Excellent, thank you very much, William!
But know that I've read that, I think I'll want to start with the
underscore-implementation. That should result in ldifs from my DS 2.1
which I could, if needed, use with my DS 1.4 instance. This isn't a
long-term setting, just a migration step until we turn off 1.4. At that
time, we'll step 2.1 up to SHA512 and duck the whole -/_ thing.
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 1/11/2024 3:36 PM, William Brown wrote:
On 12 Jan 2024, at 10:19, John Thurston <john.thurs...@alaska.gov> wrote:
We've moving from DS 1.4 --> DS 2.1
With DS 1.4, we have our password hashing set to PBKDF2_SHA256. Our DS 2.1
defaults to PBKDF2-SHA512.
During the cutover phase, I want to set the 2.1 instances back to SHA256. We'd
then advance the storage scheme to SHA512 when we were ready to sever our links
to the past.
Through the cockpit-interface, I may choose among:
• PBKDF2-SHA1
• PBKDF2-SHA256
• PBKDF2-SHA512
• PBKDF2_SHA256
Are the two SHA256 choices the same? Is there some significance I'm missing in the "_"
and the "-" characters?
https://fy.blackhats.net.au/blog/2022-11-25-why-are-pbkdf2-sha256-and-pbkdf2-sha256-different-in-389-ds/
tl;dr Use PBKDF2-SHA256. (hyphen, not underscore).
--
Sincerely,
William Brown
Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
--
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
