Directory listing:

Name          Date         Size
Makefile      07-Feb-2012  278
README        07-Feb-2012  4.3 KiB
sha2.c        07-Feb-2012  31.3 KiB
sha2.h        07-Feb-2012  6.3 KiB
slapd-sha2.c  07-Feb-2012  6.6 KiB

README

SHA-512 OpenLDAP support
------------------------

slapd-sha2.c provides support for SHA-512, SHA-384 and SHA-256 hashed passwords in
OpenLDAP. For instance, one could have the LDAP attribute:

userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

or:

userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt

or:

userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

all of which encode the password 'secret'. Note that the stored value is
the plain digest of the password, base64-encoded, with no salt: two users
with the same password get the same userPassword value, and a precomputed
table of digests applies directly to any value that leaks.

Building
--------

1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP
source root.

For initial testing you might also want to edit CCFLAGS to define
SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on
in production, as it prints every password being validated in cleartext).

2) Run 'make' to produce slapd-sha2.so

3) Copy slapd-sha2.so somewhere permanent.

4) Edit your slapd.conf (e.g. /etc/ldap/slapd.conf), and add:

moduleload ...path/to/slapd-sha2.so

5) Restart slapd.


Configuring
-----------

The {SHA256}, {SHA384} and {SHA512} password schemes should now be recognised.

You can also tell OpenLDAP to use one of these new schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash option in
slapd.conf. For example:

password-hash	{SHA256}


Testing
-------

A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, e.g.:

rootdn          "cn=admin,dc=example,dc=com"
# This is the {SHA256} hash of the string 'secret'
rootpw  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

Then to test, run something like:

ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret

(-w passes the password on the command line, where it is visible in the
process list and shell history; use -W to be prompted instead, as in the
ldapmodify example below.)


-- Test hashes:

Test hashes can be generated with openssl:

$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
$ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64
WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
W192CF5bDufKRpayrW/isg==

(openssl enc -base64 wraps its output at 64 characters; join those lines
up to form the full hash, or pass -A to get it on one line. The -n to
echo is essential: a trailing newline would be hashed into the value.)


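The following Python script is added here as a worked example; it is not part of the slapd-sha2 module or of OpenLDAP. It generates userPassword values in the three schemes described in this README and checks a candidate password against a stored value the way the module does (hash the candidate, compare the digests), reproducing the openssl one-liners above so the values on this page can be regenerated and verified offline. The function and constant names (hash_password, check_password, split_scheme, SCHEMES) are this example's own, and accepting a lower-case scheme tag is this example's choice, not something the README states.

```python
import base64
import hashlib
import hmac

# Scheme tag -> hashlib constructor. These schemes are unsalted: the stored
# value is just the digest of the password, base64-encoded.
SCHEMES = {
    "{SHA256}": hashlib.sha256,
    "{SHA384}": hashlib.sha384,
    "{SHA512}": hashlib.sha512,
}


def hash_password(password, scheme="{SHA512}"):
    """Return a userPassword value such as '{SHA256}K7gNU3sd...'.

    Same computation as the README's
      echo -n "$password" | openssl dgst -<alg> -binary | openssl enc -base64
    with the wrapped base64 output joined onto one line.
    """
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: %r" % scheme)
    raw = SCHEMES[scheme](password.encode("utf-8")).digest()
    return scheme + base64.b64encode(raw).decode("ascii")


def split_scheme(stored):
    """Split '{SCHEME}value' into (scheme, value).

    The tag is upper-cased so that this example also accepts '{sha256}';
    that leniency is an assumption of this example, not taken from the README.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value carries no {SCHEME} prefix")
    end = stored.index("}") + 1
    return stored[:end].upper(), stored[end:]


def check_password(stored, candidate):
    """True if candidate hashes to the stored value under its declared scheme.

    Mirrors the module's check (compare with the 'Validating password'
    debug output in the README): hash the candidate, compare with the
    stored digest. The comparison is constant-time so that a wrong guess
    cannot be distinguished from a partially matching one by timing.
    """
    scheme, value = split_scheme(stored)
    if scheme not in SCHEMES:
        return False  # {SSHA}, {CRYPT} etc. belong to other scheme handlers
    try:
        stored_raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False  # malformed base64 never matches
    expected = SCHEMES[scheme](candidate.encode("utf-8")).digest()
    return hmac.compare_digest(stored_raw, expected)


if __name__ == "__main__":
    # Prints the three values quoted in this README for the password 'secret'.
    for tag in SCHEMES:
        print(hash_password("secret", tag))
```

Running the script prints the {SHA256}, {SHA384} and {SHA512} values quoted earlier on this page; because the schemes are unsalted, hash_password is deterministic, which is exactly why identical passwords are visible as identical values in the directory.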
Alternatively we could modify an existing user's password with
ldapmodify, and then test binding as that user:

$ ldapmodify -D "cn=admin,dc=example,dc=com" -x -W
Enter LDAP Password:
dn: uid=jturner,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

modifying entry "uid=jturner,ou=People,dc=example,dc=com"

$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret


Debugging
---------

To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the
commented-out CCFLAGS in Makefile), and then run slapd from the console
to see stderr:

$ sudo /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d 256
@(#) $OpenLDAP$
        buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
/etc/ldap/slapd.conf: line 123: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 140: rootdn is always granted unlimited privileges.
slapd starting
...
Validating password
  Password to validate: secret
  Hashes to: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  Stored password scheme: {SHA256}
  Stored password value: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  -> Passwords match
conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=0 fd=12 closed (connection lost)

---

This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2009-2011 The OpenLDAP Foundation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

---

ACKNOWLEDGEMENT:
This work was initially developed by Jeff Turner for inclusion in
OpenLDAP Software, based upon the SHA2 implementation independently
developed by Aaron Gifford.
