Passwords in OpenLDAP are hashed with SSHA (salted SHA-1) by default.
To change this to salted SHA-512 via crypt(3), with a 16-byte salt:
olcPasswordHash: {CRYPT},{SSHA}
olcPasswordCryptSaltFormat: "$6$%.16s"
Or, if you want to increase the number of rounds:
olcPasswordHash: {CRYPT},{SSHA}
olcPasswordCryptSaltFormat: "$6$rounds=2000000$%.16s"
This will still accept already existing passwords that are hashed with SSHA; new or changed passwords will be hashed with SHA-512. The max. number of rounds is 9 999 999. Raising the rounds increases the time needed to compute one password hash, which makes brute-force attacks against the stored hashes correspondingly more expensive.
For this to work, the system's crypt(3) in the GNU C library has to support SHA-512:
– /etc/login.defs: ENCRYPT_METHOD SHA512
– man pam_unix (the man page should list the sha512 option)
OpenLDAP also has to be compiled with crypt support (--enable-crypt).
SHA-512 crypt passwords for LDAP can be generated with slappasswd (the -h option selects the {CRYPT} scheme; without it slappasswd falls back to its default {SSHA}, and -c supplies the same salt format as olcPasswordCryptSaltFormat):
slappasswd -h '{CRYPT}' -c '$6$%.16s'
Important things to note:
- OpenLDAP provides its own native SHA-2 password module that supports SHA-512, but that module has no way to set the number of rounds.
- OpenLDAP also provides a module for the key derivation function PBKDF2. Currently there are no reliable sources on the internet suggesting that PBKDF2 is more secure than salted SHA-512 with rounds.
- The next step up would be a key derivation function such as scrypt or Argon2, because they impose much higher memory requirements on an attacker.