Configuration of Module pw-sha2
Explore how to properly configure the pw-sha2 module to enhance security and authentication protocols for your system.
Date: 11-04-2022
What Is pw-sha2?
The pw-sha2 module provides support for stronger SHA2 password hashing schemes in OpenLDAP.
Hashing Schemes
The following hashing schemes are made available through the pw-sha2 module (the scheme prefix is the tag stored at the start of the userPassword value):

Name | Scheme Prefix | Salted
---|---|---
SHA-256 | {SHA256} | No
SHA-384 | {SHA384} | No
SHA-512 | {SHA512} | No
SSHA-256 | {SSHA256} | Yes
SSHA-384 | {SSHA384} | Yes
SSHA-512 | {SSHA512} | Yes
Configuration
Adding or modifying the password-hash (slapd.conf) or olcPasswordHash (cn=config) setting does not rehash the passwords already stored in the database. The new hashing scheme applies only to passwords set afterwards via the LDAP Password Modify Extended Operation; existing entries keep their old hash until the user changes their password.

To add pw-sha2 and set an SHA2 scheme as the default for new passwords:
For slapd.conf
Add the pw-sha2 configuration:

```
moduleload pw-sha2.la
...
password-hash {SSHA512}
```
Note: Enabling this module requires a restart of slapd.
For cn=config
Add the pw-sha2 configuration (two LDIF records, separated by a blank line so ldapmodify treats them as separate changes):

```
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2.la

dn: cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA512}
-
```
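Because the setting above only affects passwords changed from now on, an administrator usually wants to know which entries still carry an old hash. The following is an added example, not code from the page or from OpenLDAP: it builds and verifies values in pw-sha2's stored layout ({TAG}base64(digest || salt), with an 8-byte salt for the SSHA* schemes) and reports which DNs in an ldapsearch dump are not yet on a salted SHA-2 scheme. The DNs, passwords, salt and the legacy {SSHA} value are constructed sample data.

```python
import base64
import hashlib
import hmac

# Digest per scheme prefix listed on the page; the SSHA* variants carry a salt.
SCHEMES = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512,
           "SSHA256": hashlib.sha256, "SSHA384": hashlib.sha384, "SSHA512": hashlib.sha512}
SALTED_SHA2 = {"SSHA256", "SSHA384", "SSHA512"}

def make_hash(scheme, password, salt=b""):
    # pw-sha2 layout: {TAG}base64(digest(password || salt) || salt); SHA* use an empty salt.
    digest = SCHEMES[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def check_password(stored, password):
    # Split off the tag, then split the blob into digest and trailing salt by digest size.
    tag, b64 = stored[1:].split("}", 1)
    blob = base64.b64decode(b64)
    dlen = SCHEMES[tag]().digest_size
    candidate = SCHEMES[tag](password.encode() + blob[dlen:]).digest()
    return hmac.compare_digest(candidate, blob[:dlen])

def scheme_tag(value):
    return value[1:value.index("}")] if value.startswith("{") else "PLAINTEXT"

def scheme_by_dn(ldif):
    # ldapsearch prints userPassword base64-encoded ("::"); a plain ":" value is handled too.
    result, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            result[dn] = scheme_tag(base64.b64decode(line[15:]).decode())
        elif line.startswith("userPassword: "):
            result[dn] = scheme_tag(line[14:])
    return result

def needs_rehash(ldif):
    # Entries not on a salted SHA-2 scheme keep their old hash until the password is changed.
    return sorted(dn for dn, tag in scheme_by_dn(ldif).items() if tag not in SALTED_SHA2)

# Constructed sample dump (not a real directory): alice still has an unsalted {SHA256} hash,
# bob changed his password after {SSHA512} became the default, carol has a legacy {SSHA}
# placeholder (base64 of "{SSHA}x", only the prefix matters for the audit).
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\nuserPassword: " + make_hash("SHA256", "oldpass")
    + "\n\ndn: uid=bob,ou=people,dc=example,dc=com\nuserPassword: " + make_hash("SSHA512", "newpass", b"8bytesal")
    + "\n\ndn: uid=carol,ou=people,dc=example,dc=com\nuserPassword:: e1NTSEF9eA==\n"
)
```

Running `needs_rehash` over a real `ldapsearch -LLL userPassword` export gives the list of accounts whose owners still need to set a new password before the old scheme can be retired.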