Password storage schemes, Caution, Table 3.3. password storage plugins – Red Hat 8.1 User Manual

3.1.25. Password Storage Schemes
The cn=Password Storage Schemes entry is a container entry, not a plug-in entry itself. All of the
plug-ins used for encryption are stored under this entry. The supported schemes change as new
encryption methods are added; to view the complete and current list, list the entries under
cn=Password Storage Schemes,cn=plugins,cn=config:
/usr/lib/mozldap/ldapsearch -D "cn=directory manager" -w secret12 -p 389 \
    -b "cn=Password Storage Schemes,cn=plugins,cn=config" -s sub "(objectclass=*)"
The different password storage scheme plug-ins are stored in entries named in the format:
cn=Storage Scheme Name Plugin,cn=Password Storage Schemes,cn=plugins,cn=config
For more information on using the different password storage schemes, see the "User Account
Management" chapter in the Directory Server Administrator's Guide.
CAUTION
Do not modify the configuration of the password scheme plug-ins. Red Hat recommends leaving
these plug-ins running at all times.
Table 3.3. Password Storage Plugins

Storage Scheme Name   Usage Notes
CLEAR                 This encryption method is required for using SASL.
CRYPT                 This storage scheme is not very secure and is included only for
                      compatibility with legacy servers and to allow migration.
DES                   This encryption scheme is used only for reversible encryption and
                      is available for certain plug-ins; this is not intended for
                      password storage.
MD5                   This storage scheme is not very secure and is included only for
                      compatibility with legacy servers and to allow migration.
NS-MTA-MD5            The NS-MTA-MD5 password storage scheme cannot be used to encrypt
                      passwords. The storage scheme is still present for backward
                      compatibility for any entries stored in the directory with
                      passwords encrypted with the NS-MTA-MD5 password storage scheme.
SHA                   If there are no passwords encrypted using the SHA password storage
                      scheme, this plug-in can be turned off. Instead of encrypting
                      passwords with the SHA password storage scheme, Red Hat recommends
                      choosing SSHA because it is more secure.
SHA256                Use SHA256 or higher to encrypt passwords because these are
                      stronger encryption schemes.
SHA384                This storage scheme is recommended for password storage because
                      of its strength.
SHA512                This storage scheme is recommended for password storage because
                      of its strength.
SSHA                  This is recommended instead of SHA because it is a stronger
                      encryption scheme. However, Red Hat recommends using at least the
                      SSHA256 storage scheme or higher because these are stronger
                      schemes.
SSHA256               Use SSHA256 or higher to encrypt passwords because these are
                      stronger encryption schemes.
SSHA384               This storage scheme is recommended for password storage because
                      of its strength.
SSHA512               This storage scheme is recommended for password storage because
                      of its strength.
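The usage notes in Table 3.3 can be turned into a migration audit. The following is an added example, not part of the Red Hat manual: it reads an LDIF export and groups each userPassword value by the scheme named in its {SCHEME} prefix. The function names, the bucket labels, the sample entries and the treatment of unprefixed values as cleartext are assumptions of this example.

```python
import base64
import re
from collections import defaultdict

# Buckets paraphrase Table 3.3; the bucket names are this example's own.
RECOMMENDED = {"SHA256", "SHA384", "SHA512", "SSHA256", "SSHA384", "SSHA512"}
LEGACY = {"CRYPT", "MD5", "NS-MTA-MD5", "SHA"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def bucket(scheme):
    if scheme in RECOMMENDED:
        return "recommended"
    if scheme in LEGACY:
        return "legacy"
    # The table prefers SSHA256 or higher over SSHA; CLEAR, DES and unknown prefixes go to review.
    return "prefer-ssha256-or-higher" if scheme == "SSHA" else "review"

def ldif_value(line):
    """Return an LDIF line's value, decoding the 'attr:: <base64>' form."""
    rest = line.partition(":")[2]
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return rest.strip()

def audit(ldif):
    """Map bucket -> [(dn, scheme)] for every userPassword value in LDIF text."""
    report, dn = defaultdict(list), None
    # A line starting with one space continues the previous line, so unfold first.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        attr = line.partition(":")[0].lower()
        if attr == "dn":
            dn = ldif_value(line)
        elif attr == "userpassword":
            m = SCHEME_RE.match(ldif_value(line))
            # Assumption: a value with no {SCHEME} prefix is stored in the clear.
            scheme = m.group(1).upper() if m else "CLEAR"
            report[bucket(scheme)].append((dn, scheme))
    return dict(report)

# Constructed sample; the hash bodies are placeholders, not real digests.
B64_SHA = base64.b64encode(b"{SHA}Y29uc3RydWN0ZWQ=").decode()
SAMPLE = f"""dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {{SSHA512}}Y29uc3RydWN0ZWQ=

dn: uid=bob,ou=People,dc=example,dc=com
userPassword:: {B64_SHA}

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: {{ssha}}Y29uc3Ry
 dWN0ZWQ=
"""
```

Calling audit(SAMPLE) puts alice under "recommended", bob (a base64-encoded {SHA} value) under "legacy" and carol (a folded {ssha} line) under "prefer-ssha256-or-higher".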
Red Hat Directory Server 8.1 Configuration and Command Reference