Import crypt salt format and misc manual page updates from HEAD

CHANGES

@@ -10,6 +10,7 @@ OpenLDAP 2.0.12 Engineering
 	Added slapd modrdn children check (ITS#1053,1192)
 	Added slapd sb_max_incoming_auth support (ITS#1181)
 	Added slapd DB_ENV support
+	Added slapd crypt salt format support (ITS#1202)
 	Updated slapd schema check handling
 	Updated ldbm to use BerkeleyDB's CDB (ITS#1176)
 	Updated slapd filter checks

doc/man/man3/ldap.3

@@ -91,12 +91,6 @@ The
 routines can be used test a URL to see if it is an LDAP URL, to parse LDAP
 URLs into their component pieces, and to initiate searches directly using
 an LDAP URL.
-.SH USER FRIENDLY NAMING
-The
-.BR ldap_ufn (3)
-routines implement a user friendly naming
-scheme via LDAP.  This scheme allows you to look up entries
-using fuzzy, untyped names like "john smith, example corp, ca, us".
 .SH CACHING
 The
 .BR ldap_cache (3)
@@ -310,9 +304,6 @@ convert a DN into its component parts
 .SM ldap_explode_rdn(3)
 convert a RDN into its component parts
 .TP
-.SM ldap_dn2ufn(3)
-convert a DN into user friendly form
-.TP
 .SM ldap_get_values(3)
 return an attribute's values
 .TP
@@ -391,24 +382,6 @@ synchronously search the directory
 .SM ldap_search_st(3)
 synchronously search the directory with timeout
 .TP
-.SM ldap_ufn_search_s(3)
-user friendly search the directory
-.TP
-.SM ldap_ufn_search_c(3)
-user friendly search the directory with cancel
-.TP
-.SM ldap_ufn_search_ct(3)
-user friendly search the directory with cancel and timeout
-.TP
-.SM ldap_ufn_setfilter(3)
-set filter file used by ldap_ufn(3) routines
-.TP
-.SM ldap_ufn_setprefix(3)
-set prefix used by ldap_ufn(3) routines
-.TP
-.SM ldap_ufn_timeout(3)
-set timeout used by ldap_ufn(3) routines
-.TP
 .SM ldap_is_ldap_url(3)
 check a URL string to see if it is an LDAP URL
 .TP

doc/man/man3/ldap_bind.3

@@ -3,7 +3,7 @@
 .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
-ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_kerberos_bind_s, ldap_kerberos_bind1, ldap_kerberos_bind1_s, ldap_kerberos_bind2, ldap_kerberos_bind2_s, ldap_unbind, ldap_unbind_s, ldap_set_rebind_proc \- LDAP bind routines
+ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_kerberos_bind_s, ldap_kerberos_bind1, ldap_kerberos_bind1_s, ldap_kerberos_bind2, ldap_kerberos_bind2_s, ldap_unbind, ldap_unbind_s \- LDAP bind routines
 .SH SYNOPSIS
 .nf
 .ft B
@@ -74,12 +74,12 @@ LDAP *ld;
 int ldap_unbind_s(ld)
 .ft
 LDAP *ld;
-.LP
-.ft B
-void ldap_set_rebind_proc( ld, rebindproc )
-.ft
-LDAP *ld;
-int (*rebindproc)();
+.\" .LP
+.\" .ft B
+.\" void ldap_set_rebind_proc( ld, rebindproc )
+.\" .ft
+.\" LDAP *ld;
+.\" int (*rebindproc)();
 .SH DESCRIPTION
 .LP
 These routines provide various interfaces to the LDAP bind operation.
@@ -154,38 +154,38 @@ The
 call is just another name for
 .BR ldap_unbind() ;
 both of these calls are synchronous in nature.
-.SH RE-BINDING WHILE FOLLOWING REFERRALS
-The
-.B ldap_set_rebind_proc()
-call is used to set a routine that will be called back to obtain bind
-credentials used when a new server is contacted during the following of
-an LDAP referral.  Note that this function is only available when the
-LDAP libraries are compiled with LDAP_REFERRALS defined and is only
-used when the ld_options field in the LDAP structure has
-LDAP_OPT_REFERRALS set (this is the default).  If
-.B ldap_set_rebind_proc()
-is never called, or if it is called with a NULL \fIrebindproc\fP
-parameter, an unauthenticated simple LDAP bind will always be done
-when chasing referrals.
-.LP
-\fIrebindproc\fP should be a function that is declared like this:
-.LP
-.nf
-int rebindproc( LDAP *ld, char **whop, char **credp,
-    int *methodp, int freeit );
-.fi
-.LP
-The LDAP library will first call the rebindproc to obtain the
-referral bind credentials, and the \fIfreeit\fP parameter will be
-zero.  The \fIwhop\fP, \fIcredp\fP, and \fImethodp\fP should be
-set as appropriate.  If the rebindproc returns LDAP_SUCCESS, referral
-processing continues, and the rebindproc will be called a second
-time with \fIfreeit\fP non-zero to give your application a chance to
-free any memory allocated in the previous call.
-.LP
-If anything but LDAP_SUCCESS is returned by the first call to
-the rebindproc, then referral processing is stopped and that error code
-is returned for the original LDAP operation.
+.\" .SH RE-BINDING WHILE FOLLOWING REFERRALS
+.\" The
+.\" .B ldap_set_rebind_proc()
+.\" call is used to set a routine that will be called back to obtain bind
+.\" credentials used when a new server is contacted during the following of
+.\" an LDAP referral.  Note that this function is only available when the
+.\" LDAP libraries are compiled with LDAP_REFERRALS defined and is only
+.\" used when the ld_options field in the LDAP structure has
+.\" LDAP_OPT_REFERRALS set (this is the default).  If
+.\" .B ldap_set_rebind_proc()
+.\" is never called, or if it is called with a NULL \fIrebindproc\fP
+.\" parameter, an unauthenticated simple LDAP bind will always be done
+.\" when chasing referrals.
+.\" .LP
+.\" \fIrebindproc\fP should be a function that is declared like this:
+.\" .LP
+.\" .nf
+.\" int rebindproc( LDAP *ld, char **whop, char **credp,
+.\" int *methodp, int freeit );
+.\" .fi
+.\" .LP
+.\" The LDAP library will first call the rebindproc to obtain the
+.\" referral bind credentials, and the \fIfreeit\fP parameter will be
+.\" zero.  The \fIwhop\fP, \fIcredp\fP, and \fImethodp\fP should be
+.\" set as appropriate.  If the rebindproc returns LDAP_SUCCESS, referral
+.\" processing continues, and the rebindproc will be called a second
+.\" time with \fIfreeit\fP non-zero to give your application a chance to
+.\" free any memory allocated in the previous call.
+.\" .LP
+.\" If anything but LDAP_SUCCESS is returned by the first call to
+.\" the rebindproc, then referral processing is stopped and that error code
+.\" is returned for the original LDAP operation.
 .SH ERRORS
 Asynchronous routines will return -1 in case of error, setting the
 \fIld_errno\fP parameter of the \fIld\fP structure.  Synchronous

