Slapd SHA256 manager password
cimbalo opened this issue
I think slapd uses SHA1 for the manager password.
Check if we can force it to SHA256.
Related to modification made in commit f0684ce
Anyway, even salted SHA-2 suite hash functions are not considered good/safe for password storage. Since they are meant for signing/fingerprinting, their forward calculation is very fast.
Also, with cryptocurrencies using SHA-256, custom hardware whose only purpose is to generate SHA-256 hashes very efficiently and quickly is commonly available, and it's very easy and fast to generate rainbow tables.
Salted hashes seem to mitigate this, but it depends on the implementation and the number of rounds used.
It seems that password hashing algorithms have to be slow. Suggested algorithms are: scrypt, bcrypt, PBKDF2, Argon2.
Argon2 is probably the best and is implemented as a pluggable module in OpenLDAP 2.5.
Probably it can be compiled and backported to stable OpenLDAP 2.4.
Refs:
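As an added example (not part of the issue and not OpenLDAP code), the script below shows what a slapd-style `{SSHA256}` userPassword value actually is (base64 of digest || salt, the layout slapd uses for `{SSHA}` and, via the pw-sha2 module, `{SSHA256}`; confirm against your own server's output), a small scheme audit helper for `userPassword` values, and an iterated PBKDF2 verifier standing in for the slow algorithms the issue recommends (Argon2 is not in Python's standard library, so PBKDF2-SHA256 is used). The `{PBKDF2-SHA256}rounds$salt$hash` encoding, the demo salt and the round count are this example's own assumptions, not the pw-pbkdf2 module's format. `guess_cost_ratio` measures how much more each verification, and therefore each attacker guess, costs with the iterated scheme than with a single salted SHA-256.

```python
import base64
import hashlib
import hmac
import time

# Constructed 8-byte salt so the example is reproducible; slapd generates
# a random salt per entry in real deployments.
DEMO_SALT = bytes.fromhex("0102030405060708")
# Work factor for the PBKDF2 stand-in: an assumption for this example,
# tune it for your own hardware.
PBKDF2_ROUNDS = 100_000


def scheme_of(user_password: str) -> str:
    """Return the RFC 2307 style scheme prefix ({SSHA}, {SSHA256}, ...)
    or '' when the value is stored in cleartext. Useful for auditing
    which hash scheme entries in a directory export actually use."""
    if user_password.startswith("{") and "}" in user_password:
        return user_password[: user_password.index("}") + 1]
    return ""


def make_ssha256(password: bytes, salt: bytes = DEMO_SALT) -> str:
    """Salted SHA-256 in the assumed slapd layout:
    base64(SHA256(password || salt) || salt). One hash call per guess."""
    digest = hashlib.sha256(password + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(stored: str, candidate: bytes) -> bool:
    if scheme_of(stored) != "{SSHA256}":
        return False
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]  # SHA-256 digest is 32 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha256(candidate + salt).digest(), digest)


def make_pbkdf2_sha256(password: bytes, salt: bytes = DEMO_SALT,
                       rounds: int = PBKDF2_ROUNDS) -> str:
    """Iterated verifier. The encoding is this example's own
    ({PBKDF2-SHA256}rounds$b64salt$b64hash), not pw-pbkdf2's format."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return "{PBKDF2-SHA256}%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_pbkdf2_sha256(stored: str, candidate: bytes) -> bool:
    if scheme_of(stored) != "{PBKDF2-SHA256}":
        return False
    rounds_s, salt_b64, dk_b64 = stored[len("{PBKDF2-SHA256}"):].split("$")
    got = hashlib.pbkdf2_hmac("sha256", candidate,
                              base64.b64decode(salt_b64), int(rounds_s))
    return hmac.compare_digest(got, base64.b64decode(dk_b64))


def guess_cost_ratio(password: bytes = b"correct horse", samples: int = 200) -> float:
    """How many times more expensive one PBKDF2 verification is than one
    salted SHA-256 verification. The same factor multiplies the cost of
    every guess an offline attacker has to test."""
    ssha = make_ssha256(password)
    pb = make_pbkdf2_sha256(password)
    t0 = time.perf_counter()
    for _ in range(samples):
        verify_ssha256(ssha, password)
    fast = max((time.perf_counter() - t0) / samples, 1e-9)
    t0 = time.perf_counter()
    verify_pbkdf2_sha256(pb, password)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    # Constructed sample userPassword values, including one cleartext entry.
    for value in (make_ssha256(b"secret"), make_pbkdf2_sha256(b"secret"), "secret"):
        print("%-16s %s" % (scheme_of(value) or "<cleartext>", value[:48]))
    print("PBKDF2 check costs about %.0fx a salted SHA-256 check" % guess_cost_ratio())
```

The ratio printed at the end is the practical point of the issue: the salt defeats precomputed tables, but only the iteration count (or Argon2's memory cost) raises the per-guess price for an attacker with fast SHA-256 hardware.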