1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
PBKDF2 for OpenLDAP
=======================
pw-pbkdf2.c provides PBKDF2 key derivation functions in OpenLDAP.
Schemes:
* {PBKDF2} - alias to {PBKDF2-SHA1}
* {PBKDF2-SHA1}
* {PBKDF2-SHA256}
* {PBKDF2-SHA512}
# Requirements
* OpenSSL 1.0.0 or later
# Installations
First, You need to configure and build OpenLDAP.
$ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/
$ git clone https://github.com/hamano/openldap-pbkdf2.git
$ cd openldap-pbkdf2/
$ make
# make install
# Configration
In slapd.conf:
moduleload pw-pbkdf2.so
You can also tell OpenLDAP to use the schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash
option in slapd.conf. For example:
password-hash {PBKDF2}
or
password-hash {PBKDF2-SHA256}
or
password-hash {PBKDF2-SHA512}
# Testing
You can get hash to use slappasswd.
$ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
{PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw
A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, eg:
rootdn "cn=Manager,dc=example,dc=com"
rootpw {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw
Then to test, run something like:
$ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret
# Debugging
You can specify -DSLAPD_PBKDF2_DEBUG flag for debugging.
# Message Format
{PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>
# References
* [RFC 2898 Password-Based Cryptography][^1]
[^1]: http://tools.ietf.org/html/rfc2898
* [PKCS #5 PBKDF2 Test Vectors][^2]
[^2]: http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-06
* [RFC 2307 Using LDAP as a Network Information Service][^3]
[^3]: http://tools.ietf.org/html/rfc2307
* [Python Passlib][^4]
[^4]: http://pythonhosted.org/passlib/
* [Adapted Base64 Encoding][^5]
[^5]: http://pythonhosted.org/passlib/lib/passlib.utils.html#passlib.utils.ab64_encode
# License
This work is part of OpenLDAP Software <http://www.openldap.org/>.
Copyright 2009-2021 The OpenLDAP Foundation.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.
A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.
# ACKNOWLEDGEMENT
This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp>
|