Password hashing in OpenLDAP

Passwords in OpenLDAP are stored as {SSHA} (salted SHA-1) by default. This is a hash, not encryption: slapd never recovers the cleartext, it recomputes the hash at bind time and compares.

Changing it to SHA-512 crypt ($6$) with a 16-character salt. The salt format is a printf(3)-style string; %.16s truncates the random salt slapd generates to 16 characters, the maximum crypt(3) uses for $6$. Note that olcPasswordHash takes a whitespace-separated list of schemes, not a comma-separated one:

olcPasswordHash: {CRYPT} {SSHA}
olcPasswordCryptSaltFormat: "$6$%.16s"

Or, if you want to raise the number of rounds (the default for $6$ is 5000):

olcPasswordHash: {CRYPT} {SSHA}
olcPasswordCryptSaltFormat: "$6$rounds=2000000$%.16s"

Existing {SSHA} values keep working: slapd verifies a stored userPassword value with whatever scheme its prefix names, independent of olcPasswordHash. olcPasswordHash only controls what slapd generates, and only when the password is set through the Password Modify extended operation (RFC 3062, e.g. ldappasswd or passwd through pam_ldap/sssd) or when the ppolicy overlay is configured with olcPPolicyHashCleartext: TRUE; a plain LDAP modify that writes a cleartext userPassword stores it as cleartext. Every listed scheme is generated, so keeping {SSHA} in the list stores an {SSHA} value next to the {CRYPT} one for each new password, which gives an attacker with a copy of the database the cheaper hash to crack; list {CRYPT} alone if that is not what you want. glibc accepts rounds between 1000 and 999 999 999 (default 5000) and silently clamps values outside that range. Raising the rounds makes each hash computation slower; this does not prevent brute force, it slows an offline attack against a stolen hash by the same factor, and it slows every bind by the same factor too, so measure the cost on the LDAP server before going to millions of rounds.

SHA-512 crypt is provided by the system crypt(3) (glibc, or libxcrypt on newer distributions), not by OpenLDAP, so it must be available there. Two indications that it is:
- /etc/login.defs contains ENCRYPT_METHOD SHA512 (the distribution already uses it for local accounts)
- man pam_unix lists the sha512 option
The conclusive check is to generate a hash with slappasswd and confirm the output begins with {CRYPT}$6$.

OpenLDAP also has to be built with crypt support (--enable-crypt); without it the {CRYPT} scheme is unknown to slapd and the olcPasswordHash change is rejected as "scheme not available".

SHA-512 crypt values for LDAP can be generated with slappasswd. The -c option only sets the salt format, so the scheme has to be selected explicitly with -h, otherwise slappasswd falls back to its {SSHA} default. Use the same format string as in olcPasswordCryptSaltFormat, including any rounds= part:

slappasswd -h '{CRYPT}' -c '$6$%.16s'

The output ({CRYPT}$6$...) can be written straight into userPassword with ldapmodify or an LDIF; a value that carries a scheme prefix is stored as-is, whatever olcPasswordHash says.
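As an added example that is not part of the original post and not OpenLDAP's own code, the following pure-Python model shows what the configuration above actually produces and checks: sha512_crypt() implements the SHA-crypt ($6$) algorithm that glibc's crypt(3) uses, so the salt truncation of %.16s and the cost of rounds=N can be observed without a running slapd; verify_userpassword() models how slapd accepts an old {SSHA} value and a new {CRYPT}$6$ value side by side. The {SSHA} layout (SHA-1 digest followed by the salt, base64-encoded) is what slapd stores; the known-answer value is the first test vector of the SHA-crypt specification. All function names, the sample password and the legacy value are constructed for this example.

```python
# Added example, not code from the original post or from OpenLDAP itself.
# sha512_crypt() implements the SHA-crypt ("$6$") algorithm used by glibc crypt(3);
# verify_userpassword() models how slapd checks a stored userPassword value by
# the scheme prefix it carries ({SSHA} or {CRYPT}).
import base64
import hashlib
import hmac
import re
import secrets

CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999   # glibc limits
SALT_MAX = 16                                                      # crypt(3) truncates the $6$ salt here


def _b64_from_24bit(b2, b1, b0, n):
    """crypt(3)'s base64: emit n characters, low 6 bits first, of the 24-bit word b2|b1|b0."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(CRYPT_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=None):
    """Return the $6$ crypt string for password (bytes) and salt (str).
    rounds=None uses the default 5000 and omits the rounds= field, like glibc."""
    salt_b = salt[:SALT_MAX].encode()
    n_rounds = ROUNDS_DEFAULT if rounds is None else min(max(rounds, ROUNDS_MIN), ROUNDS_MAX)
    plen, slen = len(password), len(salt_b)
    digest_b = hashlib.sha512(password + salt_b + password).digest()
    a = hashlib.sha512(password + salt_b)
    a.update(digest_b * (plen // 64) + digest_b[: plen % 64])
    bits = plen
    while bits > 0:                       # walk the binary expansion of the password length
        a.update(digest_b if bits & 1 else password)
        bits >>= 1
    digest_a = a.digest()
    dp = hashlib.sha512(password * plen).digest()
    p_bytes = dp * (plen // 64) + dp[: plen % 64]
    ds = hashlib.sha512(salt_b * (16 + digest_a[0])).digest()
    s_bytes = ds * (slen // 64) + ds[: slen % 64]
    digest = digest_a
    for i in range(n_rounds):             # the loop whose length "rounds=N" sets
        c = hashlib.sha512(p_bytes if i & 1 else digest)
        if i % 3:
            c.update(s_bytes)
        if i % 7:
            c.update(p_bytes)
        c.update(digest if i & 1 else p_bytes)
        digest = c.digest()
    order = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4), (47, 5, 26),
             (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51), (31, 52, 10), (53, 11, 32),
             (12, 33, 54), (34, 55, 13), (56, 14, 35), (15, 36, 57), (37, 58, 16), (59, 17, 38),
             (18, 39, 60), (40, 61, 19), (62, 20, 41)]
    encoded = "".join(_b64_from_24bit(digest[x], digest[y], digest[z], 4) for x, y, z in order)
    encoded += _b64_from_24bit(0, 0, digest[63], 2)
    rounds_field = "" if rounds is None else "rounds=%d$" % n_rounds
    return "$6$" + rounds_field + salt_b.decode() + "$" + encoded


def make_userpassword(password, rounds=None):
    """What slapd stores for olcPasswordCryptSaltFormat "$6$[rounds=N$]%.16s":
    a random 16-character salt from the crypt alphabet under the {CRYPT} prefix."""
    salt = "".join(secrets.choice(CRYPT_B64) for _ in range(SALT_MAX))
    return "{CRYPT}" + sha512_crypt(password, salt, rounds)


def make_legacy_ssha(password, salt):
    """A value in the default scheme: {SSHA} base64(sha1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


_CRYPT_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})$")


def verify_userpassword(stored, password):
    """Check password (bytes) against one userPassword value, accepting the old
    {SSHA} scheme and the new {CRYPT}$6$ scheme side by side, as slapd does."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]                 # SHA-1 digest first, salt after it
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    if stored.startswith("{CRYPT}"):
        m = _CRYPT_RE.match(stored[7:])
        if not m:
            return False                                  # only $6$ is modelled here
        rounds = int(m.group(1)) if m.group(1) else None
        return hmac.compare_digest(sha512_crypt(password, m.group(2), rounds), stored[7:])
    return False


def known_answer_ok():
    """First test vector of the SHA-crypt specification (Drepper)."""
    expected = ("$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu"
                "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1")
    return sha512_crypt(b"Hello world!", "saltstring") == expected


if __name__ == "__main__":
    pw = b"correct horse battery staple"                 # constructed sample password
    legacy = make_legacy_ssha(pw, secrets.token_bytes(4))  # constructed legacy value
    new = make_userpassword(pw, rounds=200_000)         # the post's 2000000 takes ten times longer
    print("known answer:", known_answer_ok())
    print(legacy, verify_userpassword(legacy, pw))
    print(new, verify_userpassword(new, pw))
```

Running the script prints one legacy {SSHA} value and one new {CRYPT}$6$rounds=200000$ value, both verifying against the same cleartext, which is exactly the mixed state a directory is in after the configuration change. Time the rounds=200000 call and scale it linearly to estimate what rounds=2000000 will cost each bind on your server.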