It depends on what your operating system’s crypt(3) supports. Most Linux/Unix 
systems should support MD5crypt, but that is no longer considered secure (per 
the original author, PHK).

If you want to use SHA256crypt you would use:

        olcPasswordCryptSaltFormat: $5$%.16s

If you want to use SHA512crypt, then

        olcPasswordCryptSaltFormat: $6$%.16s

The SHA2crypt family is discussed more at:

        https://en.wikipedia.org/wiki/Crypt_(C)#SHA2-based_scheme
        https://www.akkadia.org/drepper/sha-crypt.html

I’m not sure what the difference/s between SHA2crypt and SSHA2 is/are. Most 
Linux distributions use SHA512crypt to secure root’s password in the shadow(5) 
file if that means anything.


> On Aug 25, 2016, at 13:02, Net Warrior <[email protected]> wrote:
> 
> Thank you very much for that!! Do you know if it supports md5crypt or if 
> there is any strong algorithm instead? For example, phpldapadmin has it as an 
> option, but I want to force it.
> 
> Best regards
> Thanks for your time and support
> 
> 
> 
> On 08/25/2016 01:23 PM, Clément OUDOT wrote:
>> On 25/08/2016 at 18:12, Net Warrior wrote:
>> 
>>> Hi Guys
>>> 
>>> I need some guidance on this. I configured a ppolicy for a DIT which has 
>>> all the users in plain password, and I added the following to the policy
>>> 
>>> changetype: modify
>>> replace: olcPPolicyHashCleartext
>>> olcPPolicyHashCleartext: FALSE
>>> 
>>> When the user resets its password, it changes from clear password to 
>>> encrypted using ssha, but I want to store them using md5crypt. What do I 
>>> need to change in my configuration?
>>> 
>> 
>> See olcPasswordHash parameter.
>> 
>> From man slapd-config :
>> 
>>       olcPasswordHash: <hash> [<hash>...]
>>              This option configures one or more hashes to be used in
>>              generation of user passwords stored in the userPassword
>>              attribute during processing of LDAP Password Modify
>>              Extended Operations (RFC 3062).  The <hash> must be one of
>>              {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.
>>              The default is {SSHA}.
>> 
>>              {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the
>>              latter with a seed.
>> 
>>              {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the
>>              latter with a seed.
>> 
>>              {CRYPT} uses the crypt(3).
>> 
>>              {CLEARTEXT} indicates that the new password should be added
>>              to userPassword as clear text.
>> 
>>              Note that this option does not alter the normal user
>>              applications handling of userPassword during LDAP Add,
>>              Modify, or other LDAP operations.  This setting is only
>>              allowed in the frontend entry.
>> 
>> 
>> 
> 
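
Added example (not part of any message in this thread and not OpenLDAP code): because olcPasswordHash only applies to Password Modify Extended Operations, existing userPassword values keep whatever scheme they were written with, so a Python check over an LDIF export shows which entries are not yet stored in the wanted {CRYPT} format. The function names, the `wanted` label strings and the sample export are assumptions constructed for illustration; `$1$` is the crypt(3) identifier for MD5crypt.

```python
import base64
import re

CRYPT_IDS = {"1": "MD5crypt", "5": "SHA256crypt", "6": "SHA512crypt"}  # crypt(3) $id$

def classify(value):
    """Return the storage scheme of one userPassword value."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if not m:
        return "CLEARTEXT"              # no {SCHEME} prefix: stored as-is
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme                   # {SSHA}, {SHA}, {SMD5}, {MD5}, ...
    m = re.match(r"\$([0-9a-z]+)\$", rest)
    if not m:
        return "CRYPT/traditional"      # no $id$ prefix: classic DES crypt
    return "CRYPT/" + CRYPT_IDS.get(m.group(1), "id-" + m.group(1))

def audit(ldif_text, wanted="CRYPT/SHA512crypt"):
    """Return [(dn, scheme)] for userPassword values not stored as `wanted`."""
    findings, dn = [], None
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():  # undo LDIF folding
        m = re.match(r"([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:
            continue                    # blank line or comment
        name, sep, val = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":                 # "::" marks a base64-encoded value
            val = base64.b64decode(val).decode("utf-8", "replace")
        if name == "dn":
            dn = val
        elif name == "userpassword" and (scheme := classify(val)) != wanted:
            findings.append((dn, scheme))
    return findings

def _entry(uid, pw):
    b64 = base64.b64encode(pw.encode()).decode()
    return f"dn: uid={uid},ou=people,dc=example,dc=com\nuserPassword:: {b64}\n\n"

# Constructed sample export; the hash bodies are filler, not real hashes.
SAMPLE = (
    _entry("alice", "{CRYPT}$6$0123456789abcdef$" + "A" * 86)
    + _entry("bob", "{SSHA}" + "B" * 32)
    + _entry("carol", "{CRYPT}$1$01234567$" + "C" * 22)
    + _entry("dave", "hunter2")
)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```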

