NetApp Knowledge Base

Does ONTAP support LDAP authentication using SHA2 hashes?

Category: ontap-9
Specialty: nas
Applies to

  • ONTAP 9

Answer

When LDAP-based authentication is used for admin users, ONTAP retrieves the user's hashed password from the LDAP server and compares the supplied password against it.


ONTAP currently supports hashes presented in the following formats:

  • SHA1 hash, e.g. {SHA}Ib0S3Bg/dA7nbye3jrOcitlyp1c=
  • SHA1 hash with salt, e.g. {SSHA}6kjRsXW28j3tI9QgAyqQZqMk5JF9baJA
  • Unix /etc/shadow format, e.g. {CRYPT}337wv58eeI9vU

In the last example, the value carries a "{CRYPT}" prefix and the remainder of the string ("337wv58eeI9vU") is exactly what would be found in /etc/shadow on, for example, a Linux system.

ONTAP supports SHA2 passwords in the form stored in Linux /etc/shadow files, e.g.

  • SHA256 without salt: {CRYPT}$5$$6G6fqh7JbmWoA0UDAV4a9AWvIITTJX3z13yUnMs2/S9
  • SHA256 with salt: {CRYPT}$5$D8I8YSb5qp1JuR/M$WU3tC8sJEplhzjPdAGomBIEnWNIEAMlvWhx1UhbIXw
  • SHA512 without salt: {CRYPT}$6$$VCSoGjn22d.ifTNEaijGbMMSqajTedh/HYPnOkuj0ky3sAiCCIx.rMZj8d20v2qil5zCOZF21zmm959VQVcEl0
  • SHA512 with salt: {CRYPT}$6$rJx0V8y2xj6CsMiL$gu.wruOPQV/Dw0PI4CQv1gCwRbN/.2cKszer2mPX3td5x9qf.l9s.i6MVEmhOLdi/JmRVMMQ0

In the values above, the 5 or 6 between the first pair of dollar signs indicates SHA256 or SHA512 respectively, and the salt sits between the second and third dollar signs; an empty salt field, as in "$5$$" or "$6$$", marks an unsalted hash.

The hash can be generated by any program that can output a value suitable for /etc/shadow.
The following Python 3 session, run on a Linux system, uses the local crypt(3) function to do so:

% python3
Python 3.6.8 (default, Apr 25 2019, 21:02:35)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import crypt, getpass
>>> passwd = getpass.getpass("Please enter password: ")
Please enter password:
>>> salt = crypt.mksalt(crypt.METHOD_SHA512)
>>> salted_hash = "{CRYPT}" + crypt.crypt(passwd, salt)
>>> print(salted_hash)
{CRYPT}$6$up5Ai00M1VGaFK6q$4yFNK.YUszogLFS.7IDiAW70RLC7BufwYhLEhPxTSSMRTJa2gFkWjhWBLvsdUGniYkTMmPmBu5SX4Y7tF7lys0
>>> unsalted_hash = "{CRYPT}" + crypt.crypt(passwd, "$6$")
>>> print(unsalted_hash)
{CRYPT}$6$$VCSoGjn22d.ifTNEaijGbMMSqajTedh/HYPnOkuj0ky3sAiCCIx.rMZj8d20v2qil5zCOZF21zmm959VQVcEl0


Note: Starting with ONTAP 9.7P9, ONTAP also supports LDAP hashed values with prefixes such as {SHA512} or {SSHA512}.
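
The session above relies on Python's crypt module, which was deprecated in Python 3.11 and removed in 3.13, and on a libc that implements SHA-crypt, so it cannot be reproduced on every administrator workstation. The following is an added example, not NetApp's code and not part of this article, that generates, parses and verifies every format listed on this page in pure Python: {SHA} and {SSHA}, the {SHA512}/{SSHA512} prefixes from the 9.7P9 note (assumed to use the same base64(digest + salt) layout as {SHA}/{SSHA}), and {CRYPT} values with $5$/$6$, computed by an implementation of the public "Unix crypt using SHA-256 and SHA-512" specification that glibc's crypt(3) follows. The function names (sha_crypt, parse_ldap_password, verify_ldap_password, make_ldap_value) and the sample password are my own constructions; the {CRYPT} samples fed to the parser are the ones printed above.

```python
# Added example (not NetApp's code): parse, verify and generate the LDAP
# userPassword formats described above without calling crypt(3). The $5$/$6$
# routine implements the public SHA-crypt specification that glibc follows;
# {SHA*}/{SSHA*} values are assumed to be base64(digest [+ salt]), the usual LDAP layout.
import base64
import hashlib
import secrets
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX, SALT_MAX = 5000, 1000, 999_999_999, 16
DIGEST_SCHEMES = {"SHA": "sha1", "SSHA": "sha1", "SHA512": "sha512", "SSHA512": "sha512"}


def _b64_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: n characters from a 24-bit word, low 6 bits first."""
    w, out = (b2 << 16) | (b1 << 8) | b0, ""
    for _ in range(n):
        out, w = out + ITOA64[w & 0x3F], w >> 6
    return out


def _encode(digest, is_512):
    """Byte permutation prescribed by the spec, followed by crypt base64."""
    span, out = (21 if is_512 else 10), ""
    for j in range(span):
        t = (j, j + span, j + 2 * span)
        r = j % 3 if is_512 else -j % 3          # rotation order differs per variant
        b2, b1, b0 = t[r:] + t[:r]
        out += _b64_24bit(digest[b2], digest[b1], digest[b0], 4)
    return out + (_b64_24bit(0, 0, digest[63], 2) if is_512
                  else _b64_24bit(0, digest[31], digest[30], 3))


def sha_crypt(password, setting):
    """crypt(3) output for setting "$5$[rounds=N$]salt" or "$6$[rounds=N$]salt"."""
    is_512 = setting.startswith("$6$")
    H, blk = (hashlib.sha512, 64) if is_512 else (hashlib.sha256, 32)
    rest, rounds, custom = setting[3:], ROUNDS_DEFAULT, False
    if rest.startswith("rounds="):
        spec, _, rest = rest.partition("$")
        rounds, custom = min(max(int(spec[7:]), ROUNDS_MIN), ROUNDS_MAX), True
    salt = rest.split("$")[0][:SALT_MAX].encode()  # "$6$$..." yields an empty salt
    pw = password.encode()
    n = len(pw)
    B = H(pw + salt + pw).digest()
    A = H(pw + salt + (B * (n // blk + 1))[:n])     # pw, salt, then n bytes of B
    i = n
    while i:                                        # bits of n: 1 adds B, 0 adds pw
        A.update(B if i & 1 else pw)
        i >>= 1
    A = C = A.digest()
    P = (H(pw * n).digest() * (n // blk + 1))[:n]   # P bytes derived from DP
    S = H(salt * (16 + A[0])).digest()[:len(salt)]  # S bytes derived from DS
    for r in range(rounds):                         # the deliberately slow loop
        ctx = H(P if r & 1 else C)
        if r % 3:
            ctx.update(S)
        if r % 7:
            ctx.update(P)
        ctx.update(C if r & 1 else P)
        C = ctx.digest()
    head = setting[:3] + (f"rounds={rounds}$" if custom else "") + salt.decode()
    return head + "$" + _encode(C, is_512)


def parse_ldap_password(value):
    """(scheme, algorithm, salt, hash); salt == "" for unsalted values such as $6$$."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, data = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme in DIGEST_SCHEMES:                      # salt/hash returned as hex here
        algo = DIGEST_SCHEMES[scheme]
        raw, size = base64.b64decode(data), hashlib.new(algo).digest_size
        return scheme, algo, raw[size:].hex(), raw[:size].hex()
    parts = data.split("$")                           # ["", "5"|"6", ("rounds=N",) salt, hash]
    if scheme != "CRYPT" or len(parts) < 4 or parts[1] not in ("5", "6"):
        raise ValueError("only {SHA*}, {SSHA*} and {CRYPT}$5$/$6$ values are handled")
    return scheme, ("sha256" if parts[1] == "5" else "sha512"), parts[-2], parts[-1]


def verify_ldap_password(password, value):
    """True if password matches value; comparisons are constant-time."""
    scheme, algo, salt, h = parse_ldap_password(value)
    if scheme in DIGEST_SCHEMES:
        got = hashlib.new(algo, password.encode() + bytes.fromhex(salt)).digest()
        return secrets.compare_digest(got, bytes.fromhex(h))
    data = value.partition("}")[2]                    # "$6$[rounds=N$]salt$hash"
    return secrets.compare_digest(sha_crypt(password, data.rsplit("$", 1)[0]), data)


def make_ldap_value(password, scheme="CRYPT-SHA512"):
    """Fresh value for "SHA", "SSHA", "SHA512", "SSHA512", "CRYPT-SHA256" or "CRYPT-SHA512"."""
    pw = password.encode()
    if scheme in DIGEST_SCHEMES:
        salt = secrets.token_bytes(8) if scheme.startswith("SS") else b""
        raw = hashlib.new(DIGEST_SCHEMES[scheme], pw + salt).digest() + salt
        return "{" + scheme + "}" + base64.b64encode(raw).decode()
    salt = "".join(secrets.choice(ITOA64) for _ in range(SALT_MAX))
    return "{CRYPT}" + sha_crypt(password, ("$6$" if scheme.endswith("512") else "$5$") + salt)
```

parse_ldap_password shows which algorithm and salt an existing directory value uses (for the salted SHA256 sample above it reports the salt D8I8YSb5qp1JuR/M, for the "$6$$" sample an empty salt), and verify_ldap_password lets an administrator confirm that a value written to the directory matches the intended password before ONTAP is pointed at it. make_ldap_value("...") produces a salted {CRYPT}$6$ string equivalent to the salted_hash printed in the session above; sha_crypt reproduces the specification's published test vectors, so it can stand in for crypt(3) where that function is unavailable.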


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.