user1700494

Reputation: 211

How to make ldappasswd use {SHA} instead of {SSHA} for users' passwords in openldap?

Is it possible to use {SHA} with ldappasswd? I didn't find the responsible option in the manual page and docs.

Upvotes: 1

Views: 2484

Answers (2)

Nemolovich

Reputation: 392

I know that's an old post but I found another solution for this problem.

This solution works for ApacheDirectory servers (for org.apache implementation classes, but I think you can find interceptors for each openldap).

If you want to use SHA encrypting by default when using ldappasswd, you can change the interceptor implementation of password.

You have to modify the following DN entry:

ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

And change the value: ads-interceptorclassname: org.apache.directory.server.core.hash.ShaPasswordHashingInterceptor

By default, openldap is using:

ads-interceptorclassname: org.apache.directory.server.core.hash.SshaPasswordHashingInterceptor

Command to modify:

ldapmodify -h <LDAP_HOST> -p <LDAP_PORT> -D "<ADMIN_DN>" -w "<ADMIN_PASSWORD>" <<EOF
dn: ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-interceptorclassname
ads-interceptorclassname: org.apache.directory.server.core.hash.ShaPasswordHashingInterceptor
EOF

Then you have to restart your LDAP server. All new passwords added by ldappasswd will be in SHA and not in SSHA.

Note: You can use another interceptor provided by Apache: http://directory.apache.org/apacheds/advanced-ug/1.4-interceptors.html#existing-interceptors

Javadoc: https://directory.apache.org/apacheds/gen-docs/2.0.0-M20/apidocs/org/apache/directory/server/core/hash/package-tree.html

Upvotes: 0

rtandy

Reputation: 373

Look for password-hash in slapd.conf(5), or for olcPasswordHash in slapd-config(5).

Upvotes: 1
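
What the two schemes discussed on this page actually store in userPassword, as an added example that is not part of either answer: {SHA} is an unsalted SHA-1 digest, so accounts with the same password get the same stored value, while {SSHA} appends a per-entry salt. The function names, DNs and passwords are constructed for illustration, and the 8-byte salt length is an arbitrary choice in this sketch.

```python
import base64
import hashlib
import hmac
import os

def make_sha(password):
    """{SHA}: base64(SHA-1(password)). No salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def make_ssha(password, salt=None):
    """{SSHA}: base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt  # 8 bytes: arbitrary choice here
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(password, stored):
    """Check a password against a {SHA} or {SSHA} userPassword value."""
    end = stored.index("}") + 1
    scheme, raw = stored[:end].upper(), base64.b64decode(stored[end:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    if scheme == "{SHA}" and not salt:
        expected = hashlib.sha1(password).digest()
    elif scheme == "{SSHA}" and salt:
        expected = hashlib.sha1(password + salt).digest()
    else:
        return False  # unknown scheme or malformed value
    return hmac.compare_digest(digest, expected)

def duplicate_hashes(entries):
    """Map each stored value shared by several DNs to the DNs that share it."""
    groups = {}
    for dn, value in entries.items():
        groups.setdefault(value, []).append(dn)
    return {value: dns for value, dns in groups.items() if len(dns) > 1}

# Constructed sample data: three accounts that all chose the same password.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"
SAMPLE = {
    ALICE: make_sha(b"Winter2024"),
    BOB: make_sha(b"Winter2024"),
    CAROL: make_ssha(b"Winter2024"),
}

if __name__ == "__main__":
    for value, dns in duplicate_hashes(SAMPLE).items():
        print("identical stored value:", value, dns)
    print("carol verifies:", verify(b"Winter2024", SAMPLE[CAROL]))
```

Run over an export of a real directory, duplicate_hashes gives a quick audit of which accounts are exposed by the unsalted scheme before deciding to switch the server default.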
