I found it very difficult to mesh the moving parts that are necessary to enable SHA512 passwords on Debian and Ubuntu. I got it to work and documented the process here:

TL;DR: Read up on EXOP, make sure you don't have a basedn in /etc/pam_ldap.conf, have the proper ACL, make sure you have this (olcPasswordCryptSaltFormat: $6$%.16s) in olcDatabase={-1}frontend. Passwords are then stored in LDAP like this:


Just to state the obvious: the SHA-256 and SHA-512 based glibc crypt(3) algorithms ($5$ and $6$) are not the same thing as the plain {SHA256}/{SHA512} or salted {SSHA256}/{SSHA512} schemes, even though all of them are built on the same digest functions. {SHA256} is a single unsalted digest of the password and {SSHA256} a single digest of password plus salt; the crypt variants are salted, iterated constructions (5000 rounds by default, adjustable with rounds=N in the salt string) whose extra mixing exists to make brute-force guessing slower. A value produced under one scheme cannot be verified under the other, so the scheme prefix stored in userPassword must match how the hash was generated.
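To make the difference concrete, here is an added example (not code from the OpenLDAP FAQ or from the pw-sha2 module) that generates and verifies userPassword values in the {SHA256}/{SHA512}/{SSHA256}/{SSHA512} formats and routes {CRYPT} values to the system crypt(3). The salted layout is assumed to be base64(H(password || salt) || salt), which is how the contrib module stores its salted schemes; the 8-byte salt length is an assumption for generation only, since verification slices the digest off and treats whatever remains as the salt.

```python
"""Hash and verify OpenLDAP-style userPassword values (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scheme prefix -> (hashlib algorithm name, salted?)
SCHEMES = {
    "{SHA256}": ("sha256", False),
    "{SHA512}": ("sha512", False),
    "{SSHA256}": ("sha256", True),
    "{SSHA512}": ("sha512", True),
}

SALT_LEN = 8  # assumed salt length for generated hashes; not used when verifying


def split_scheme(stored: str) -> Tuple[str, str]:
    """Split '{scheme}payload' into an upper-cased prefix and the payload."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix")
    end = stored.index("}") + 1
    return stored[:end].upper(), stored[end:]


def hash_password(password: str, scheme: str = "{SSHA512}",
                  salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value. Salted schemes: base64(digest || salt)."""
    algo, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if not salted:
        return scheme + base64.b64encode(hashlib.new(algo, pw).digest()).decode()
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.new(algo, pw + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode()


def salt_of(stored: str) -> bytes:
    """Return the salt embedded in a salted SHA-2 value (b'' for unsalted)."""
    scheme, payload = split_scheme(stored)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    return raw[hashlib.new(algo).digest_size:] if salted else b""


def _verify_crypt(password: str, payload: str) -> bool:
    """{CRYPT}: defer to the libc crypt(3); $5$/$6$ carry their own salt and
    round count, so the stored value is passed back in as the 'salt'."""
    try:
        import crypt  # stdlib module; removed in Python 3.13
    except ImportError as exc:
        raise RuntimeError("no crypt module; use passlib or libc directly") from exc
    return hmac.compare_digest(crypt.crypt(password, payload), payload)


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme == "{CRYPT}":
        return _verify_crypt(password, payload)
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    dlen = hashlib.new(algo).digest_size
    digest, salt = (raw[:dlen], raw[dlen:]) if salted else (raw, b"")
    if len(digest) != dlen:
        return False  # truncated or mislabelled value, never a match
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for scheme in SCHEMES:
        value = hash_password("correct horse", scheme)
        print(scheme, value, verify_password("correct horse", value))
```

Two things the code makes visible: an unsalted {SHA256} value for a given password is identical everywhere (so a leaked directory dump can be attacked with a precomputed table), while {SSHA256} values differ per entry; and a {CRYPT}$6$ value cannot be checked by this SHA-2 code path at all, only by crypt(3), which is why the scheme prefix in userPassword has to tell the truth about how the hash was made.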
This document is: http://www.openldap.org/faq/index.cgi?file=1467
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org