> On 2 Dec 2019, at 18:46, Francesc Guasch <fran...@telecos.upc.edu> wrote:
> 
> On 2/12/19 at 1:15, William Brown wrote:
>> 
>> 
>>> On 30 Nov 2019, at 03:50, Mark Reynolds <mreyno...@redhat.com> wrote:
>>> 
>> 
>>> This is the expected behavior.  We now automatically upgrade password 
>>> storage schemes to PBKDF2 in 1.4.2 - which is the strongest hashing 
>>> algorithm we offer.  MD5 is not considered secure anymore. You can disable 
>>> this "hash upgrade" feature by setting: nsslapd-enable-upgrade-hash to 
>>> "off" under cn=config
>> 
>> To echo what Mark has said here, MD5 today should be considered as 
>> equivalent to "cleartext" storage. Generally any storage scheme less than 
>> SSHA512 should not be used for a variety of security and compliance reasons. 
>> 
>> If you are using MD5 for one of the SASL MD5 mechanisms, these are also 
>> considered insecure, and you should opt for LDAPS (TLS) with simple bind or 
>> SASL-PLAIN instead. 
>> 
> 
> Mark and William, thank you very much for your kind answers.
> 
> I was adding the users using this perl code:
> 
>    use Authen::Passphrase;
>    use Authen::Passphrase::SaltedDigest;
> 
>    # Hash the password in RFC 2307 form for storage in userPassword.
>    my $apr = Authen::Passphrase::SaltedDigest->new(
>         passphrase => $password
>       , algorithm  => "MD5");
> 
>    my $userPassword = $apr->as_rfc2307();
> 
> Then matching with that:
> 
>    Authen::Passphrase->from_rfc2307($password_ldap)->match($password);

Hmmm you may want to consider using an LDAP bind rather than a client-side 
match of the hash content. It's a much more secure and long-term supportable 
way of managing this, and resolves a number of security risks around 
userPassword attribute disclosure. 

https://metacpan.org/pod/Net::LDAP::Examples#BINDING

> 
> I see now I have to use another algorithm like SSHA512 instead of MD5 and
> use PBKDF2 as the storage scheme instead of rfc2307. But that is not 389
> related.

See above, I'd consider you should think about LDAP simple binds instead of 
using the ->match here, then you don't need to worry about hashing at all.

> 
> Anyway congratulations for this directory server project and thank
> you for your fast and nice support.

Anytime, and we are always happy to help! 

> 
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
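What the bind-based check William recommends looks like in Perl, as an added example that is not part of the thread and not 389-ds project code. It resolves the uid to a DN with a low-privilege service account, then lets the server verify the password with a simple bind over LDAPS, so the client never reads userPassword. A second function reads the two cn=config attributes Mark mentions so you can see which storage scheme and upgrade setting the server is actually using. The host, base DN, service-account DN, CA bundle path and environment variable names are assumptions.

```perl
#!/usr/bin/env perl
# Added example, not code from the mailing-list thread or from 389-ds.
# Verifies a password with an LDAP simple bind instead of a client-side
# hash match. Host, DNs and paths below are assumptions for illustration.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

my $LDAP_URI = 'ldaps://ldap.example.com';                      # assumed
my $BASE_DN  = 'ou=people,dc=example,dc=com';                   # assumed
my $SVC_DN   = 'cn=auth-svc,ou=services,dc=example,dc=com';     # assumed
my $SVC_PW   = $ENV{LDAP_SVC_PW} // die "set LDAP_SVC_PW\n";    # assumed env var
my $CA_FILE  = '/etc/ssl/certs/ca-bundle.crt';                  # assumed

# Open a connection that requires a verified server certificate.
sub connect_ldaps {
    return Net::LDAP->new($LDAP_URI, verify => 'require', cafile => $CA_FILE)
        or die "connect $LDAP_URI: $@";
}

# Returns 1 for a correct password, 0 for a wrong one or unknown user,
# and dies on any other failure so that a server problem is never
# reported as "wrong password".
sub check_password {
    my ($uid, $password) = @_;

    # RFC 4513: a bind with an empty password is an unauthenticated bind
    # and may succeed, so reject it before it reaches the server.
    return 0 unless defined $password && length $password;

    # Step 1: uid -> DN, using the service account. Ask for no attributes
    # ("1.1") so userPassword is never transferred to the client.
    my $ldap = connect_ldaps();
    my $r = $ldap->bind($SVC_DN, password => $SVC_PW);
    die 'service bind: ' . $r->error if $r->code;

    my $filter = sprintf '(&(objectClass=inetOrgPerson)(uid=%s))',
                         escape_filter_value($uid);
    my $search = $ldap->search(base => $BASE_DN, scope => 'one',
                               filter => $filter, attrs => ['1.1']);
    die 'search: ' . $search->error if $search->code;
    my @entries = $search->entries;
    $ldap->unbind;
    return 0 unless @entries == 1;          # unknown or ambiguous uid
    my $dn = $entries[0]->dn;

    # Step 2: the server checks the password. Whatever scheme the entry
    # is stored with (MD5, SSHA512, PBKDF2) is the server's concern.
    my $user = connect_ldaps();
    my $bind = $user->bind($dn, password => $password);
    $user->unbind;

    return 1 if $bind->code == LDAP_SUCCESS;
    return 0 if $bind->code == LDAP_INVALID_CREDENTIALS;
    die 'user bind: ' . $bind->error;       # lockout, unwilling, etc.
}

# Reads the storage-scheme settings discussed in the thread from cn=config.
# Needs an account allowed to read cn=config (e.g. Directory Manager);
# the DN/password env vars are assumptions.
sub storage_scheme_settings {
    my $ldap = connect_ldaps();
    my $r = $ldap->bind($ENV{LDAP_ADMIN_DN} // 'cn=Directory Manager',
                        password => $ENV{LDAP_ADMIN_PW} // die "set LDAP_ADMIN_PW\n");
    die 'admin bind: ' . $r->error if $r->code;

    my $s = $ldap->search(base => 'cn=config', scope => 'base',
                          filter => '(objectClass=*)',
                          attrs  => [qw(passwordStorageScheme nsslapd-enable-upgrade-hash)]);
    die 'config search: ' . $s->error if $s->code;
    my ($cfg) = $s->entries;
    $ldap->unbind;
    return {
        scheme       => $cfg->get_value('passwordStorageScheme'),
        upgrade_hash => $cfg->get_value('nsslapd-enable-upgrade-hash'),
    };
}

if (!caller) {
    my $cfg = storage_scheme_settings();
    print "passwordStorageScheme=$cfg->{scheme} upgrade-hash=$cfg->{upgrade_hash}\n";
    # 'someuser' is a placeholder uid; supply a real one when running this.
    print check_password('someuser', $ENV{TEST_PW} // '') ? "accepted\n" : "denied\n";
}
```

The two connections are deliberate: re-using the service-account session for the user bind would leave that session bound as the user afterwards, and a failed user bind would leave it anonymous. Keep the service account's ACI limited to reading uid under the people subtree; it never needs to see userPassword at all.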