Does ONTAP support LDAP authentication using SHA2 hashes?
Applies to
- ONTAP 9
Answer
When using LDAP-based authentication for admin users, ONTAP retrieves the user's hashed password from the LDAP server.
ONTAP currently supports hashes presented in the following formats:
- SHA1 hash, e.g.
{SHA}Ib0S3Bg/dA7nbye3jrOcitlyp1c=
- SHA1 hash with salt, e.g.
{SSHA}6kjRsXW28j3tI9QgAyqQZqMk5JF9baJA
- Unix /etc/shadow format, e.g.
{CRYPT}337wv58eeI9vU
In the latter example, the value has a "{CRYPT}" prefix and the remainder of the string ("337wv58eeI9vU") is exactly what would be found in /etc/shadow, e.g. on a Linux system.
ONTAP supports SHA2 passwords in the same form as they are stored in Linux /etc/shadow files, e.g.
- SHA256 without salt:
{CRYPT}$5$$6G6fqh7JbmWoA0UDAV4a9AWvIITTJX3z13yUnMs2/S9
- SHA256 with salt:
{CRYPT}$5$D8I8YSb5qp1JuR/M$WU3tC8sJEplhzjPdAGomBIEnWNIEAMlvWhx1UhbIXw
- SHA512 without salt:
{CRYPT}$6$$VCSoGjn22d.ifTNEaijGbMMSqajTedh/HYPnOkuj0ky3sAiCCIx.rMZj8d20v2qil5zCOZF21zmm959VQVcEl0
- SHA512 with salt:
{CRYPT}$6$rJx0V8y2xj6CsMiL$gu.wruOPQV/Dw0PI4CQv1gCwRbN/.2cKszer2mPX3td5x9qf.l9s.i6MVEmhOLdi/JmRVMMQ0
In the values above, the 5 or 6 between the first two dollar signs selects SHA256 or SHA512, respectively, and the salt is the field between the second and third dollar signs (empty for the unsalted variants).
The hash can be generated by any program that can output an appropriate value for /etc/shadow.
The following uses Python 3 on a Linux system to call the local crypt(3) function:
% python3
Python 3.6.8 (default, Apr 25 2019, 21:02:35)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import crypt, getpass
>>> passwd = getpass.getpass("Please enter password: ")
Please enter password:
>>> salt = crypt.mksalt(crypt.METHOD_SHA512)
>>> salted_hash = "{CRYPT}" + crypt.crypt(passwd, salt)
>>> print(salted_hash)
{CRYPT}$6$up5Ai00M1VGaFK6q$4yFNK.YUszogLFS.7IDiAW70RLC7BufwYhLEhPxTSSMRTJa2gFkWjhWBLvsdUGniYkTMmPmBu5SX4Y7tF7lys0
>>> unsalted_hash = "{CRYPT}" + crypt.crypt(passwd, "$6$")
>>> print(unsalted_hash)
{CRYPT}$6$$VCSoGjn22d.ifTNEaijGbMMSqajTedh/HYPnOkuj0ky3sAiCCIx.rMZj8d20v2qil5zCOZF21zmm959VQVcEl0
Note: Starting with ONTAP 9.7P9, ONTAP also supports LDAP hashed values with prefixes such as {SHA512} or {SSHA512}.
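As an added example (not NetApp's or ONTAP's code), the Python below parses every value format listed above, extracts the salt, flags unsalted or SHA1/DES values so they can be reviewed before LDAP admin authentication is enabled, and shows how the {SSHA} form appends the salt to the digest. It assumes a Python 3 interpreter with the standard library only; the values it is exercised with are the article's own samples plus a constructed password and salt.

```python
import base64
import hashlib
import hmac
from typing import List, NamedTuple

CRYPT_ALGOS = {"5": "sha256-crypt", "6": "sha512-crypt"}   # crypt(3) method ids used by ONTAP

class HashInfo(NamedTuple):
    scheme: str     # prefix as written: CRYPT, SHA, SSHA, SHA512 or SSHA512
    algorithm: str  # underlying digest or crypt(3) method
    salted: bool
    salt: str       # crypt(3) salt verbatim, or hex of the bytes appended to the digest

def parse_ldap_hash(value: str) -> HashInfo:
    """Split a '{SCHEME}data' userPassword value into scheme, algorithm and salt."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("value lacks a {SCHEME} prefix")
    scheme, data = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "CRYPT":
        if not data.startswith("$"):   # traditional DES crypt: 2-char salt then 11-char hash
            return HashInfo(scheme, "des-crypt", True, data[:2])
        parts = data.split("$")        # "$6$salt$hash" -> ["", "6", "salt", "hash"]
        if len(parts) != 4 or parts[1] not in CRYPT_ALGOS:
            raise ValueError("only $5$ and $6$ crypt(3) values are handled here")
        return HashInfo(scheme, CRYPT_ALGOS[parts[1]], parts[2] != "", parts[2])
    if scheme in ("SHA", "SSHA", "SHA512", "SSHA512"):
        algo = "sha1" if scheme.endswith("SHA") else "sha512"
        salted = scheme.startswith("SS")
        raw = base64.b64decode(data)   # digest followed by the salt bytes, if any
        salt = raw[hashlib.new(algo).digest_size:] if salted else b""
        return HashInfo(scheme, algo, salted, salt.hex())
    raise ValueError("unsupported scheme {" + scheme + "}")

def audit(value: str) -> List[str]:   # findings a reviewer would want before enabling LDAP admin auth
    info = parse_ldap_hash(value)
    findings = []
    if not info.salted:
        findings.append("unsalted: identical passwords yield identical hashes")
    if info.algorithm in ("sha1", "des-crypt"):
        findings.append(info.algorithm + " is weak; prefer {CRYPT}$6$ with a random salt")
    return findings

def make_ssha(password: str, salt: bytes) -> str:   # {SSHA} = base64(sha1(pw || salt) || salt)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(password: str, value: str) -> bool:
    raw = base64.b64decode(value[len("{SSHA}"):])   # first 20 bytes digest, rest is the salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + raw[20:]).digest(), raw[:20])
```

Pass a random salt (e.g. from os.urandom) to make_ssha outside of tests; the fixed salt here only keeps the example reproducible.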