summaryrefslogtreecommitdiffstats
path: root/contrib/slapd-modules/passwd/pbkdf2/README
blob: 2f9a6350c975006c19cf227a5d4700188d2b3508 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
PBKDF2 for OpenLDAP
=======================

pw-pbkdf2.c provides PBKDF2 key derivation functions in OpenLDAP.

Schemes:

 * {PBKDF2} -  alias to {PBKDF2-SHA1}
 * {PBKDF2-SHA1}
 * {PBKDF2-SHA256}
 * {PBKDF2-SHA512}

# Requirements

  * OpenSSL 1.0.0 or later

# Installations

First, You need to configure and build OpenLDAP.

    $ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/
    $ git clone https://github.com/hamano/openldap-pbkdf2.git
    $ cd openldap-pbkdf2/
    $ make
    # make install

# Configration

In slapd.conf:

    moduleload pw-pbkdf2.so

You can also tell OpenLDAP to use the schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash
option in slapd.conf. For example:

    password-hash {PBKDF2}
or
    password-hash {PBKDF2-SHA256}
or
    password-hash {PBKDF2-SHA512}

# Testing

You can get hash to use slappasswd.

    $ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
    {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw

A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, eg:

    rootdn "cn=Manager,dc=example,dc=com"
    rootpw {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw

Then to test, run something like:

    $ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret

# Debugging
You can specify -DSLAPD_PBKDF2_DEBUG flag for debugging.

# Message Format

    {PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>

# References

* [RFC 2898 Password-Based Cryptography][^1]
[^1]: http://tools.ietf.org/html/rfc2898

* [PKCS #5 PBKDF2 Test Vectors][^2]
[^2]: http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-06

* [RFC 2307 Using LDAP as a Network Information Service][^3]
[^3]: http://tools.ietf.org/html/rfc2307

* [Python Passlib][^4]
[^4]: http://pythonhosted.org/passlib/

* [Adapted Base64 Encoding][^5]
[^5]: http://pythonhosted.org/passlib/lib/passlib.utils.html#passlib.utils.ab64_encode

# License
This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2009-2021 The OpenLDAP Foundation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

# ACKNOWLEDGEMENT
This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp>