What is SSHA-512? How can OpenLDAP support it?



I have two OpenLDAP directory servers. One is a standard Zimbra OpenLDAP server. Its accounts have passwords that use the SSHA-512 hash method.

When I copy these accounts to a standard OpenLDAP server with the sha2 module compiled and installed, only SHA-512 is supported.

I cannot successfully bind with accounts that have an SSHA-512 hash method. I can verify the password is correct with an external LDAP browser, but I cannot bind. The message is always that the credentials are invalid.
The authentication failed
[LDAP: error code 49 - Invalid Credentials]

Is this a hash method specific to Zimbra OpenLDAP servers? Is this hash method created by the Zimbra community?

Why would the Zimbra community use a non-standard hash method?

Where can we find this SSHA-512 hash method, so we can add it to standard OpenLDAP servers?

On the OpenLDAP website is
"OpenLDAP supports RFC 2307 passwords, including the SHA, SSHA and other schemes. Such passwords may be used as userPassword values and/or rootpw value. See (Xref) What are RFC 2307 hashed user passwords?.
SHA and SSHA are RFC 2307 passwords schemes which use the SHA1 secure hash algorithm. The SSHA is the seeded variant. SSHA is recommended over other RFC 2307 schemes."

This information is not correct. I did create the slapd-sha2.so module as described for example here https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2

But following these instructions gives only SHA support, not SSHA support.
asked Nov 20 '14 at 9:11
onknows
    Most openldap servers use online configuration. Have you tried updating cn=module0,cn=config with your new olcModuleLoad line?
    – Andrew Domaszek, Nov 20 '14 at 9:28
2 Answers
You need to tell OpenLDAP which scheme to use, in slapd.conf or the online configuration:

  • In slapd.conf it is the password-hash entry.
  • In the online configuration it is the olcPasswordHash entry in the top-level olcGlobal config object.

Set it to SSHA.
answered Nov 28 '14 at 0:33
user207421
I know this is an old post, but I got here with a similar problem, and the solution was to load the module to support SSHA-2 algorithms. Include in the slapd.conf file the line:

    moduleload pw-sha2.la

I hope this helps somebody ;-)
edited Mar 11 at 14:05
Tommiie

answered Mar 11 at 12:42
Daniel Vasconcelos
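The difference between the {SHA512} and {SSHA512} schemes discussed in this thread, as an added example that is not part of the original posts or of OpenLDAP's code. It assumes the usual salted layout, base64(SHA-512(password + salt) + salt), with an 8-byte random salt; the function names, the `enabled` parameter and the sample password are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def make_sha512(password: str) -> str:
    """Unsalted {SHA512}: base64(SHA-512(password))."""
    digest = hashlib.sha512(password.encode("utf-8")).digest()
    return "{SHA512}" + base64.b64encode(digest).decode("ascii")


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA512}: base64(SHA-512(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt  # salt length is an assumption
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def parse(value: str) -> Tuple[str, bytes]:
    """Split '{SCHEME}base64' into (SCHEME, decoded bytes)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, b64 = value[1:].partition("}")
    return scheme.upper(), base64.b64decode(b64, validate=True)


def check_password(stored: str, candidate: str,
                   enabled: Tuple[str, ...] = ("SHA512", "SSHA512")) -> bool:
    """Verify candidate against a stored userPassword value.

    `enabled` models which scheme handlers the server has loaded. A value
    whose scheme has no handler can never match, which the client sees as
    "error code 49 - Invalid Credentials" even when the password is right.
    """
    scheme, raw = parse(stored)
    if scheme not in enabled:
        return False
    if scheme == "SHA512":
        if len(raw) != DIGEST_LEN:
            return False
        digest, salt = raw, b""
    elif scheme == "SSHA512":
        if len(raw) <= DIGEST_LEN:  # no salt bytes after the digest
            return False
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    else:
        return False
    expected = hashlib.sha512(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time compare


if __name__ == "__main__":
    stored = make_ssha512("s3cret-example")  # constructed sample value
    print(stored)
    print(check_password(stored, "s3cret-example"))                       # True
    print(check_password(stored, "s3cret-example", enabled=("SHA512",)))  # False
```

Running `parse` on a value copied from the source directory shows whether the decoded blob is 64 bytes (unsalted) or longer (salted), which tells you which scheme handler the target server needs.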


























