Configuration of Module pw-sha2
Explore how to properly configure the pw-sha2 module to enhance security and authentication protocols for your system.
Updated at July 1st, 2025
Table of Contents
Date: 11-04-2022
What Is pw-sha2?
The pw-sha2 module provides support for stronger SHA2 password hashing schemes in OpenLDAP.
Hashing Schemes
The following hashing schemes are made available through the pw-sha2 module:
| Name | Attribute Name | Salted |
|---|---|---|
| SHA-256 | {SHA256} | No |
| SHA-384 | {SHA384} | No |
| SHA-512 | {SHA512} | No |
| SSHA-256 | {SSHA256} | Yes |
| SSHA-384 | {SSHA384} | Yes |
| SSHA-512 | {SSHA512} | Yes |
Configuration
Adding or modifying the password-hash/olcPasswordHash attribute does not change the currently hashed passwords in the database. The new hashing scheme will apply only to passwords generated via the LDAP Password Modify Extended Operations.
To add pw-sha2 and set an SHA2 scheme as the default for new passwords:
For slapd.conf
Add pw-sha2 configuration:
moduleload pw-sha2.la
...
password-hash {SSHA512}Note: Enabling this module requires a restart of slapd.
For cn=config
Add pw-sha2 configuration:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2.la
dn: cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA512}
-