Michael Ströder wrote:
Quanah Gibson-Mount wrote:I think it would be wise to update OpenLDAP to a different default for userPassword.Yes!We currently have the Contrib SHA2 module,SHA-2 hashes with one round are also way too fast to be a good password hash algorithm.It may be time to move the SHA2 module into core,Yes, but there should be something stronger. How about moving ./contrib/slapd-modules/passwd/pbkdf2 to core?
Yeah at this point we can probably bypass SHA2 and just go straight to SHA3. There's a lot of crypto software out there already using it. pbkdf2 is still using SHA2.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/