On Sat, Dec 29, 2018 at 09:29:37PM +0000, Andy Smith wrote:
> Okay, I accept in the general case that this might be true, but in
> BitFolk's specific case we have multiple different off the shelf
> software packages all authenticating using LDAP and I need
> OpenLDAP's own password routines to be able to manage password
> checks and changing.
>
> So, that does limit me to the hashing schemes supported by OpenLDAP,
> which I don't think would include putting multiple different old
> hash schemes into a new hash scheme.
>
> As far as I know, to do what you're suggesting I would either need to write
> a module for OpenLDAP so it could migrate in that way, or else have
> every application do it and have them send/read the raw hashes from
> LDAP for update/comparison.
All fair points of course.
I just mentioned it because it once surprised me when I found out about
that and it might actually help sites/services where asking people to
login again isn't feasible. :-)
Martijn.