How do you turn on password hashing (SSHA) in OpenLDAP?

The LDAP spec requires plaintext passwords for interoperability. The link given above on security will give you the option for default hash types that the server can enforce, but do consider the implications.


You can use 'password-hash' to change the hashing algorithm; the default one is SSHA (not clear text).

Note that slapd uses the above only if the passwords sent by clients are in plain text; if your client sends a hashed password, it is stored as it is.

For example, with pam_ldap, use pam_password exop (or clear).

How are password strength tests run at the server if the password is coming in hashed? I know that is a feature OpenLDAP touts.

If you send hashed passwords, slapd can't perform strength tests, so the clients must send passwords in clear text (ppolicy has an option to accept/reject hashed passwords).

Note:

  1. Make sure your clients use SSL/TLS (so the passwords are not sent in clear text).
  2. The userPassword attribute contains special characters ({}), so you have to do a base64 -d to identify the hashing algorithm used.

E.g., normally the attributes are returned in the following format (:: indicates the result is base64 encoded):

userPassword:: e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ==

$ echo e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ==|openssl base64 -d
{SSHA}B54UsfAhI7WPgqol5RCYyDu3NUjkYnUXXWicng==

This is an old question, but still relevant. It's no longer recommended to use SSHA (i.e. SHA-1) due to its relatively easy brute-forcing.

A more secure hashing algorithm is SHA-512. A stronger hash can be generated on the client side with OpenSSL 1.1 like this:

_generate_password_hash() {
  local plaintext; plaintext="$1"

  # Emit a {CRYPT} value holding a SHA-512 crypt(3) hash ($6$) of the given password
  command printf "{CRYPT}%s" "$(openssl passwd -6 -stdin <<< "${plaintext}")"
}

This will output a string such as:

{CRYPT}$6$SGIWzAbjh.3WoQQJ$vEFlcRBQpd2fJ8dxcbojr83pjQcXcJ.InRMzNRryTQ//fMYJoCRFWAPn22EvJyDikG.MNuUqRYqQtI97Clj2F0

Notice the {CRYPT} instead of {SSHA} in the beginning.

You may apply the password for example with ldapmodify:

ldapmodify -h "${LDAP_HOST}" -D cn=user,dc=example,dc=com -W <<EOF
dn: cn=user,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: $(_generate_password_hash NEW_PASSWORD_HERE)
EOF

Notice that LibreSSL has a different set of hashing algorithms available. Check your actual OpenSSL version with openssl version if openssl passwd --help doesn't show the -6 option.
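As an added example (not code from any of the answers), the following Python script ties the two answers above together: it unfolds ldapsearch-style LDIF output, decodes a `::` base64 value, reports which scheme each userPassword uses ({SSHA}, {CRYPT} with its crypt id, or cleartext) so unhashed or legacy values can be spotted in a directory dump, and verifies a candidate password against an {SSHA} value. The LDIF fragment is constructed; the two hash values in it are the ones quoted in the answers, and the {SSHA} layout assumed is the standard one (20-byte SHA-1 digest followed by the salt).

```python
import base64
import hashlib
import os
import re

# Constructed LDIF sample (not from a real directory): a "::" base64 value folded
# across two lines as ldapsearch wraps it, a {CRYPT} value and a cleartext one.
SAMPLE_LDIF = """\
dn: cn=user,dc=example,dc=com
userPassword:: e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ=
 =
userPassword: {CRYPT}$6$SGIWzAbjh.3WoQQJ$vEFlcRBQpd2fJ8dxcbojr83pjQcXcJ.InRMzNRryTQ//fMYJoCRFWAPn22EvJyDikG.MNuUqRYqQtI97Clj2F0
userPassword: secret
"""
CRYPT_IDS = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}

def userpassword_values(ldif_text):
    """Return decoded userPassword values; '::' marks base64, a leading space a folded line."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        m = re.match(r"userPassword(::?) (.*)$", line, re.IGNORECASE)
        if m:
            raw = m.group(2).strip()
            values.append(base64.b64decode(raw) if m.group(1) == "::" else raw.encode())
    return values

def scheme_of(value):
    """Classify a stored value: 'SSHA', 'CRYPT-SHA-512', ... or 'cleartext'."""
    m = re.match(rb"\{([A-Za-z0-9-]+)\}(.*)", value, re.DOTALL)
    if not m:
        return "cleartext"  # no {scheme} prefix: slapd stored what the client sent
    scheme, rest = m.group(1).decode().upper(), m.group(2)
    if scheme == "CRYPT":
        return "CRYPT-" + CRYPT_IDS.get(rest[:3].decode(errors="replace"), "DES/other")
    return scheme

def ssha_hash(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def ssha_verify(value, candidate):
    """Check a candidate against a {SSHA} value: first 20 bytes digest, rest salt."""
    if scheme_of(value) != "SSHA":
        return False
    blob = base64.b64decode(value[len(b"{SSHA}"):])
    return hashlib.sha1(candidate.encode() + blob[20:]).digest() == blob[:20]
```

Running `scheme_of` over every value in an export is a quick way to find entries still stored in cleartext or under {SSHA} before switching to {CRYPT} with SHA-512.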


When you store the userPassword attribute in add/modify LDAP operations, the userPassword value is stored as plain text. But you can override this behavior using the ppolicy_hash_cleartext option in the ppolicy overlay module in OpenLDAP. Once you enable it, when a client sends a plain text password, it is stored as SSHA by default. You can find more details on enabling password hashing in OpenLDAP here.