Discussion:
[389-users] How do I change the root password storage scheme to CRYPT-SHA512 through dsconf?
spike
2021-04-16 07:04:02 UTC
Permalink
Hi everyone,

I'd like to change the default root password storage scheme from PBKDF2_SHA256 to CRYPT-SHA512 but I'm not having much success. I'm using the RHDS 11 documentation (https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#change_directory_manager_storage_scheme-CLI) as a reference since the 389ds documentation page (https://directory.fedoraproject.org/docs/389ds/documentation.html) refers to that as "The best documentation for use and deployment". The 389ds version is 1.4.4.15 which should correspond with RHDS 11.

What I've tried:

# mkpasswd -m sha512crypt secret
$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/
# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 nsslapd-rootpw="{crypt}$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/"
selinux is disabled, will not relabel ports or files.
Successfully replaced "nsslapd-rootpwstoragescheme"
selinux is disabled, will not relabel ports or files.
Successfully replaced "nsslapd-rootpw"


Which results in me being unable to log in (bind non-anonymously). I've also tried:

# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 nsslapd-rootpw="{CRYPT-SHA512}$6$gOiCU3fNsdrH9.mR$fVxs..."

and

# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 nsslapd-rootpw="$6$gOiCU3fNsdrH9.mR$fVxs..."

which were also unsuccessful (login not possible).

Setting a `CRYPT-SHA512` password though the 389ds cockpit UI plugin works fine though, so I'm pretty sure I'm just not getting the syntax for `dsconf` correctly.

Any pointers are greatly appreciated.

Cheers!
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https:
Mark Reynolds
2021-04-16 14:16:48 UTC
Permalink
Post by spike
Hi everyone,
I'd like to change the default root password storage scheme from
PBKDF2_SHA256 to CRYPT-SHA512 but I'm not having much success. I'm
using the RHDS 11 documentation
(https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/administration_guide/index#change_directory_manager_storage_scheme-CLI)
as a reference since the 389ds documentation page
(https://directory.fedoraproject.org/docs/389ds/documentation.html)
refers to that as "The best documentation for use and deployment". The
389ds version is 1.4.4.15 which should correspond with RHDS 11.
Looks like we have a doc bug :-(

This is the procedure:

dsconf slapd-YOUR_INSTANCE config replace
nsslapd-rootpwstoragescheme=CRYPT-SHA512

dsconf slapd-YOUR_INSTANCE directory_manager password_change --> this
will prompt you for the new password

That should do it.

HTH,

Mark
Post by spike
# mkpasswd -m sha512crypt secret
$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/
# dsconf localhost config replace
nsslapd-rootpwstoragescheme=CRYPT-SHA512
nsslapd-rootpw="{crypt}$6$gOiCU3fNsdrH9.mR$fVxsLUf0JLS4wYdQa98VNy7mIy.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/"
selinux is disabled, will not relabel ports or files.
Successfully replaced "nsslapd-rootpwstoragescheme"
selinux is disabled, will not relabel ports or files.
Successfully replaced "nsslapd-rootpw"
# dsconf localhost config replace
nsslapd-rootpwstoragescheme=CRYPT-SHA512
nsslapd-rootpw="{CRYPT-SHA512}$6$gOiCU3fNsdrH9.mR$fVxs..."
and
# dsconf localhost config replace
nsslapd-rootpwstoragescheme=CRYPT-SHA512
nsslapd-rootpw="$6$gOiCU3fNsdrH9.mR$fVxs..."
which were also unsuccessful (login not possible).
Setting a `CRYPT-SHA512` password though the 389ds cockpit UI plugin
works fine though, so I'm pretty sure I'm just not getting the syntax
for `dsconf` correctly.
Any pointers are greatly appreciated.
Cheers!
_______________________________________________
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
https://pagure.io/fedora-infrastructure
--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastru
Chris Spike
2021-04-17 05:25:23 UTC
Permalink
Post by Mark Reynolds
dsconf slapd-YOUR_INSTANCE directory_manager password_change --> this
will prompt you for the new password
That did the trick, thanks a lot!

It also made me curious how the actual format for 'nsslapd-rootpw' was and it turns out I wasn't off with '{crypt}$6$...':

# dsconf localhost config get | grep rootpw
nsslapd-rootpw: {crypt}.mR.LkShcdNcJbAFPE.10PKJ7EFD4hB0C33znHyIjgPF67IxNVNKgkKDiuuxQq/
nsslapd-rootpwstoragescheme: CRYPT-SHA512

However, I noticed that the hash was not what I fed into dsconf. So it turns out that one _can_ set the rootpw through dsconf but it has to be in plain text:

# dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 nsslapd-rootpw="secret"
Successfully replaced "nsslapd-rootpwstoragescheme"
Successfully replaced "nsslapd-rootpw"
# dsconf localhost config get | grep rootpw
nsslapd-rootpw: {crypt}$6$bW$Gea8I1Xoi.zkkGWBvrIxIm41G3/90hX2L4H3hMt18js7VzkT14YNuNtY4Ueao181O/MfPuPn4TmyQFcGZIThI.
nsslapd-rootpwstoragescheme: CRYPT-SHA512

Since I'd like to change the password non-interactively this seems a bit easier than fiddling around with 'dsconf slapd-YOUR_INSTANCE directory_manager password_change' which doesn't seem to have an option to read the password from stdin?

I did some more research and switching from PBKDF2_SHA256 to CRYPT-SHA512 probably has no significant security benefit anyway so in the end this was a bit of an academic exercise. If someone has an opinion on that, I'd be interested to hear that though.

Thanks again Mark for your quick help.

Cheers!
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https:/

Loading...