doc/man/man3/ldap_bind.3.links

@@ -12,4 +12,3 @@ ldap_unbind.3
 ldap_unbind_ext.3
 ldap_unbind_s.3
 ldap_unbind_ext_s.3
-ldap_set_rebind_proc.3

doc/man/man3/ldap_cache.3

@@ -52,7 +52,9 @@ unsigned long	opts;
 .fi
 .SH DESCRIPTION
 .LP
-These routines are used to control the behavior of client caching of
+These routines are used to control the behavior of the
+.B experimental
+client caching of
 .BR ldap_search (3)
 and
 .BR ldap_compare (3)

doc/man/man5/slapd.conf.5

@@ -247,6 +247,20 @@ and
 The default is
 .BR {SSHA} .
 .TP
+.B password-crypt-salt-format <format>
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.  
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./].  For example, "%.2s"
+provides a two character salt and "$1$%.8s" tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt.  The default is "%s", which
+provides 31 characters of salt.
+.TP
 .B pidfile <filename>
 The ( absolute ) name of a file that will hold the 
 .B slapd

doc/man/man8/slappasswd.8

@@ -10,6 +10,7 @@ slappasswd \- OpenLDAP password utility
 .B [\-u]
 .B [\-s secret]
 .B [\-h hash]
+.B [\-c salt-format]
 .B 
 .LP
 .SH DESCRIPTION
@@ -21,13 +22,14 @@ suitable for use with
 or
 .BR slapd.conf (5)
 .I rootpw
-coniguration directive.
+configuration directive.
 .SH OPTIONS
 .TP
 .B \-v
 enable verbose mode.
+.TP
 .B \-u
-generate RFC2307 userPassword values (the default).  Future
+Generate RFC2307 userPassword values (the default).  Future
 versions of this program may generate alternative syntaxes
 by default.  This option is provided for forward compatibility.
 .TP
@@ -35,6 +37,7 @@ by default.  This option is provided for forward compatibility.
 The secret to hash.  If not provided, the user will be prompted
 for the secret to hash.
 .TP
+.BI \-h " scheme"
 If -h is specified, one of the following RFC2307 schemes may
 be specified:
 .IR {CRYPT} ,
@@ -44,7 +47,20 @@ be specified:
 .IR {SHA} .
 The default is 
 .IR {SSHA} .
-.LP
+.TP
+.BI \-c " crypt-salt-format"
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.  
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./].  For example, "%.2s"
+provides a two character salt and "$1$%.8s" tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt.  The default is "%s", which
+provides 31 characters of salt.
 .SH LIMITATIONS
 The practice storing hashed passwords in userPassword violates
 Standard Track (RFC2256) schema specifications and may hinder

include/lutil.h

@@ -95,6 +95,10 @@ LDAP_LUTIL_F( int )
 lutil_passwd_scheme LDAP_P((
 	const char *scheme ));
 
