3.7. Password hashes in the directory service
User password hashes are stored in the directory service in the
attribute. The crypt library function is used to hash passwords. The
actual hashing method can be configured via the Univention Configuration Registry Variable.
SHA-512 is used by default.
As an alternative, Univention Corporate Server (from UCS 4.4 erratum 887 on) offers the
option of using bcrypt as the hashing method for the passwords of user
accounts. To activate bcrypt support in OpenLDAP, the Univention Configuration Registry Variable
ldap/pw-bcrypt has to be set to
true on all LDAP servers.
Otherwise it is not possible to authenticate with a bcrypt hash as
password hash. Additionally, the Univention Configuration Registry Variable
has to be set to
true, again on all servers, to activate bcrypt as
the hashing method for setting or changing user passwords.
In addition, the bcrypt cost factor and the
bcrypt variant can be configured via the
Univention Configuration Registry Variables.
bcrypt is limited to a maximum of 72 characters, so only the first 72 characters of the password are used to generate the hash.
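As an added example (not part of the UCS documentation or of the product's own code), the following audit helper classifies stored hash strings by their crypt(3) prefix and reports the bcrypt variant and cost factor, so an administrator can verify that the settings described above actually took effect and that no account still carries a weak hash. It assumes the values are exported in OpenLDAP's `{crypt}` form; the sample entries are constructed filler, not real hashes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample values in the form OpenLDAP stores crypt(3) hashes
# ("{crypt}" prefix followed by the crypt string). Salts and digests are
# made-up filler, not hashes from any real directory.
SAMPLE_HASHES = {
    "alice": "{crypt}$6$saltsalt$" + "x" * 86,  # SHA-512 crypt (UCS default)
    "bob":   "{crypt}$2b$12$" + "y" * 53,       # bcrypt, variant 2b, cost 12
    "carol": "{crypt}$2a$04$" + "z" * 53,       # bcrypt with a very low cost
    "dave":  "{crypt}$1$saltsalt$" + "w" * 22,  # MD5 crypt, obsolete
}

# bcrypt strings look like $2b$12$<22 salt chars><31 digest chars>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")

@dataclass
class HashInfo:
    method: str
    variant: Optional[str] = None  # bcrypt prefix: 2a, 2b, 2y, ...
    cost: Optional[int] = None     # bcrypt cost factor (log2 of the rounds)

def parse_crypt_hash(value: str) -> HashInfo:
    """Classify one stored hash by its crypt(3) prefix."""
    if value.lower().startswith("{crypt}"):
        value = value[len("{crypt}"):]
    m = BCRYPT_RE.match(value)
    if m:
        return HashInfo("bcrypt", m.group(1), int(m.group(2)))
    for prefix, name in (("$6$", "sha512-crypt"), ("$5$", "sha256-crypt"),
                         ("$1$", "md5-crypt")):
        if value.startswith(prefix):
            return HashInfo(name)
    return HashInfo("unknown")

def audit(hashes: Dict[str, str], min_cost: int = 10,
          require_bcrypt: bool = False) -> Dict[str, str]:
    """Return {user: reason} for every entry that violates the policy.

    min_cost: lowest acceptable bcrypt cost factor.
    require_bcrypt: also flag non-bcrypt hashes, e.g. to check that every
    user has changed their password since bcrypt was activated.
    """
    findings = {}
    for user, value in hashes.items():
        info = parse_crypt_hash(value)
        if info.method == "bcrypt":
            if info.cost < min_cost:
                findings[user] = f"bcrypt cost {info.cost} below minimum {min_cost}"
        elif info.method in ("md5-crypt", "unknown"):
            findings[user] = f"weak or unrecognised hash method: {info.method}"
        elif require_bcrypt:
            findings[user] = f"still hashed with {info.method}, not bcrypt"
    return findings
```

Run `audit(SAMPLE_HASHES, require_bcrypt=True)` after enabling bcrypt to list accounts that have not yet been re-hashed; without that flag only low cost factors and obsolete methods are reported.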