[Freeipa-users] Password Attribute Syncing Support

Walter Meyer wgmeyer at gmail.com
Sun Mar 21 19:43:29 UTC 2010


Thanks for all of the tips. I am wondering what the best way to modify
the ldap (so I can change the password scheme) is. I tried getting the
389-console utility setup to connect but was unsuccessful. Should I
just use the command line ldap tools?

On Mar 19, 2010, at 4:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Walter Meyer wrote:
>> I will see if Salted SHA1 is supported and maybe Google hasn't
>> documented it yet. If not, the sync is done with the Google Servers
>> over SSL. And if only the Directory Manager can read the
>> userPassword attribute, would storing the userPassword attribute in
>> SHA1 be that insecure? What scenario could the passwords be
>> compromised if I went with this setup? Unless the Directory Manager
>> account was compromised wouldn't this be secure if all of the data
>> was being transmitted over SSL?
>> Also all logins to Google Apps are encrypted with SSL.
>
> Ok, the SSL usage makes me feel better. Using a weaker password
> encryption scheme isn't ideal but if you are protecting transmission
> of it you are probably ok. The risk is that if somehow the hash did
> get exposed it is relatively easier to crack it than a salted hash.
> Risk is something you'll need to weigh specific to your environment,
> this may be acceptable. It doesn't make my alarm bells go off but
> I'm a pretty laid back guy :-)
>
> In fact, this would be very cool if it worked. You might want to
> file an RFE with the nice folks at Google to see if they'll support
> salted hashes if they don't now and potentially move to a more
> secure environment later.
>
> As Simo pointed out you'll want to modify the default password
> encryption scheme before adding your users so you don't have to
> force round after round of password changes on them.
>
> If you decide to try it out let us know how it works.
>
> cheers
>
> rob
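The thread turns on the difference between an unsalted {SHA} userPassword and a salted {SSHA} one. The following is an added illustration, not code from the thread or from FreeIPA/389-ds: it builds both LDAP hash formats in pure Python (the standard {SHA}/{SSHA} layout: base64 of the SHA-1 digest, with the salt appended after the digest for {SSHA}), verifies a password against either, and shows the property Rob is pointing at. Every account with the same password gets the same {SHA} value, so one exposed hash can be matched against a precomputed table and against every other account at once, while {SSHA} values differ per user. The salt length of 8 bytes is an assumption for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 8  # assumed salt size for this example


def ldap_sha(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Same password -> same hash."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SHA} or {SSHA} userPassword value."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported password scheme: " + stored[:8])


def shared_password_groups(stored_hashes):
    """Defender-side audit: how many distinct stored values collide.

    With {SHA}, users sharing a password are visible directly from the hashes;
    with {SSHA}, the per-user salt hides that relationship.
    """
    counts = {}
    for h in stored_hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample: three users, two of them with the same password.
    passwords = ["password", "password", "s0meth1ng-else"]
    sha_values = [ldap_sha(p) for p in passwords]
    ssha_values = [ldap_ssha(p) for p in passwords]
    print("{SHA} collisions visible:", shared_password_groups(sha_values))
    print("{SSHA} collisions visible:", shared_password_groups(ssha_values))
    print("verify against SSHA:", verify("password", ssha_values[0]))
```

Run as-is to see that the unsalted list exposes one group of users sharing a password while the salted list exposes none; `verify` shows that the salt costs nothing on the authentication path, since it is recovered from the stored value.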
