Increasing security of OpenLDAP password hashing

I’ve been trying to figure out how to change the password hashing method of OpenLDAP from SHA to something stronger (specifically SHA-2). After spending hours trying to custom compile it with a special overlay, I found out how to use the Unix crypt scheme ({CRYPT}) instead. Of course, the instructions I found were for slapd.conf, not for the cn=config (OLC) layout.
It’s pretty straightforward: just add the following two lines to slapd.d/cn=config/olcDatabase={-1}frontend.ldif

olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: "$6$%.12s"

Here $6$ selects the SHA-512 variant of crypt(3), and %.12s is a printf-style format that passes at most 12 characters of the random salt to it. Note that slapd only reads hand-edited files under slapd.d when it starts, and the CRC32 checksum in the file header will no longer match after the edit (slapd logs a checksum warning); applying the same two attributes with ldapmodify against cn=config avoids both issues. This will of course break all of your passwords, so be careful.
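After the change, passwords set through slapd are stored as {CRYPT}$6$salt$hash, while entries whose passwords were never re-set still carry the {SHA} digest that was written earlier. The script below is an added example, not code from the post: it classifies userPassword values as ldapsearch prints them (base64-encoded and line-folded) and flags the entries still carrying legacy hashes. The DNs, salts and hash bodies in SAMPLE are constructed placeholders.

```python
import base64

# slapd stores hashes as "{SCHEME}value"; for {CRYPT} the value is crypt(3) modular
# format "$id$salt$hash", so "$6$%.12s" yields id 6 (SHA-512) and a 12-char salt.
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
# Labels worth re-setting: fast or unsalted digests, DES/MD5 crypt, cleartext.
LEGACY = {"SHA", "SSHA", "MD5", "SMD5", "CRYPT/des", "CRYPT/md5-crypt", "cleartext"}

def classify(userpassword: str) -> str:
    """Label a userPassword value: 'SHA', 'CRYPT/sha512-crypt', 'cleartext', ..."""
    scheme, sep, value = userpassword.partition("}")
    if not sep or not scheme.startswith("{"):
        return "cleartext"  # no {scheme} prefix: slapd compares the raw value
    scheme = scheme[1:].upper()
    if scheme != "CRYPT":
        return scheme
    parts = value.split("$")  # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) < 4 or parts[1] not in CRYPT_IDS:
        return "CRYPT/des"  # traditional 13-character DES crypt has no "$id$"
    label = "CRYPT/" + CRYPT_IDS[parts[1]]
    salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
    if parts[1] in ("5", "6") and len(salt) < 12:
        label += "/short-salt"  # shorter than the 12 chars "%.12s" produces
    return label

def audit(ldif_text: str) -> dict:
    """Map each DN in ldapsearch LDIF output to the label of its userPassword."""
    result, dn = {}, None
    # LDIF folds long values: a newline followed by one space is a continuation.
    for line in ldif_text.replace("\n ", "").splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # "::" marks a base64 value
            result[dn] = classify(base64.b64decode(line[15:]).decode())
    return result

# Constructed sample (placeholder DNs and hashes): only alice was re-set after the change.
SAMPLE = {"uid=alice,ou=people,dc=example,dc=com": "{CRYPT}$6$Ab3dEf9hIjKl$" + "x" * 86,
          "uid=bob,ou=people,dc=example,dc=com": "{SHA}" + "A" * 28,
          "uid=carol,ou=people,dc=example,dc=com": "{SSHA}" + "B" * 40}

def sample_ldif() -> str:
    """Render SAMPLE as ldapsearch prints it: base64 userPassword folded at 76 columns."""
    out = []
    for dn, pw in SAMPLE.items():
        line = "userPassword:: " + base64.b64encode(pw.encode()).decode()
        line = line[:76] + "".join("\n " + line[i:i + 75] for i in range(76, len(line), 75))
        out.append(f"dn: {dn}\n{line}\n")
    return "\n".join(out)
```

Run it against real output with `ldapsearch -LLL -b "ou=people,dc=example,dc=com" userPassword` piped into audit(); any DN whose label is in LEGACY still needs its password re-set before it is stored with the new scheme.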
