NetApp Knowledgebase

Does ONTAP support LDAP authentication using SHA2 hashes?

Category:
ontap-9
Specialty:
nas
Applies to

  • ONTAP 9

Answer

When using LDAP-based authentication for admin users, ONTAP retrieves the user's hashed password from an LDAP server.

ONTAP currently supports hashes presented in the following formats:

  • SHA1 hash, e.g. {SHA}Ib0S3Bg/dA7nbye3jrOcitlyp1c=
  • SHA1 hash with salt, e.g. {SSHA}6kjRsXW28j3tI9QgAyqQZqMk5JF9baJA
  • Unix /etc/shadow format, e.g. {CRYPT}337wv58eeI9vU

In the latter example, the value has a "{CRYPT}" prefix and the remainder of the string ("337wv58eeI9vU") is exactly what would be found in /etc/shadow, e.g. on a Linux system.

ONTAP supports SHA2 passwords as stored in Linux /etc/shadow files, e.g.

  • SHA256 without salt: {CRYPT}$5$$6G6fqh7JbmWoA0UDAV4a9AWvIITTJX3z13yUnMs2/S9
  • SHA256 with salt: {CRYPT}$5$D8I8YSb5qp1JuR/M$WU3tC8sJEplhzjPdAGomBIEnWNIEAMlvWhx1UhbIXw
  • SHA512 without salt: {CRYPT}$6$$VCSoGjn22d.ifTNEaijGbMMSqajTedh/HYPnOkuj0ky3sAiCCIx.rMZj8d20v2qil5zCOZF21zmm959VQVcEl0
  • SHA512 with salt: {CRYPT}$6$rJx0V8y2xj6CsMiL$gu.wruOPQV/Dw0PI4CQv1gCwRbN/.2cKszer2mPX3td5x9qf.l9s.i6MVEmhOLdi/JmRVMMQ0

Above, the 5 or 6 between the first two dollar signs indicates SHA256 or SHA512, respectively, and the salt is the text between the second and third dollar signs (empty in the unsalted examples, hence the "$$").

The hash can be generated by any program that can output an appropriate value for /etc/shadow.
The following uses Python 3, run on a Linux system, to call the local crypt(3) function:

% python3
Python 3.6.8 (default, Apr 25 2019, 21:02:35)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import crypt, getpass
>>> passwd = getpass.getpass("Please enter password: ")
Please enter password:
>>> salt = crypt.mksalt(crypt.METHOD_SHA512)
>>> salted_hash = "{CRYPT}" + crypt.crypt(passwd, salt)
>>> print(salted_hash)
{CRYPT}$6$up5Ai00M1VGaFK6q$4yFNK.YUszogLFS.7IDiAW70RLC7BufwYhLEhPxTSSMRTJa2gFkWjhWBLvsdUGniYkTMmPmBu5SX4Y7tF7lys0
>>> unsalted_hash = "{CRYPT}" + crypt.crypt(passwd, "$6$")
>>> print(unsalted_hash)
{CRYPT}$6$$VCSoGjn22d.ifTNEaijGbMMSqajTedh/HYPnOkuj0ky3sAiCCIx.rMZj8d20v2qil5zCOZF21zmm959VQVcEl0


At the present time, ONTAP does not support LDAP hashed values with prefixes of e.g. "{SHA512}" or "{SSHA512}".
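As an added example (not part of the NetApp article): a small Python 3 helper that classifies an LDAP userPassword value against the formats listed above, reports which ones ONTAP accepts, and verifies a candidate password against the {SHA}/{SSHA} forms with hashlib. {CRYPT} values are delegated to the same crypt(3) function the session above uses, via Python's crypt module, which is Linux-only, deprecated since 3.11 and removed in 3.13. The function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
import re

# Prefixes the article lists as accepted; {SHA512}/{SSHA512} are explicitly not.
CRYPT_IDS = {"5": "sha256-crypt", "6": "sha512-crypt"}  # $5$ / $6$ from crypt(3)
_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)


def classify(value: str) -> dict:
    """Return scheme, algorithm, salt and whether ONTAP accepts the value."""
    m = _PREFIX_RE.match(value)
    if not m:
        return {"scheme": None, "supported": False, "reason": "no {SCHEME} prefix"}
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "SHA":
        return {"scheme": scheme, "algorithm": "sha1", "salt": b"", "supported": True}
    if scheme == "SSHA":
        # {SSHA} is base64(sha1(password + salt) || salt); SHA-1 digests are 20 bytes.
        return {"scheme": scheme, "algorithm": "sha1",
                "salt": base64.b64decode(rest)[20:], "supported": True}
    if scheme == "CRYPT":
        if "$" not in rest:  # traditional DES crypt: 2-char salt + 11-char hash
            return {"scheme": scheme, "algorithm": "des-crypt",
                    "salt": rest[:2].encode(), "supported": True}
        parts = rest.split("$")  # ["", id, salt, hash]; salt is "" for the unsalted form
        if len(parts) == 4 and parts[0] == "" and parts[1] in CRYPT_IDS:
            return {"scheme": scheme, "algorithm": CRYPT_IDS[parts[1]],
                    "salt": parts[2].encode(), "supported": True}
        return {"scheme": scheme, "supported": False, "reason": "unrecognised crypt(3) layout"}
    return {"scheme": scheme, "supported": False, "reason": "prefix not accepted by ONTAP"}


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build an {SSHA} value the way an LDAP server would (8 random salt bytes by default)."""
    salt = salt or os.urandom(8)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def verify(password: str, value: str) -> bool:
    """Check a candidate password against a supported {SHA}/{SSHA}/{CRYPT} value."""
    info = classify(value)
    if not info["supported"]:
        return False
    if info["scheme"] == "CRYPT":
        import crypt  # Linux-only stdlib module; deprecated in 3.11, removed in 3.13
        setting = value[len("{CRYPT}"):]
        return hmac.compare_digest(crypt.crypt(password, setting), setting)
    stored = base64.b64decode(value.split("}", 1)[1])[:20]
    return hmac.compare_digest(hashlib.sha1(password.encode() + info["salt"]).digest(), stored)
```

Run classify() over an exported userPassword attribute before pointing ONTAP at the directory: any entry reported as unsupported (for instance a {SSHA512} value) will fail admin login even though the LDAP bind itself works.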
