
What is SSHA-512? How can OpenLDAP support it? [Resolved]

I have two OpenLDAP directory servers. One is a standard Zimbra OpenLDAP server. The accounts have passwords that use the SSHA-512 hash method.

When I copy these accounts to a standard OpenLDAP server with the sha2 module compiled and installed, only SHA-512 is supported.

I cannot successfully bind with accounts that have an SSHA-512 hash method. I can verify that the password is correct with an external LDAP browser, but I cannot bind. The message is always that the credentials are invalid: The authentication failed [LDAP: error code 49 - Invalid Credentials]

Is this a hash method specific to Zimbra OpenLDAP servers? Is this hash method created by the Zimbra community?

Why would the Zimbra community use a non-standard hash method?

Where can we find this SSHA-512 hash method, so we can add it to standard OpenLDAP servers?

On the OpenLDAP website it says: "OpenLDAP supports RFC 2307 passwords, including the {SHA}, {SSHA} and other schemes. Such passwords may be used as userPassword values and/or rootpw value. See (Xref) What are RFC 2307 hashed user passwords?. {SHA} and {SSHA} are RFC 2307 passwords schemes which use the SHA1 secure hash algorithm. The {SSHA} is the seeded variant. {SSHA} is recommended over other RFC 2307 schemes."

This information is not correct. I did create the slapd-sha2.so module as described, for example, here: https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2

But following these instructions gives SHA support only, not SSHA.


Question Credit: onknows
Asked March 13, 2019
Tags: openldap
Posted Under: Network
2 Answers

You need to tell OpenLDAP which scheme to use, in slapd.conf or the online configuration:

  • In slapd.conf it is the password-hash entry.
  • In the online configuration it is the olcPasswordHash entry in the top-level olcGlobal config object.

Set it to {SSHA}.


credit: user207421
Answered March 13, 2019

I know this is an old post, but I got here with a similar problem, and the solution was to load the module to support SSHA-2 algorithms. Include in the slapd.conf file the line:

moduleload pw-sha2.la

I hope this helps somebody ;-)


credit: Tommiie
Answered March 13, 2019
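The two answers above fit together: password-hash / olcPasswordHash only decides how slapd stores a password it is asked to set, while a simple bind is verified against whatever scheme prefix is already stored in userPassword, so an existing {SSHA512} value can only be checked once the pw-sha2 module that registers that checker is loaded. When no checker is registered for the prefix, slapd cannot compare at all and the client sees the same result code 49 as for a wrong password, which is exactly the symptom in the question. The following script is an added example, not code from this thread or from OpenLDAP; it assumes the layout the contrib slapd-sha2 module uses, base64(sha512(password || salt) || salt) for {SSHA512} and base64(sha512(password)) for {SHA512}, and an 8-byte salt when generating (the salt length in stored values varies, so the checker accepts any length).

```python
"""Added example (not from the thread or from OpenLDAP): build and verify
RFC 2307 {SSHA512} / {SHA512} userPassword values and mimic how a simple
bind reacts when the server has no checker for the stored scheme.
Assumed layout: base64( sha512(pw || salt) || salt ) for {SSHA512},
base64( sha512(pw) ) for {SHA512}."""
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # the code reported in the question


def scheme_of(stored: str) -> str:
    """Return the '{SCHEME}' prefix of a userPassword value, or '' if none."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1].upper()
    return ""


def make_sha512(password: str, salted: bool = True,
                salt: Optional[bytes] = None) -> str:
    """Hash a password into {SSHA512} (salted) or {SHA512} (unsalted) form.
    The 8-byte salt length is an assumption of this example."""
    pw = password.encode("utf-8")
    if not salted:
        return "{SHA512}" + base64.b64encode(hashlib.sha512(pw).digest()).decode("ascii")
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(pw + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def check_sha512(stored: str, password: str) -> bool:
    """Verify a {SHA512} or {SSHA512} value. Raises ValueError for any other
    scheme, which is the position a server without a loaded checker is in."""
    scheme = scheme_of(stored)
    if scheme not in ("{SHA512}", "{SSHA512}"):
        raise ValueError("no checker for scheme " + (scheme or "<none>"))
    raw = base64.b64decode(stored[len(scheme):], validate=True)
    pw = password.encode("utf-8")
    if scheme == "{SHA512}":
        return hmac.compare_digest(raw, hashlib.sha512(pw).digest())
    if len(raw) <= DIGEST_LEN:
        return False  # malformed: a salted value must carry salt bytes after the digest
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    # Constant-time comparison, as a password checker should use.
    return hmac.compare_digest(digest, hashlib.sha512(pw + salt).digest())


def simulate_bind(stored: str, password: str, loaded_schemes: set) -> int:
    """Mimic slapd's simple-bind decision: a stored scheme with no registered
    checker fails exactly like a wrong password, so the client only sees 49."""
    scheme = scheme_of(stored)
    if scheme not in loaded_schemes:
        return LDAP_INVALID_CREDENTIALS
    try:
        ok = check_sha512(stored, password)
    except ValueError:
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS


if __name__ == "__main__":
    # Constructed sample entry in the salted form the question describes.
    zimbra_style = make_sha512("correct horse battery", salted=True)
    print(zimbra_style)
    print("server with pw-sha2 loaded:",
          simulate_bind(zimbra_style, "correct horse battery", {"{SHA512}", "{SSHA512}"}))
    print("server knowing only {SHA512}:",
          simulate_bind(zimbra_style, "correct horse battery", {"{SHA512}"}))
```

Running it prints a fresh {SSHA512} value, then 0 for the server that has the salted checker and 49 for the one that does not. On a real slapd the equivalent of "loaded_schemes" is the set of modules in moduleload lines, so the fix for migrated {SSHA512} entries is the pw-sha2.la line from the second answer; setting password-hash to a scheme, as in the first answer, changes only what future password changes are stored as.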