diff --git a/README.md b/README.md
index 0f9bc49..bff7ce4 100644
--- a/README.md
+++ b/README.md
@@ -66,7 +66,7 @@ If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent`
 ## Available parameters
-These are the SSOwat's configuration parameters. Only `portal_domain` and `skipped_urls` are required, but it is recommended to know the others to fully understand what you can do with SSOwat.
+These are the SSOwat's configuration parameters. Only `portal_domain` is required, but it is recommended to know the others to fully understand what you can do with SSOwat.
 #### portal_domain
@@ -104,6 +104,10 @@ LDAP user identifier (**default**: `uid`)
 User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
+#### ldap_enforce_crypt
+
+Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`)
+
 #### allow_mail_authentication
 Whether users can authenticate with their mail address (**default**: `true`)
diff --git a/config.lua b/config.lua
index c0359ae..e2dcb55 100644
--- a/config.lua
+++ b/config.lua
@@ -50,6 +50,8 @@ function get_config()
 ldap_host = "localhost",
 ldap_group = "ou=users,dc=yunohost,dc=org",
 ldap_identifier = "uid",
+ldap_enforce_crypt = true,
+skipped_urls = {},
 ldap_attributes = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"},
 allow_mail_authentication = true,
 default_language = "en"
diff --git a/helpers.lua b/helpers.lua
index ea7f67b..6981a7a 100644
--- a/helpers.lua
+++ b/helpers.lua
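Review bot: `ldap_enforce_crypt = true` enables an LDAP write (re-hashing a user's stored password on a successful login) by default, and nothing in the defaults table says so; a one-line comment above it, `-- on login, rewrite LDAP passwords stored with a weak hash as sha-512 crypt (see README)`, would tell an operator what turning it on does before they go read helpers.lua. The README hunk in this commit names the sha-512 (crypt) target, so the comment stays accurate as long as both are kept in step. `skipped_urls = {}` is an unrelated default added in the same hunk — it is what lets the README drop `skipped_urls` from the required parameters — and deserves a sentence in the commit message. get_config begins before this hunk and the defaults table continues past its last line.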
@@ -293,7 +293,9 @@ function authenticate(user, password)
 -- cache shared table in order to eventually reuse it later when updating
 -- profile information or just passing credentials to an application.
 if connected then
-ensure_user_password_uses_strong_hash(connected, user, password)
+if conf['ldap_enforce_crypt'] then
+ensure_user_password_uses_strong_hash(connected, user, password)
+end
 cache:add(user.."-password", password, conf["session_timeout"])
 ngx.log(ngx.NOTICE, "Connected as: "..user)
 return user
@@ -575,12 +577,13 @@ end
 -- if it's not the case, it migrates the password to this new hash algorithm
 function ensure_user_password_uses_strong_hash(ldap, user, password)
 local current_hashed_password = nil
+conf = config.get_config()
 for dn, attrs in ldap:search {
-base = "ou=users,dc=yunohost,dc=org",
+base = conf['ldap_group'],
 scope = "onelevel",
 sizelimit = 1,
-filter = "(uid="..user..")",
+filter = "("..conf['ldap_identifier'].."="..user..")",
 attrs = {"userPassword"}
 } do
 current_hashed_password = attrs["userPassword"]:sub(0, 10)
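Review bot: The new guard reads `conf['ldap_enforce_crypt']` and then calls `ensure_user_password_uses_strong_hash`, whose body (the second helpers.lua hunk, cut off at the end of this view) assigns `conf = config.get_config()` without `local`, so on every successful login the callee reassigns whatever `conf` this function is reading — presumably a file-level table — and the following `cache:add(..., conf["session_timeout"])` line then reads a freshly reloaded config rather than the one the guard consulted. Make the reload private to the callee, `local conf = config.get_config()`, or pass the caller's `conf` down as an argument instead of re-reading it. Separately, the search filter in that callee is still built by concatenation, `"("..conf['ldap_identifier'].."="..user..")"`, so unless `user` is validated before authenticate is reached it should be run through LDAP filter escaping (RFC 4515) before the search; the commit leaves that as it was. authenticate's body starts before this hunk and continues after `return user`.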