Freeradius doesn't support SSHA512. How can I change default zimbra hash back to SSHA?


Post by rahmanduran »

Hi,

With the Zimbra 8.5 update, new users and users who change their password have an SSHA512 hash in Zimbra LDAP. The problem is that Freeradius does not support SSHA512, so these users can't authenticate with the 802.1x wireless network (EAP-TTLS).

So how can I change the default Zimbra hash back to SSHA?

Post by metux »

Haven't checked freeradius, whether it really doesn't support sha512. But it really should do - so, the correct way is to fix it.

Post by rahmanduran »

It does support SHA512, but Zimbra uses SSHA512, which Freeradius does not support.

> But it really should do - so, the correct way is to fix it.

Really? We have a problem now. So it is not an option to wait for Freeradius to support SSHA512. We need to fix it right now, and the only option is to make Zimbra use the SSHA hash.

Did the Zimbra team hardcode it in their code? If not, why don't they provide a workaround, or why did they not make it optional and instead break working systems?
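
The SHA512 versus SSHA512 distinction drawn in the post above, as an added example that is not part of the thread and is not Zimbra or Freeradius code. It assumes the OpenLDAP-style `userPassword` layout `{SCHEME}base64(digest + salt)`; the function names and the `supported` set (modelling a verifier that accepts `{SHA512}` but not `{SSHA512}`) are hypothetical.

```python
import base64
import hashlib
import hmac

# Assumed layout (OpenLDAP convention): {SCHEME}base64(digest || salt).
# scheme -> (hashlib algorithm, digest length in bytes, salted?)
SCHEMES = {
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
    "SHA512": ("sha512", 64, False),
    "SSHA512": ("sha512", 64, True),
}


class UnsupportedScheme(ValueError):
    """The stored value uses a scheme this verifier was not told to accept."""


def make_hash(scheme, password, salt=b""):
    """Build a userPassword value; salt is ignored for unsalted schemes."""
    algo, _, salted = SCHEMES[scheme]
    salt = salt if salted else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify(stored, password, supported=frozenset(SCHEMES)):
    """Check password against stored; raise if the scheme is not supported."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in supported or scheme not in SCHEMES:
        raise UnsupportedScheme(scheme)
    algo, dlen, salted = SCHEMES[scheme]
    blob = base64.b64decode(b64, validate=True)
    digest, salt = blob[:dlen], blob[dlen:]
    if len(digest) != dlen or (salt and not salted):
        return False  # truncated digest, or trailing bytes on an unsalted hash
    expected = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    salt = bytes(range(8))  # constructed salt, fixed so the output is repeatable
    stored = make_hash("SSHA512", "correct horse", salt)
    print(stored[:24] + "...", verify(stored, "correct horse"))
    try:
        verify(stored, "correct horse", supported={"SHA", "SSHA", "SHA512"})
    except UnsupportedScheme as exc:
        print("rejected scheme:", exc)
```

The same password verifies under every scheme the verifier knows, and a stored value whose prefix it does not know is rejected before any hashing happens, which is the failure the affected users hit.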

Post by dlane.ire »

We are also facing a problem where SSHA512 is breaking existing systems. Is it possible to configure the password encoding in Zimbra? I can't find anything in the docs.

Post by Klug »

Actually (there are a couple of threads in the last weeks about this iirc), you should not authenticate other apps/services against Zimbra's LDAP.

If you want to authenticate several things against a single directory, you should set up a standalone LDAP server, create your users in this directory and authenticate everything (including Zimbra) against it.

Post by dlane.ire »

Thanks for the reply. This is something I will take on board and try to put in place in the future. But for right now we have users unable to log in to a system that only supports {sha} and {ssha}; the {ssha512} is breaking the auth process. Is it possible to change the password encoding via config so I can get the users back in? I can look at an LDAP re-org afterwards.