Slapd SHA256 manager password #21
Comments
- Tasks split into subfiles.
- Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d).
- TLS enabled by default, with certificate acquired using `ca_manager`.
- New default tree
- New default ACL
- Kerberos schema added
- {SSHA512} hash properly configured.
Solved by the very BIG PR #26. Relevant commit: In particular,
Anyway, salted SHA-2 suite hash functions are also not considered good/safe for password storage. Since they are meant for signing/fingerprinting, their forward calculation is very fast. Also, with cryptocurrency using SHA-256, custom hardware with the only purpose of generating SHA-256 hashes very efficiently and quickly is commonly available, and it's very easy and fast to generate rainbow tables. Salted hashes seem to mitigate this, but it depends on the implementation and the number of rounds used. It seems that password hashing algorithms have to be slow. Suggested algorithms are: scrypt, bcrypt, PBKDF2, Argon2. Argon2 is probably the best and is implemented as a pluggable module in OpenLDAP 2.5. Probably it can be compiled and backported to stable OpenLDAP 2.4. Refs:
I think slapd uses SHA1 for the manager password.
Check if we can force it to SHA256.
Related to the modification made in commit f0684ce.
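One way to check which scheme a stored manager password value uses, as an added example that is not code from this repository: it parses the `{SCHEME}base64(digest + salt)` layout used by `{SSHA}` and the salted SHA-2 schemes, verifies a password against it, and classifies the scheme. The function names and the sample values are constructed for illustration; `{ARGON2}` is assumed to be the scheme tag of the Argon2 module mentioned in the thread.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Salted schemes: tag -> (hashlib algorithm, digest length in bytes).
# {SSHA} is salted SHA-1; the others are the salted SHA-2 variants.
SALTED = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32),
          "SSHA384": ("sha384", 48), "SSHA512": ("sha512", 64)}


def make_hash(password: str, scheme: str = "SSHA512",
              salt: Optional[bytes] = None) -> str:
    """Build a '{SCHEME}base64(digest + salt)' value (constructed test data)."""
    algo, _ = SALTED[scheme]
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def split_scheme(value: str) -> Tuple[str, str]:
    """Return (SCHEME, remainder); a value without a tag is cleartext."""
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT", value
    scheme, _, rest = value[1:].partition("}")
    return scheme.upper(), rest


def verify(password: str, value: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    scheme, blob = split_scheme(value)
    if scheme not in SALTED:
        raise ValueError("unsupported scheme: " + scheme)
    algo, dlen = SALTED[scheme]
    raw = base64.b64decode(blob)
    digest, salt = raw[:dlen], raw[dlen:]  # the salt follows the digest
    calc = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)


def classify(value: str) -> str:
    """Map a stored value to the categories discussed in the thread."""
    scheme, _ = split_scheme(value)
    if scheme == "ARGON2":  # assumed tag of the Argon2 module
        return "slow-kdf"
    if scheme == "SSHA":
        return "sha1-salted"
    return "sha2-salted" if scheme in SALTED else "weak-or-unknown"
```
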