by gopaz 2250 days ago
Can someone recommend a product (open source) that supports:

* LDAP
* multiple password hashes per person, or some other way to keep different hash functions of the password (LDAP supports this)
* SAML/Shibboleth or OpenID Connect (preferably both)
* export all users and password hashes (I guess LDAP supports this natively)

Want to replace a legacy openldap installation with something more modern and future proof, but need to keep supporting a couple of old systems that won't go away for a long time.

3 comments

If you're really married to the idea of "keep different hash-functions of the password ( ldap supports this)" then I think you are going to have a tough time without really digging into candidate products' customization hooks or considering some manner of virtual directory. IME maintaining multiple password hashes is not at all a common LDAP server feature. Many products will stand in your way of exporting password hashes (just try and wrest this info from Active Directory or Auth0) and you may not be able to control the hash algorithm besides.
I've been considering setting up a Gluu [1] instance for some of my services. It supposedly supports LDAP as well as OpenID and OAuth2 for authentication, as well as RADIUS. From what I can tell, this would fit your use case perfectly fine. It's available as open source software, but the company behind it is selling it as well in case you'd like a support contract.

Note that I haven't set it up myself yet, it's still on my ever-growing list of "tools I have to take a good look at sometime in the future". It does seem like a very good piece of software though.

[1] https://www.gluu.org/

Just want to say that I've met the lead developer of Gluu randomly at a GitLab hackathon / party in Portland. It seems like they've got a really nice product, and he was extremely knowledgeable along with very likable.

I've never used it, but if I needed to do something like the GP asked, I'd definitely give it a look.

Keep LDAP as the backend and use Keycloak for SAML, OIDC, the user-facing console, etc. OpenLDAP is not going anywhere, and keeping multiple hashes is not a common feature.

If it's enough, you can plug any hash algorithm into Keycloak.

When it comes to LDAP integration, Keycloak doesn't even store the password hashes itself; it sends them straight to the LDAP server to be hashed on both update and login.

Generally speaking you never, ever want to pull password hashes out of your LDAP server - and most will fight you tooth and nail when you try.