
3.7. Password hashes in the directory service

User password hashes are stored in the userPassword attribute of the directory service. Passwords are hashed with the crypt library function; the hashing method is configured via the Univention Configuration Registry Variable password/hashing/method and defaults to SHA-512.

As an alternative, Univention Corporate Server (from version UCS 4.4 erratum 887 on) offers bcrypt as the hashing method for user account passwords. Two settings are involved. To let OpenLDAP verify bcrypt hashes at all, the Univention Configuration Registry Variable ldap/pw-bcrypt has to be set to true on all LDAP servers; otherwise authentication against a bcrypt password hash fails. To actually produce bcrypt hashes when a user password is set or changed, the Univention Configuration Registry Variable password/hashing/bcrypt has to be set to true, again on all servers. Note that the hashing method only takes effect when a password is set or changed: existing SHA-512 hashes remain in the directory until the respective user's password is changed.

In addition, the bcrypt cost factor and the bcrypt variant can be configured via the Univention Configuration Registry Variables password/hashing/bcrypt/cost_factor (default 12) and password/hashing/bcrypt/prefix (default 2b).

Caution

bcrypt only processes the first 72 bytes of a password, so only those bytes contribute to the hash; any input beyond that is silently ignored and does not have to match during authentication. For ASCII passwords this is 72 characters; for passwords containing multi-byte UTF-8 characters the limit is reached after fewer characters.
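As an added example (not Univention code), the following Python script audits a userPassword LDIF export, such as one produced with univention-ldapsearch, for the two points made above: which accounts still carry SHA-512 crypt hashes after bcrypt has been enabled (they keep them until their next password change), which bcrypt hashes use a cost factor below the configured one, and which bytes of a password bcrypt actually covers. The sample LDIF is constructed and its hash bodies are filler, not real hashes; the univention-ldapsearch invocation in the comments is an assumption about how the export is produced.

```python
"""Audit userPassword hashes exported from the UCS OpenLDAP as LDIF.

Added illustration, not Univention code. Assumed preceding steps on every
LDAP server:
    ucr set ldap/pw-bcrypt=true password/hashing/bcrypt=true
and an export along the lines of
    univention-ldapsearch -LLL '(uid=*)' dn userPassword > users.ldif
run with read access to the password hashes.
"""
import base64
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

BCRYPT_MAX_BYTES = 72  # bcrypt covers only the first 72 bytes of the secret

# crypt(3) scheme identifiers as they appear after the {crypt} prefix
CRYPT_SCHEMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}
# bcrypt: $<variant>$<cost>$<22 salt + 31 hash chars>
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$")


@dataclass
class HashInfo:
    dn: str
    scheme: str                   # "sha512", "bcrypt", "md5", ... or "unknown"
    cost: Optional[int] = None    # bcrypt cost factor, None for other schemes
    prefix: Optional[str] = None  # bcrypt variant ("2a", "2b", "2y"), else None


def classify(dn: str, value: str) -> HashInfo:
    """Identify the hashing scheme of one userPassword value."""
    if not value.startswith("{crypt}"):
        return HashInfo(dn, "unknown")
    body = value[len("{crypt}"):]
    m = BCRYPT_RE.match(body)
    if m:
        return HashInfo(dn, "bcrypt", cost=int(m.group(2)), prefix=m.group(1))
    for ident, name in CRYPT_SCHEMES.items():
        if body.startswith(ident):
            return HashInfo(dn, name)
    return HashInfo(dn, "unknown")


def _unfold(text: str) -> list:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (dn, userPassword) pairs; handles ':' and base64 '::' forms."""
    dn = None
    for line in _unfold(text):
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            yield dn, base64.b64decode(line[15:].strip()).decode()
        elif line.startswith("userPassword: ") and dn:
            yield dn, line[14:].strip()


def audit(text: str, expected_cost: int = 12) -> dict:
    """Summarise schemes and flag accounts needing a password change."""
    infos = [classify(dn, v) for dn, v in parse_ldif(text)]
    return {
        "by_scheme": dict(Counter(i.scheme for i in infos)),
        "not_bcrypt": [i.dn for i in infos if i.scheme != "bcrypt"],
        "weak_bcrypt": [i.dn for i in infos
                        if i.scheme == "bcrypt" and i.cost < expected_cost],
    }


def bcrypt_effective_secret(password: str) -> bytes:
    """Return the bytes bcrypt actually hashes: UTF-8, cut at 72 bytes."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample export; hash bodies are filler, not real hashes.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,cn=users,dc=example,dc=com",
    "userPassword: {crypt}$6$saltsaltsaltsalt$" + "A" * 40,
    " " + "A" * 46,  # LDIF folds long values onto a continuation line
    "",
    "dn: uid=bob,cn=users,dc=example,dc=com",
    "userPassword:: " + _b64("{crypt}$2b$12$" + "B" * 53),  # base64 form
    "",
    "dn: uid=carol,cn=users,dc=example,dc=com",
    "userPassword: {crypt}$2a$10$" + "C" * 53,  # cost 10: below default 12
    "",
    "dn: uid=dave,cn=users,dc=example,dc=com",
    "userPassword: {SSHA}" + "D" * 32,  # not a crypt hash at all
])

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
    print(len(bcrypt_effective_secret("ä" * 40)), "bytes hashed of 40 chars")
```

Accounts listed under not_bcrypt keep their old hash until the user changes the password, so the audit is the way to tell whether a bcrypt rollout is actually complete; weak_bcrypt catches hashes created before password/hashing/bcrypt/cost_factor was raised. bcrypt_effective_secret makes the 72-byte limit concrete: 40 two-byte characters are cut to 36.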