I have two OpenLDAP directory servers. One is a standard Zimbra OpenLDAP server. Accounts have passwords that use the SSHA-512 hash method.
When I copy these accounts to a standard OpenLDAP server with the sha2 module compiled and installed, only SHA-512 is supported.
I cannot successfully bind with accounts that have a SSHA-512 hash method. I can verify the password is correct with an external LDAP browser, but I cannot bind. The message is always that the credentials are invalid.
The authentication failed
[LDAP: error code 49 – Invalid Credentials]
Is this a hash method specific to Zimbra OpenLDAP servers? Is this hash method created by the Zimbra community?
Why would the Zimbra community use a non-standard hash method?
Where can we find this SSHA-512 hash method? So we can add this to standard OpenLDAP servers.
On the OpenLDAP website it says:
"OpenLDAP supports RFC 2307 passwords, including the {SHA}, {SSHA} and other schemes. Such passwords may be used as userPassword values and/or rootpw value. See (Xref) What are RFC 2307 hashed user passwords?.
{SHA} and {SSHA} are RFC 2307 password schemes which use the SHA1 secure hash algorithm. The {SSHA} is the seeded variant. {SSHA} is recommended over other RFC 2307 schemes."
This information is not correct. I did create the slapd-sha2.so module as described for example here https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2
But following these instructions does not give SSHA support, only SHA.
Best Answer
You need to tell OpenLDAP which scheme to use, in slapd.conf or the online configuration:
slapd.conf: it is the password-hash entry.
olcPasswordHash entry in the top-level olcGlobal config object.
Set it to {SSHA}.