Hi all! I want to use FreeIPA with FreeRADIUS. As far as I know, FreeIPA uses PBKDF2_SHA256 hashes, but the current FreeRADIUS does not support PBKDF2_SHA256 hashes. Is there a way to change the hash in FreeIPA?
About FreeRADIUS and PBKDF2_SHA256: https://github.com/FreeRADIUS/freeradius-server/issues/2649
You can change the password storage scheme using dsconf or ldapmodify depending on what version of 389-ds-base you have. On 389-ds-base-1.4.x you can use "dsconf", on older versions you will need to use ldapmodify:
# dsconf slapd-YOUR_INSTANCE config replace passwordStorageScheme=SSHA512
Or
# ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SSHA512
This will not change your existing users' passwords; it will only change how new passwords are set. So if some users' passwords are already hashed with PBKDF2_SHA256, then you need to reset the password to pick up the new scheme.
HTH,
Mark
On 6/29/20 3:20 PM, Max Muller via FreeIPA-users wrote:
Hi all! I want to use FreeIPA with FreeRADIUS. As far as I know, FreeIPA uses PBKDF2_SHA256 hashes, but the current FreeRADIUS does not support PBKDF2_SHA256 hashes. Is there a way to change the hash in FreeIPA?
About FreeRADIUS and PBKDF2_SHA256: https://github.com/FreeRADIUS/freeradius-server/issues/2649
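Added example (not part of the original thread, and not FreeIPA or 389-ds code): because changing passwordStorageScheme leaves existing hashes untouched, this Python script reads an LDIF export and lists the entries whose userPassword is still stored under a scheme other than SSHA512, i.e. the accounts that need a password reset. The function names and the sample entries are constructed for illustration, and it assumes you already have an LDIF export that includes the userPassword values.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def _value(rest):
    """Decode what follows 'attr:'; a second ':' marks a base64 value."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return rest.strip()

def schemes_by_user(ldif):
    """Map each entry DN to the set of schemes found in its userPassword values."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF continuation lines start with a space
    result = {}
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, schemes = None, set()
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if attr.lower() == "dn":
                dn = _value(rest)
            elif attr.lower() == "userpassword":
                m = SCHEME_RE.match(_value(rest))
                schemes.add(m.group(1).upper() if m else "UNKNOWN")
        if dn:
            result[dn] = schemes
    return result

def needs_reset(ldif, wanted="SSHA512"):
    """DNs that still hold a password stored under a scheme other than `wanted`."""
    return sorted(dn for dn, s in schemes_by_user(ldif).items() if s - {wanted})

def _sample_entry(uid, stored=None):
    """Build one constructed LDIF entry, folding long lines as LDIF exports do."""
    lines = [f"dn: uid={uid},cn=users,cn=accounts,dc=example,dc=test"]
    if stored:
        line = "userPassword:: " + base64.b64encode(stored.encode()).decode()
        lines.append("\n ".join(line[i:i + 75] for i in range(0, len(line), 75)))
    return "\n".join(lines)

# Constructed sample data: placeholder strings, not real hashes.
SAMPLE_LDIF = "\n\n".join([
    _sample_entry("alice", "{PBKDF2_SHA256}" + "A" * 80),
    _sample_entry("bob", "{SSHA512}" + "B" * 40),
    _sample_entry("svc-radius"),  # entry with no userPassword attribute
]) + "\n"
```

Calling needs_reset() on the export after the scheme change gives the list of accounts to reset; entries without a userPassword attribute are not reported.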