4xoc
commented
2 years ago LDAP has a very specific password format where the {} part defines what type of password this is (for example {SASL}someUsername, no password is saved at all but delegated to SASL). The Part after the {} is just the base64 encoded hash in case of sha/sha2 to represent binary data in ASCII chars. Those hashes can be represented in many ways, OpenLDAP uses the described format and that cannot be changed. BTW, sha2 support needs to have an additional module pw-sha2 loaded in slapd for sha256 and larger (same goes for >=ssha256).
Check out ldappasswd which allows you to generate new passwords in ldap format.
Hello,
We have tried encrypting a password for a user with SHA-512 encryption in LDAP and the format of the password is as mentioned below.
{SHA512}r2K5zao5z45eey49xafOOd8DxFGbGgnqsUAxsoeaLjdWm6RUKAGLXvs3x+BUKVXvHP47odin9AhSkiZLRZZbOw==We've also generated a password with SHA-512 encryption on a control panel (cPanel) and the password format is as mentioned below.
$6$oa7whGtyZ61Hc0TN$4rfjAyMTdVLzkw9euTZmRSkIaSlqu9MuvaD3wSnGjV7JOaBpMLr6dsLnURrMp5n8fS3vapCn7RMBE9t8lb5IZ/:19032::::::As you see, both uses the same encryption but the password format is quite different.
Is it possible to encrypt the password in LDAP using the format used by cPanel?