majewsky closed this 9 months ago
Given that we use the {CRYPT} scheme for the userPassword attribute, we are limited to what libcrypt supports. Current libxcrypt implementations seem to prefer multi-round-SHA512 (scheme $6$), so our current choice of multi-round-SHA256 (scheme $5$) appears to be fine still.
@majewsky can you re-open that issue so that I can link to it from nixpkgs? see https://github.com/NixOS/nixpkgs/pull/231502#discussion_r1196638531
Reopened as per Sandro's request. If openldap now widely supports a non-trash hash, we should switch to it. PRs are appreciated.
If I recall correctly, vanilla slapd can do better than Salted SHA by this point, so Portunus should prefer one of the better hashes that slapd supports, and upgrade existing user accounts to use this hash on successful login.
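The {CRYPT}$6$ userPassword values discussed in the first comment and the upgrade-on-successful-login step suggested in the last one, as an added example that is not Portunus or OpenLDAP code. It assumes OpenSSL 1.1.1 or newer (whose `openssl passwd -6` implements sha512crypt, the libxcrypt $6$ scheme) and a slapd configured with `password-hash {CRYPT}` and `password-crypt-salt-format "$6$%.16s"`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not Portunus or OpenLDAP code). Assumes OpenSSL >= 1.1.1,
# whose `openssl passwd -6` implements sha512crypt, the libxcrypt $6$ scheme
# the thread refers to. slapd is assumed to be configured with
# `password-hash {CRYPT}` and `password-crypt-salt-format "$6$%.16s"`.

# ldap_crypt_hash PASSWORD [SALT]
# Prints a userPassword value of the form {CRYPT}$6$<salt>$<hash>.
# The default salt is 16 chars from [0-9a-f], all valid crypt salt characters.
ldap_crypt_hash() {
    pw=$1
    salt=${2:-$(openssl rand -hex 8)}
    # -stdin keeps the password out of the process list and shell history
    crypt=$(printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin)
    printf '{CRYPT}%s\n' "$crypt"
}

# ldap_crypt_verify STORED PASSWORD
# Exit 0 if PASSWORD matches the stored {CRYPT}$6$ value, else 1.
ldap_crypt_verify() {
    stored=$1; pw=$2
    case $stored in
        '{CRYPT}$6$'*) ;;
        *) return 1 ;;               # only sha512crypt is handled here
    esac
    crypt=${stored#"{CRYPT}"}        # $6$<salt>$<hash>
    salt=$(printf '%s' "$crypt" | cut -d'$' -f3)
    case $salt in rounds=*) return 1 ;; esac   # custom round counts not handled
    [ "$(printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin)" = "$crypt" ]
}

# needs_upgrade STORED
# Exit 0 if the stored value uses anything other than {CRYPT}$6$
# ({SSHA}, {CRYPT}$5$, {CRYPT}$1$, cleartext, ...) and should be
# re-hashed the next time the user authenticates successfully.
needs_upgrade() {
    case $1 in
        '{CRYPT}$6$'*) return 1 ;;
        *) return 0 ;;
    esac
}

# on_successful_login STORED PASSWORD
# Call only after the existing hash (in whatever scheme) has been verified:
# prints the replacement userPassword value, or the unchanged one if no
# upgrade is needed.
on_successful_login() {
    if needs_upgrade "$1"; then ldap_crypt_hash "$2"; else printf '%s\n' "$1"; fi
}
```

The verifier deliberately refuses anything that is not {CRYPT}$6$, so legacy {SSHA} or $5$ values are checked by slapd itself and only replaced once the user has authenticated.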