Commit 1325dff1 authored by ale

Add documentation on the encoding of password fields

parent 66ca475f
Pipeline #4510 passed with stages
in 1 minute and 59 seconds
......@@ -160,8 +160,10 @@ user, with the following attributes:
* `name` is the username
* `email` is the email associated with the user (optional)
* `password` stores the encrypted password
* `password` stores the encrypted password, see *Password Encoding*
below for details on the supported algorithms etc.
* `totp_secret` stores the *unencrypted* TOTP secret seed
* `u2f_registrations` is a list of U2F registrations with `key_handle`
and `public_key` attributes, in the format used by *pamu2fcfg* (for
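Review bot: the reworded `password` line still says "stores the encrypted password", while the section it now points to describes password hashing algorithms; use "hashed" here so nobody reads the stored value as reversible, and replace the trailing "etc." with what the section actually covers. The adjacent `totp_secret` line names no encoding for the seed, although the LDAP `otp_secret` attribute is documented with one; stating the encoding here too would keep the two backends consistent.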
......@@ -209,8 +211,10 @@ LDAP attributes). The following attribute names are defined:
* `password` contains the encrypted password. Since this attribute is
often also used for authentication of the LDAP protocol itself, an
eventual `{crypt}` prefix is ignored. Passwords should be encrypted.
* `otp_secret` should contain the hex-encoded TOTP secret
eventual `{crypt}` prefix is ignored. Passwords should be encrypted,
see *Password Encoding* below for details on the supported
algorithms etc.
* `otp_secret` should contain the base32-encoded TOTP secret
* `app_specific_password` (possibly repeated) contains an encrypted
app-specific password
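Review bot: the `otp_secret` line changes the documented encoding from "hex-encoded" to "base32-encoded", which the commit message (password fields only) does not mention; call it out in the message or split it into its own commit, and say in the text whether hex-encoded values already stored in LDAP are still accepted. In the same list item, "an eventual `{crypt}` prefix" reads better as "an optional `{crypt}` prefix", and "Passwords should be encrypted" should say "hashed" to match the section it references.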
......@@ -409,3 +413,28 @@ Responses will contain the following attributes:
* `email`: email of this user
* `groups`: groups the user is a member of.
### Password encoding
Multiple password hashing algorithms are supported. The format is the
well-known dollar-separated field string, extended with optional
algorithm-specific parameters:
where the optional *params* field is itself a dollar-separated list of
All *id* values understood by the libc *crypt(3)* function are
supported, as well as a few more custom algorithms:
* Scrypt (id `$s$`), in which case the parameters are *N*, *R* and
* Argon2 (id `$a2$`), with parameters *time*, *memory* and
Check the documentation for these algorithms for an explanation of the
meaning of the parameters. Each algorithm has different requirements
for the salt.
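Review bot: the closing sentence "Each algorithm has different requirements for the salt." states that requirements exist without giving them; list the expected salt length and encoding per algorithm, and consider giving recommended values for the Scrypt and Argon2 parameters rather than only deferring to external documentation. The heading is written "Password encoding" while the two cross-references added earlier in this patch use *Password Encoding*; pick one spelling so the references match the heading.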