
I have deployed a FreeIPA identity solution which is backed internally by a 389 Directory Server.

Due to the need to periodically sync user passwords to another platform (Google Apps for Work), I need the user account storage scheme to be SHA1 instead of SSHA (salted SHA).

I could easily switch the passwordStorageScheme to SHA, but I don't know whether IPA relies on the password being SSHA and whether I would break something, so:

  • Can I 'happily' switch from SSHA to SHA passwordStorageScheme without breaking anything?
  • Instead of that, can I configure 389 to save an additional hash in a custom attribute (let's say, 'userPasswordSHA') each time a password changes, so I can easily dispose of both?
Andor
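
What the two schemes named in the question store, as an added example that is not part of the original post and is not 389 Directory Server or FreeIPA code. It assumes the conventional LDAP `{SHA}` and `{SSHA}` value layouts; the function names, the 8-byte salt and the sample accounts are constructed for illustration. It shows that unsalted values are identical for identical passwords, while salted ones are not.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes

def encode_sha(password):
    """{SHA}: base64(sha1(password)), no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def encode_ssha(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password, stored):
    """Check a password against a {SHA} or {SSHA} value."""
    scheme, sep, b64 = stored.partition("}")
    if not sep or not scheme.startswith("{"):
        raise ValueError("missing {SCHEME} prefix")
    raw = base64.b64decode(b64, validate=True)
    scheme = scheme[1:].upper()
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("unsupported scheme: " + scheme)
    # For {SSHA} everything after the 20-byte digest is the salt.
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN or (scheme == "SHA" and salt):
        raise ValueError("bad length for " + scheme)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def duplicate_groups(entries):
    """Accounts whose stored values are byte-identical (same password visible)."""
    groups = {}
    for account, stored in entries.items():
        groups.setdefault(stored, []).append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    # Constructed sample: two accounts that picked the same password.
    passwords = {"alice": "Spring2024!", "bob": "Spring2024!", "carol": "x9#Lq"}
    unsalted = {u: encode_sha(p) for u, p in passwords.items()}
    salted = {u: encode_ssha(p) for u, p in passwords.items()}
    print("SHA duplicates: ", duplicate_groups(unsalted))
    print("SSHA duplicates:", duplicate_groups(salted))
```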

0 Answers