2012-05-23 21:23:06 -04:00
|
|
|
SHA-2 OpenLDAP support
|
|
|
|
|
----------------------
|
2009-01-25 23:08:34 -05:00
|
|
|
|
2012-05-23 21:23:06 -04:00
|
|
|
slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256,
|
|
|
|
|
SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For
|
|
|
|
|
instance, one could have the LDAP attribute:
|
2009-01-25 23:08:34 -05:00
|
|
|
|
|
|
|
|
userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
|
|
|
|
|
|
|
|
|
|
or:
|
|
|
|
|
|
|
|
|
|
userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
|
|
|
|
|
|
|
|
|
|
or:
|
|
|
|
|
|
|
|
|
|
userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
|
|
|
|
|
|
|
|
|
|
all of which encode the password 'secret'.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Building
|
|
|
|
|
--------
|
|
|
|
|
|
2009-08-17 20:49:15 -04:00
|
|
|
1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP
|
2009-01-25 23:08:34 -05:00
|
|
|
source root.
|
|
|
|
|
|
2012-06-14 13:15:48 -04:00
|
|
|
For initial testing you might also want to edit DEFS to define
|
2009-01-25 23:08:34 -05:00
|
|
|
SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on
|
|
|
|
|
in production, as it prints passwords in cleartext).
|
|
|
|
|
|
2009-08-17 20:49:15 -04:00
|
|
|
2) Run 'make' to produce slapd-sha2.so
|
2009-01-25 23:08:34 -05:00
|
|
|
|
2009-08-17 20:49:15 -04:00
|
|
|
3) Copy slapd-sha2.so somewhere permanent.
|
2009-01-25 23:08:34 -05:00
|
|
|
|
|
|
|
|
4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add:
|
|
|
|
|
|
|
|
|
|
moduleload ...path/to/slapd-sha2.so
|
|
|
|
|
|
|
|
|
|
5) Restart slapd.
|
|
|
|
|
|
2010-03-03 18:56:30 -05:00
|
|
|
|
|
|
|
|
Configuring
|
|
|
|
|
-----------
|
|
|
|
|
|
2012-05-23 21:23:06 -04:00
|
|
|
The {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384} and {SHA512}
|
|
|
|
|
password schemes should now be recognised.
|
2010-03-03 18:56:30 -05:00
|
|
|
|
|
|
|
|
You can also tell OpenLDAP to use one of these new schemes when processing LDAP
|
|
|
|
|
Password Modify Extended Operations, thanks to the password-hash option in
|
|
|
|
|
slapd.conf. For example:
|
|
|
|
|
|
2012-05-23 21:23:06 -04:00
|
|
|
password-hash {SSHA512}
|
2010-03-03 18:56:30 -05:00
|
|
|
|
2009-01-25 23:08:34 -05:00
|
|
|
|
|
|
|
|
Testing
|
|
|
|
|
-------
|
|
|
|
|
|
|
|
|
|
A quick way to test whether it's working is to customize the rootdn and
|
|
|
|
|
rootpw in slapd.conf, eg:
|
|
|
|
|
|
|
|
|
|
rootdn "cn=admin,dc=example,dc=com"
|
2012-05-23 21:23:06 -04:00
|
|
|
# This encrypts the string 'secret'
|
2009-01-25 23:08:34 -05:00
|
|
|
|
|
|
|
|
rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
|
|
|
|
|
|
|
|
|
|
Then to test, run something like:
|
|
|
|
|
|
|
|
|
|
ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- Test hashes:
|
|
|
|
|
|
|
|
|
|
Test hashes can be generated with openssl:
|
|
|
|
|
|
|
|
|
|
$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
|
|
|
|
|
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
|
|
|
|
|
$ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64
|
|
|
|
|
WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
|
2012-05-23 21:23:06 -04:00
|
|
|
$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
|
2009-01-25 23:08:34 -05:00
|
|
|
vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
|
|
|
|
|
W192CF5bDufKRpayrW/isg==
|
|
|
|
|
|
|
|
|
|
(join those lines up to form the full hash)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Alternatively we could modify an existing user's password with
|
2012-05-23 21:23:06 -04:00
|
|
|
ldappasswd, and then test binding as that user:
|
2009-01-25 23:08:34 -05:00
|
|
|
|
2012-05-23 21:23:06 -04:00
|
|
|
$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com
|
|
|
|
|
New password: secret
|
|
|
|
|
Re-enter new password: secret
|
|
|
|
|
Enter LDAP Password: <cn=admin's password>
|
2009-01-25 23:08:34 -05:00
|
|
|
|
|
|
|
|
$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret
|
|
|
|
|
|
|
|
|
|
|
2012-05-23 21:23:06 -04:00
|
|
|
Debugging (SHA-512, SHA-384 and SHA-256 only)
|
|
|
|
|
---------------------------------------------
|
2009-01-25 23:08:34 -05:00
|
|
|
|
|
|
|
|
To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the
|
2012-06-14 13:15:48 -04:00
|
|
|
commented-out DEFS in Makefile), and then run slapd from the console
|
2009-01-25 23:08:34 -05:00
|
|
|
to see stderr:
|
|
|
|
|
|
|
|
|
|
$ sudo /etc/init.d/slapd stop
|
|
|
|
|
Stopping OpenLDAP: slapd.
|
2012-05-23 21:23:06 -04:00
|
|
|
$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d stats
|
2009-01-25 23:08:34 -05:00
|
|
|
@(#) $OpenLDAP$
|
|
|
|
|
buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
|
|
|
|
|
slapd starting
|
|
|
|
|
...
|
|
|
|
|
Validating password
|
2012-05-23 21:23:06 -04:00
|
|
|
Hash scheme: {SHA256}
|
|
|
|
|
Password to validate: secret
|
|
|
|
|
Password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
|
|
|
|
|
Stored password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
|
|
|
|
|
Result: match
|
2009-01-25 23:08:34 -05:00
|
|
|
conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
|
|
|
|
|
conn=0 op=0 RESULT tag=97 err=0 text=
|
|
|
|
|
conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
|
|
|
|
|
conn=0 fd=12 closed (connection lost)
|
|
|
|
|
|
2009-08-17 20:49:15 -04:00
|
|
|
---
|
|
|
|
|
|
|
|
|
|
This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
|
|
|
|
2017-01-03 15:36:47 -05:00
|
|
|
Copyright 2009-2017 The OpenLDAP Foundation.
|
2009-08-17 20:49:15 -04:00
|
|
|
All rights reserved.
|
|
|
|
|
|
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
|
|
|
modification, are permitted only as authorized by the OpenLDAP
|
|
|
|
|
Public License.
|
|
|
|
|
|
|
|
|
|
A copy of this license is available in the file LICENSE in the
|
|
|
|
|
top-level directory of the distribution or, alternatively, at
|
|
|
|
|
<http://www.OpenLDAP.org/license.html>.
|
2009-01-25 23:08:34 -05:00
|
|
|
|
2009-08-17 20:49:15 -04:00
|
|
|
---
|
2009-01-25 23:08:34 -05:00
|
|
|
|
2009-08-17 20:49:15 -04:00
|
|
|
ACKNOWLEDGEMENT:
|
|
|
|
|
This work was initially developed by Jeff Turner for inclusion in
|
2012-06-14 13:15:48 -04:00
|
|
|
OpenLDAP Software, based upon the SHA-2 implementation independently
|
2009-08-17 20:49:15 -04:00
|
|
|
developed by Aaron Gifford.
|
2009-01-25 23:08:34 -05:00
|
|
|
|