+LDAP_LUTIL_F( int )
+lutil_salt_format LDAP_P((
+	const char *format ));
+
 /* utils.c */
 LDAP_LUTIL_F( char* )
 lutil_progname LDAP_P((

libraries/liblutil/passwd.c

@@ -57,6 +57,10 @@
 static const unsigned char crypt64[] =
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
 
+#ifdef SLAPD_CRYPT
+static const char *salt_format = NULL;
+#endif
+
 struct pw_scheme;
 
 typedef int (*PASSWD_CHK_FUNC)(
@@ -1017,7 +1021,7 @@ static struct berval *hash_crypt(
 	const struct berval *passwd )
 {
 	struct berval hash;
-	unsigned char salt[3];
+	unsigned char salt[32];	/* salt suitable for most anything */
 	int i;
 
 	for( i=0; i<passwd->bv_len; i++) {
@@ -1030,13 +1034,22 @@ static struct berval *hash_crypt(
 		return NULL;	/* passwd must behave like a string */
 	}
 
-	if( lutil_entropy( salt, sizeof(salt)) < 0 ) {
+	if( lutil_entropy( salt, sizeof( salt ) ) < 0 ) {
 		return NULL; 
 	}
 
-	salt[0] = crypt64[ salt[0] % (sizeof(crypt64)-1) ];
-	salt[1] = crypt64[ salt[1] % (sizeof(crypt64)-1) ];
-	salt[2] = '\0';
+	for( i=0; i< ( sizeof(salt) - 1 ); i++ ) {
+		salt[i] = crypt64[ salt[i] % (sizeof(crypt64)-1) ];
+	}
+	salt[sizeof( salt ) - 1 ] = '\0';
+
+	if( salt_format != NULL ) {
+		/* copy the salt we made into entropy before snprintfing
+		   it back into the salt */
+		char entropy[sizeof(salt)];
+		strcpy( entropy, salt );
+		snprintf( salt, sizeof(entropy), salt_format, entropy );
+	}
 
 	hash.bv_val = crypt( passwd->bv_val, salt );
 
@@ -1051,3 +1064,14 @@ static struct berval *hash_crypt(
 	return pw_string( scheme, &hash );
 }
 #endif
+
+int lutil_salt_format(const char *format)
+{
+#ifdef SLAPD_CRYPT
+	free(salt_format);
+
+	salt_format = format != NULL ? strdup(format) : NULL;
+#endif
+
+	return 0;
+}

servers/slapd/config.c

@@ -320,6 +320,17 @@ read_config( const char *fname )
 				default_passwd_hash = ch_strdup( cargv[1] );
 			}
 
+		} else if ( strcasecmp( cargv[0], "password-crypt-salt-format" ) == 0 ) 
+		{
+			if ( cargc < 2 ) {
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: missing format in "
+					"\"password-crypt-salt-format <format>\" line\n",
+				    fname, lineno, 0 );
+				return 1;
+			}
+
+			lutil_salt_format( cargv[1] );
+
 		/* set SASL host */
 		} else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
 			if ( cargc < 2 ) {

servers/slapd/tools/slappasswd.c

@@ -31,6 +31,7 @@ usage(const char *s)
 		"Usage: %s [options]\n"
 		"  -h hash\tpassword scheme\n"
 		"  -s secret\tnew password\n"
+		"  -c format\tcrypt(3) salt format\n"
 		"  -u\t\tgenerate RFC2307 values (default)\n"
 		"  -v\t\tincrease verbosity\n"
 		, s );
@@ -51,24 +52,28 @@ main( int argc, char *argv[] )
 	struct berval *hash = NULL;
 
 	while( (i = getopt( argc, argv,
-		"d:h:s:vu" )) != EOF )
+		"c:d:h:s:vu" )) != EOF )
 	{
 		switch (i) {
+		case 'c':	/* crypt salt format */
+			scheme = "{CRYPT}";
+			lutil_salt_format( optarg );
+			break;
+
 		case 'h':	/* scheme */
-			scheme = strdup (optarg);
+			scheme = strdup( optarg );
 			break;
 
 		case 's':	/* new password (secret) */
-			newpw = strdup (optarg);
-
 			{
 				char* p;
+				newpw = strdup( optarg );
 
 				for( p = optarg; *p != '\0'; p++ ) {
 					*p = '\0';
 				}
-			}
-			break;
+
+			} break;
 
 		case 'u':	/* RFC2307 userPassword */
 			break;