What password hash algorithm does ldap use?
simonleung
What password hash algorithm does ldap use?
I want to change the passwords of Zimbra 10 mailboxes on Roundcube webmail. How does LDAP hash the passwords? Should I use the ssha512 password hash in the configuration file of Roundcube?
Re: What password hash algorithm does ldap use?
Ideally you shouldn't provision password hashes to LDAP, but passwords straight (using Zimbra setPassword / LDAP Password Modify call), and let LDAP hash them.
That said, yes, Zimbra's OpenLDAP uses SSHA512 (salted SHA2-512) by default.
I've posted pull requests for Zimbra's OpenLDAP 2.4 and 2.5 to make it support Argon2 as well, but that still hasn't been enabled by default yet.
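The SSHA512 format mentioned in the reply above, as an added example that is not part of the original posts: it classifies a stored userPassword value by its scheme prefix and verifies a candidate password against an {SSHA512} value. It assumes the usual OpenLDAP salted-SHA2 layout, base64(SHA512(password + salt) + salt); the function names, the 8-byte salt length, and the sample password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes of SHA-512 output
PREFIX = "{SSHA512}"


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Build {SSHA512}base64(SHA512(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumed salt length; verification accepts any
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def scheme_of(user_password: str) -> str:
    """Return the scheme name, or 'CLEARTEXT' when there is no {SCHEME} prefix."""
    if user_password.startswith("{") and "}" in user_password:
        return user_password[1:user_password.index("}")].upper()
    return "CLEARTEXT"


def verify_ssha512(password: str, user_password: str) -> bool:
    """Check a candidate password against a stored {SSHA512} value."""
    if scheme_of(user_password) != "SSHA512":
        raise ValueError("not an {SSHA512} value")
    try:
        raw = base64.b64decode(user_password[len(PREFIX):], validate=True)
    except ValueError:  # malformed base64
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # digest only, no salt appended: not a salted value
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed sample: fixed salt so the value is reproducible.
SAMPLE_STORED = make_ssha512("Constructed-Pw-1", bytes.fromhex("0011223344556677"))

if __name__ == "__main__":
    print(scheme_of(SAMPLE_STORED), verify_ssha512("Constructed-Pw-1", SAMPLE_STORED))
    print(scheme_of("Constructed-Pw-1"))  # a value stored without hashing
```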
simonleung
Re: What password hash algorithm does ldap use?
ghen wrote: ↑Thu Nov 20, 2025 7:26 pm
> Ideally you shouldn't provision password hashes to LDAP, but passwords straight (using Zimbra setPassword / LDAP Password Modify call), and let LDAP hash them.
> That said, yes, Zimbra's OpenLDAP uses SSHA512 (salted SHA2-512) by default.
> I've posted pull requests for Zimbra's OpenLDAP 2.4 and 2.5 to make it support Argon2 as well, but that still hasn't been enabled by default yet.

Actually, I have configured the password plugin of Roundcube to provision clear password to LDAP as follows.
$config['password_algorithm'] = 'clear';
$config['password_ldap_encodage'] = 'clear';
Afterwards, I could change the password and found the following message in the log file.
[18-Nov-2025 17:43:22 +0800]: <ei2fujkb> Password changed for user user@test.com (ID: 1) from 123.123.123.123
After changing the password, however, I could not log in to Roundcube webmail and found the following error in the log file.
[20-Nov-2025 15:55:41 +0800]: <ahfan269> IMAP Error: Login failed for user@test.com against mail.test.com from 123.123.123.123. AUTHENTICATE PLAIN: AUTHENTICATE failed in /var/www/roundcube/program/lib/Roundcube/rcube_imap.php on line 211 (POST /?_task=login&_action=login)
So, I wonder if there is a problem with the password hash.
