Hi all,
Does anyone know, can the CRYPT plugin for 389-ds be passed a “crypt-algorithm” parameter? I came across some documentation* from the related Oracle Unified Directory / OpenDS which looks like it would do exactly what I’m looking for, but I wasn’t sure whether that was also true of 389-ds.
Thanks,
James
* https://docs.oracle.com/cd/E52734_01/oud/OUDCR/crypt-password-storage-scheme...
On 04/19/2017 01:33 PM, James Chamberlain wrote:
We do not offer this functionality for CRYPT at this time, but please open a ticket so we can look into adding it:
https://pagure.io/389-ds-base/new_issue
Please provide the links to the Oracle docs, etc.
Thanks, Mark
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
On Wed, 2017-04-19 at 13:57 -0400, Mark Reynolds wrote:
I had a bit of a read, and I'm not sure about this.
Like, I can see *why* you want to do this, because it makes migration from these possible.
However, the crypt module is bad, and all those schemes are "weak" for password storage now.
So, let's say there is a compromise here on this feature.
What if we made it so DS could *bind* a user with the hash set to this scheme, but you could never make a new password with this scheme. I.e. you would leave:
nsslapd-storagescheme: {SSHA512,PBKDF2_SHA256}
But your user has:
uid=migrated_account,ou=People,dc=.... ... userPassword: {CRYPT}$6$<salt>$hash
So you could bind to this account, but then on next password change the userPassword would become:
userPassword: {PBKDF2_SHA256}........
What do you think of this solution?
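To make the proposal above concrete, here is an added model of it in Python. It is not 389-ds code and the {PBKDF2_SHA256} and {SSHA512} encodings are illustrative (iteration count, salt sizes and layout are assumptions, not the server's on-disk format). A simple bind accepts any scheme the server can verify, including the verify-only {CRYPT} scheme, while a password change always writes the first configured storage scheme and refuses {CRYPT} outright, so a migrated account's hash becomes {PBKDF2_SHA256} on its next change. Verification of {CRYPT}$6$ values goes through the standard library `crypt` module (POSIX crypt(3)), which is optional because it was removed in Python 3.13; `make_legacy_crypt_fixture` only exists to build a migrated-account entry for the demonstration. `rehash_on_bind` goes one step beyond the thread: it upgrades the hash at bind time rather than waiting for the next change, since bind is the only moment the server holds the plaintext.

```python
"""Model of a verify-only legacy password scheme (constructed example, not 389-ds code)."""
import base64
import hashlib
import hmac
import os

try:
    import crypt  # POSIX crypt(3); removed in Python 3.13, so it is optional here
except ImportError:
    crypt = None

# Schemes the server may WRITE, in order of preference (models nsslapd-storagescheme)
STORAGE_SCHEMES = ["PBKDF2_SHA256", "SSHA512"]
# Schemes the server may only VERIFY against, never write (migration only)
VERIFY_ONLY_SCHEMES = {"CRYPT"}
PBKDF2_ITERATIONS = 100_000  # assumed value for this example


def split_scheme(stored):
    """'{SCHEME}payload' -> ('SCHEME', 'payload'); reject values with no prefix."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword has no {SCHEME} prefix")
    scheme, _, payload = stored[1:].partition("}")
    return scheme.upper(), payload


def encode_pbkdf2_sha256(password, salt=None):
    # Layout (assumed): 4-byte big-endian iteration count | 16-byte salt | 32-byte key
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    blob = PBKDF2_ITERATIONS.to_bytes(4, "big") + salt + dk
    return "{PBKDF2_SHA256}" + base64.b64encode(blob).decode()


def verify_pbkdf2_sha256(password, payload):
    blob = base64.b64decode(payload)
    iterations = int.from_bytes(blob[:4], "big")
    salt, dk = blob[4:20], blob[20:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)  # constant-time comparison


def encode_ssha512(password, salt=None):
    # Layout (assumed): SHA-512(password || salt) | 8-byte salt, base64 encoded
    salt = salt or os.urandom(8)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def verify_ssha512(password, payload):
    blob = base64.b64decode(payload)
    digest, salt = blob[:64], blob[64:]
    return hmac.compare_digest(hashlib.sha512(password.encode() + salt).digest(), digest)


def legacy_crypt_supported():
    return crypt is not None


def verify_crypt(password, payload):
    """Verify a crypt(3) string such as $6$<salt>$hash by re-running crypt with it as salt."""
    if crypt is None:
        raise RuntimeError("crypt(3) not available on this interpreter")
    result = crypt.crypt(password, payload)
    return result is not None and hmac.compare_digest(result, payload)


def make_legacy_crypt_fixture(password):
    """Build what an OLD system would have stored; the server itself never writes CRYPT."""
    return "{CRYPT}" + crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))


VERIFIERS = {"PBKDF2_SHA256": verify_pbkdf2_sha256, "SSHA512": verify_ssha512, "CRYPT": verify_crypt}
ENCODERS = {"PBKDF2_SHA256": encode_pbkdf2_sha256, "SSHA512": encode_ssha512}


def bind(entry, password):
    """Simple bind: any verifiable scheme is accepted, including verify-only legacy ones."""
    scheme, payload = split_scheme(entry["userPassword"])
    if scheme not in VERIFIERS:
        return False
    return VERIFIERS[scheme](password, payload)


def set_password(entry, new_password, requested_scheme=None):
    """Password change: write the preferred storage scheme; legacy schemes are refused."""
    scheme = (requested_scheme or STORAGE_SCHEMES[0]).upper()
    if scheme in VERIFY_ONLY_SCHEMES or scheme not in ENCODERS:
        raise ValueError(f"scheme {scheme} may not be used for new passwords")
    entry["userPassword"] = ENCODERS[scheme](new_password)
    return entry["userPassword"]


def rehash_on_bind(entry, password):
    """Extension of the thread's idea: upgrade a verify-only hash as soon as a bind succeeds."""
    if not bind(entry, password):
        return False
    if split_scheme(entry["userPassword"])[0] in VERIFY_ONLY_SCHEMES:
        set_password(entry, password)
    return True
```

Run as written, `set_password({"userPassword": "{CRYPT}$6$..."}, "new")` returns a value starting with `{PBKDF2_SHA256}`, which is the migration path the message describes; any attempt to request `CRYPT` for a new password raises `ValueError`.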
On 04/19/2017 08:34 PM, William Brown wrote:
Hey William, we should move this conversation to the ticket so it's recorded:
https://pagure.io/389-ds-base/issue/49225
> Hey William, we should move this conversation to the ticket so it's recorded:
Yeah good point. Was silly of me :). Apparently I need more coffee.