How to use SHA-256 hashed (and salted) passwords from OpenLDAP in pam_ldap?

I have hashed and salted passwords in OpenLDAP for login via PAM in Linux. The setup works when the hashes are of type SHA-1 (salted or unsalted) or plain text. In these cases everything works fine and a user can login with these credentials.

If I switch to salted SHA-256 (SSHA-256) passwords, then the user can't login with the correct password. Probably pam_ldap does not understand SHA-256? I can't find any documentation stating this restriction, but also can't find configuration examples showing that it is possible.

What do I have to do? Configure/compile pam_ldap for SHA-256? Use something else than PAM?

I am forced to use salted SHA-256 as the credentials are already present in another (leading) datastore and have to be synchronized to OpenLDAP.

Solution 1:

see CRYPT function ? https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html

OpenLDAP pass-through authentication

OpenLDAP can also use external processes to verify and hash passwords. These schemes are:

CRYPT - will use the OS’ crypt library as a password handler SASL - will use Cyrus SASL as a password handler Cyrus SASL was last updated in 2012, but CRYPT is a part of the POSIX API and should be continuously updated. So - can CRYPT give us an up-to-date hash?

Crypt to the rescue

It turns out that Linux based glibc version of crypt support additional encryption schemes through an additional versioning scheme encoded in the password hash sometimes called the modular crypt format:

1 - MD5 2a - Blowfish / bcrypt 5 - SHA-256 6 - SHA-512