
In OpenLDAP documentation I can find information that it supports the following encryption schemes: MD5, SMD5, SHA and SSHA.

From these schemes the most secure is SSHA (SHA-1 with salt), but it still uses SHA-1, which has been compromised and can be cracked using tools like John the Ripper or Cain and Abel - How to crack password hashed using SSHA?

Is it possible to configure LDAP in another way? Should I use LDAP? Is it secure if I use a salt that is at least eight octets (64 bits) long, according to http://www.ietf.org/rfc/rfc2898.txt?

user187205
  • https://auth0.com/blog/sha-1-collision-attack/ – user187205 Feb 07 '18 at 17:23
  • https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html – user187205 Feb 07 '18 at 17:23
  • Those are not encryption schemes they're password hashes, and they're all terrible. I found [this](https://github.com/hamano/openldap-pbkdf2) and [this](https://github.com/wclarie/openldap-bcrypt) with a quick search. PBKDF2 appears to have been added to the project's [source](https://github.com/winlibs/openldap/tree/master/contrib/slapd-modules/passwd/pbkdf2) as a module. – AndrolGenhald Feb 07 '18 at 17:32
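As an added example (not code from the question, the comments, or the OpenLDAP project), the Python below reproduces the {SSHA} layout the question is about, base64 of the SHA-1 digest followed by the salt, and sets it beside an iterated PBKDF2-HMAC-SHA256 hash of the kind the last comment's contrib module provides. The `{PBKDF2-SHA256-EXAMPLE}` tag and its `iterations$salt$key` layout are this example's own, not the module's encoding; the salt values, the eight-octet salt length taken from the question, and the iteration count are all chosen here.

```python
"""Contrast OpenLDAP's {SSHA} scheme with an iterated PBKDF2 hash.

Added example: it reproduces the {SSHA} layout (base64 of the SHA-1 digest
followed by the salt) and uses hashlib's PBKDF2 for comparison. The PBKDF2
string layout below is this example's own, not the OpenLDAP contrib module's.
"""
import base64
import hashlib
import hmac
import os
import time

SHA1_LEN = 20   # bytes in a SHA-1 digest; whatever follows it in {SSHA} is the salt
SALT_LEN = 8    # eight octets, the minimum the question cites from RFC 2898
PBKDF2_TAG = "{PBKDF2-SHA256-EXAMPLE}"  # hypothetical tag used only by this example


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Encode a password as OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a password against a {SSHA} value; the salt length is implicit."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def ssha_salt_length(stored: str) -> int:
    """Salt length recovered from a {SSHA} value: everything after the digest."""
    return len(base64.b64decode(stored[len("{SSHA}"):])) - SHA1_LEN


def pbkdf2_hash(password: bytes, salt: bytes, iterations: int) -> str:
    """Iterated PBKDF2-HMAC-SHA256 in this example's own 'iter$b64salt$b64key' layout."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return "%s%d$%s$%s" % (
        PBKDF2_TAG,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def pbkdf2_verify(password: bytes, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count and compare."""
    if not stored.startswith(PBKDF2_TAG):
        return False
    iters, salt_b64, dk_b64 = stored[len(PBKDF2_TAG):].split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def verification_cost_ratio(iterations: int = 100_000, trials: int = 200) -> float:
    """How many times more work one PBKDF2 verification costs than one SSHA verification.

    The salt (of any length) only defeats precomputed tables; it does not change
    this ratio. The iteration count is what makes each check of a leaked hash slow.
    """
    salt = os.urandom(SALT_LEN)
    t0 = time.perf_counter()
    for i in range(trials):
        hashlib.sha1(b"candidate%d" % i + salt).digest()
    ssha_each = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations)
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / ssha_each


if __name__ == "__main__":
    pw = b"correct horse battery staple"          # constructed sample password
    stored_ssha = ssha_hash(pw, os.urandom(SALT_LEN))
    stored_pbkdf2 = pbkdf2_hash(pw, os.urandom(16), 100_000)
    print(stored_ssha, ssha_verify(pw, stored_ssha), ssha_salt_length(stored_ssha))
    print(stored_pbkdf2, pbkdf2_verify(pw, stored_pbkdf2))
    print("one PBKDF2 verification costs about %.0fx one SSHA verification"
          % verification_cost_ratio())
```

Running it prints both stored forms and the measured cost ratio; the point to take from the ratio is that lengthening the {SSHA} salt, as the question proposes, leaves each SHA-1 check as cheap as before, whereas the PBKDF2 iteration count is a tunable cost per check.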

0 Answers