cyrusimap / cyrus-sasl


ssha include the 256 and 512 versions #794

Closed f1-outsourcing closed 1 year ago

f1-outsourcing commented 1 year ago

On this page[1] is written "Supported hashes: crypt, md5, smd5, sha and ssha."

I still have an older LDAP with ssha, but I was thinking of using a different hash for passwords after upgrading. I think I read somewhere that it is quite easy to crack plain ssha. Does your ssha include the 256 and 512 versions? It might be nice to mention that on this page.

[1] https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

quanah commented 1 year ago

If you're talking about LDAP's internal hashing mechanisms for passwords, that has zero to do with SASL. OpenLDAP itself supports a number of modern hashing algorithms beyond SSHA. You didn't specify what LDAP server you're using, I suggest reading its documentation for how to choose what hashing mechanisms to use for passwords.

Neustradamus commented 1 year ago

Dear @openldap team, @quanah: It is not clear in OpenLDAP for SCRAM:

Is it possible to add more information?

cc: @mhardin42, @martyheyman, @hyc, @shawnmckinney, @jklowden, @mistotebe, @nivanova-symas, @rtandy, ...

quanah commented 1 year ago

Dear @openldap team, @quanah: It is not clear in OpenLDAP for SCRAM:

If you have questions about OpenLDAP then you should be using the OpenLDAP project resources, such as the openldap-technical emailing list, not pinging people here.

quanah commented 1 year ago

Also SCRAM has zero to do with how userPasswords are hashed in openldap

f1-outsourcing commented 1 year ago

If you're talking about LDAP's internal hashing mechanisms for passwords, that has zero to do with SASL. OpenLDAP itself supports a number of modern hashing algorithms beyond SSHA. You didn't specify what LDAP server you're using, I suggest reading its documentation for how to choose what hashing mechanisms to use for passwords.

It is just my lack of knowledge and this file being there. When I read it, I got the impression that sasl supported just a subset of the openldap hashes.

hyc commented 1 year ago

That part of the doc specifically talks about a "custom" auth method where saslauthd reads the userPassword attribute and checks it itself. https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD#L95

So it has nothing to do with OpenLDAP's password hashing methods. But obviously it's a dumb idea to use this method, and better to just let OpenLDAP take care of password hashing.