Ralf Spenneberg wrote: > Actually I just upgrade the system from centos7 to almalinux9 using > elevate. Essentially this is similar to a copy of the /etc/dirsrv and > /var/lib/dirsrv directories and started the new ldapserver. > Directly afterwards I was not able to login using the cn=Directory > Manager. I checked the hashed password in the dse.ldif file (cn=config) > using pwdhash. It was ok. > Once I changed the password of the directory manager in the dse.ldif > file after stopping the 389ds using PBKDF2-SHA512 hash, the Directory > Manager was able to login. Other users required a reset of their > password as well for successful login. But since I do not have access to > all passwords I would rather reuse the old tree. > The nsslapd-allow-hashed-passwords is set to on. > Therefore I doubt that I have double hashed passwords. For the case of > the Directory Manager I am positive. > And yes, dsconf lists SSHA in my case as well. Any ideas why this is not > working? > > My passwordpolicy is quite open: > Global Password Policy: cn=config > ------------------------------------ > nsslapd-pwpolicy-local: off > passwordstoragescheme: SSHA512 > passwordchange: on > passwordmustchange: off > passwordhistory: off > passwordinhistory: 6 > passwordadmindn: > passwordtrackupdatetime: off > passwordwarning: 86400 > passwordisglobalpolicy: off > passwordexp: off > passwordmaxage: 8640000 > passwordminage: 0 > passwordgracelimit: 0 > passwordsendexpiringtime: off > passwordlockout: off > passwordunlock: on > passwordlockoutduration: 3600 > passwordmaxfailure: 3 > passwordresetfailurecount: 600 > passwordchecksyntax: off > passwordminlength: 8 > passwordmindigits: 0 > passwordminalphas: 0 > passwordminuppers: 0 > passwordminlowers: 0 > passwordminspecials: 0 > passwordmin8bit: 0 > passwordmaxrepeats: 0 > passwordmincategories: 3 > passwordmintokenlength: 3 > nsslapd-allow-hashed-passwords: on > nsslapd-pwpolicy-inherit-global: off > > Kind regards, > Ralf
nsslapd-allow-hashed-passwords controls whether pre-hashed passwords are allowed on a password change. It has nothing to do with stored hashed passwords. How many users are we looking at? rob > > > Am Mi., 3. Juli 2024 um 10:42 Uhr schrieb Viktor Ashirov > <vashi...@redhat.com <mailto:vashi...@redhat.com>>: > > Hi Ralf, > > > On Tue, Jul 2, 2024 at 2:29 PM Ralf Spenneberg > <rspenneb...@gmail.com <mailto:rspenneb...@gmail.com>> wrote: > > Hi there, > I am trying to update a ldap tree from 389ds 1.3.11 (centos7) to > 2.4.5 (almalinux9). After migrating the tree all passwords stop > working including the Directory Manager. The old tree used SSHA. > Setting the rootpwstoragescheme does not help for the Directory > Manager. Only manually resetting the passwords using pwdhash in > the dse.ldif file and using a PBKDF2-SHA512 password works. Is > there a way to enable the old SSHA scheme? > > SSHA is still supported in the latest 389-DS: > # dsconf localhost pwpolicy list-schemes | grep SSHA > SSHA > SSHA256 > SSHA384 > SSHA512 > > How did you perform the migration? Via replication or export/import? > What is the value of nsslapd-allow-hashed-passwords in cn=config? > I suspect that your passwords after the migration might be doubly > hashed instead of imported as is. > > > Kind regards, > Ralf > -- > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > <mailto:389-users@lists.fedoraproject.org> > To unsubscribe send an email to > 389-users-le...@lists.fedoraproject.org > <mailto:389-users-le...@lists.fedoraproject.org> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > > > > -- > Viktor > -- > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > <mailto:389-users@lists.fedoraproject.org> > To unsubscribe send an email to > 389-users-le...@lists.fedoraproject.org > <mailto:389-users-le...@lists.fedoraproject.org> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > > -- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
