diff --git a/contrib/slapd-modules/adremap/Makefile b/contrib/slapd-modules/adremap/Makefile index e4cab3bdbe..b4c0d7b9e2 100644 --- a/contrib/slapd-modules/adremap/Makefile +++ b/contrib/slapd-modules/adremap/Makefile @@ -17,6 +17,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = -DSLAPD_OVER_ADREMAP=SLAPD_MOD_DYNAMIC @@ -24,6 +25,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = adremap.la +MANPAGES = slapo-adremap.5 LTVER = 0:0:0 prefix=/usr/local @@ -33,6 +35,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -48,9 +52,17 @@ adremap.la: adremap.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/allop/Makefile b/contrib/slapd-modules/allop/Makefile index 1af134cadf..04de358fbc 100644 --- a/contrib/slapd-modules/allop/Makefile +++ b/contrib/slapd-modules/allop/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = @@ -14,6 +15,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = allop.la +MANPAGES = slapo-allop.5 LTVER = 0:0:0 prefix=/usr/local 
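Review bot: In adremap/Makefile's directory hunk, `mandir` is derived from `$(exec_prefix)`, the root for architecture-dependent files, although man pages are architecture-independent and GNU-style layouts place them under `$(prefix)/share/man`. The `exec_prefix` definition sits outside the visible hunks, but if a packager sets it apart from `prefix`, the pages land in a tree that MANPATH is unlikely to cover. I would write `mandir = $(prefix)/share/man`. The same line is added to every other Makefile touched by this patch.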
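Review bot: In adremap/Makefile's install hunk, `install-man` pins the page to mode 644 but creates its directory with `mkdir -p $(DESTDIR)$(man5dir)`, so the directory mode follows the installing user's umask and a root install under a permissive umask can leave it group- or world-writable. Since INSTALL is now defined, `$(INSTALL) -d -m 755 $(DESTDIR)$(man5dir)` would pin the mode of the directory it creates. Separately, `FORCE` is attached only to `install`, so a stray file named `install-lib` or `install-man` that is newer than its prerequisites makes that sub-target look up to date and silently skips the step; adding `FORCE` to both prerequisite lists closes that. The same recipe is repeated in the allop, cloak, lastbind, lastmod, nops, nssov, passwd, pbkdf2, sha2, totp and smbk5pwd Makefiles.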
@@ -23,6 +25,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -38,9 +42,17 @@ allop.la: allop.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/cloak/Makefile b/contrib/slapd-modules/cloak/Makefile index 424e3b7543..d120be09ae 100644 --- a/contrib/slapd-modules/cloak/Makefile +++ b/contrib/slapd-modules/cloak/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = -DSLAPD_OVER_CLOAK=SLAPD_MOD_DYNAMIC @@ -14,6 +15,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = cloak.la +MANPAGES = slapo-cloak.5 LTVER = 0:0:0 prefix=/usr/local @@ -23,6 +25,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -38,9 +42,17 @@ cloak.la: cloak.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/lastbind/Makefile b/contrib/slapd-modules/lastbind/Makefile index 1745aa8435..bdc1b787e6 100644 
--- a/contrib/slapd-modules/lastbind/Makefile +++ b/contrib/slapd-modules/lastbind/Makefile @@ -17,6 +17,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = -DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC @@ -24,6 +25,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = lastbind.la +MANPAGES = slapo-lastbind.5 LTVER = 0:0:0 prefix=/usr/local @@ -33,6 +35,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -48,9 +52,17 @@ lastbind.la: lastbind.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/lastmod/Makefile b/contrib/slapd-modules/lastmod/Makefile index 098984e805..9bda2571e0 100644 --- a/contrib/slapd-modules/lastmod/Makefile +++ b/contrib/slapd-modules/lastmod/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = -DSLAPD_OVER_LASTMOD=SLAPD_MOD_DYNAMIC @@ -14,6 +15,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = lastmod.la +MANPAGES = slapo-lastmod.5 LTVER = 0:0:0 prefix=/usr/local @@ -23,6 +25,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo 
@@ -38,10 +42,17 @@ lastmod.la: lastmod.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: diff --git a/contrib/slapd-modules/nops/Makefile b/contrib/slapd-modules/nops/Makefile index eda7b470f7..8cf86199ae 100644 --- a/contrib/slapd-modules/nops/Makefile +++ b/contrib/slapd-modules/nops/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = -DSLAPD_OVER_NOPS=SLAPD_MOD_DYNAMIC @@ -14,6 +15,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = nops.la +MANPAGES = slapo-nops.5 LTVER = 0:0:0 prefix=/usr/local @@ -23,6 +25,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -38,9 +42,17 @@ nops.la: nops.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/nssov/Makefile b/contrib/slapd-modules/nssov/Makefile index 47335f0442..e118835041 100644 --- a/contrib/slapd-modules/nssov/Makefile +++ b/contrib/slapd-modules/nssov/Makefile 
@@ -26,6 +26,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ NLDAPD_INC=-Inss-pam-ldapd LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install OPT = -g -O2 -Wall CC = gcc DEFS = @@ -41,6 +42,8 @@ libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) sysconfdir = $(prefix)/etc$(ldap_subdir) schemadir = $(sysconfdir)/schema +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 all: nssov.la @@ -49,6 +52,8 @@ XOBJS = tio.lo OBJS = alias.lo ether.lo group.lo host.lo netgroup.lo network.lo \ nssov.lo passwd.lo protocol.lo rpc.lo service.lo shadow.lo pam.lo +MANPAGES = slapo-nssov.5 + .SUFFIXES: .c .o .lo .c.lo: @@ -63,11 +68,19 @@ nssov.la: $(OBJS) $(XOBJS) $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \ -rpath $(moduledir) -module -o $@ $(OBJS) $(XOBJS) $(LIBS) -install: nssov.la +install: install-lib install-man FORCE + +install-lib: nssov.la mkdir -p $(DESTDIR)$(moduledir) $(LIBTOOL) --mode=install cp nssov.la $(DESTDIR)$(moduledir) cp ldapns.schema $(DESTDIR)$(schemadir) +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + clean: rm -f *.*o *.la .libs/* rm -rf .libs diff --git a/contrib/slapd-modules/passwd/Makefile b/contrib/slapd-modules/passwd/Makefile index b4f2b93c9b..d00b32c399 100644 --- a/contrib/slapd-modules/passwd/Makefile +++ b/contrib/slapd-modules/passwd/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = @@ -14,6 +15,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la +MANPAGES = slapd-pw-radius.5 LTVER = 0:0:0 prefix=/usr/local 
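Review bot: In nssov/Makefile's install hunk, the renamed `install-lib` recipe still runs `cp ldapns.schema $(DESTDIR)$(schemadir)`, and no visible line creates that directory. In a staged install into a fresh DESTDIR the copy fails, or, if only the parent directory exists, it writes a plain file named `schema` instead of populating a directory. With INSTALL now defined, the recipe could run `mkdir -p $(DESTDIR)$(schemadir)` and then `$(INSTALL) -m 644 ldapns.schema $(DESTDIR)$(schemadir)`, which also fixes the schema file's mode rather than inheriting it from the source tree and umask.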
@@ -23,6 +25,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -50,9 +54,17 @@ pw-apr1.la: apr1.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/passwd/pbkdf2/Makefile b/contrib/slapd-modules/passwd/pbkdf2/Makefile index 64ad97c9a5..fa98b0f0fc 100644 --- a/contrib/slapd-modules/passwd/pbkdf2/Makefile +++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall #DEFS = -DSLAPD_PBKDF2_DEBUG @@ -15,6 +16,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) -lcrypto PROGRAMS = pw-pbkdf2.la +MANPAGES = slapd-pw-pbkdf2.5 LTVER = 0:0:0 #prefix=/usr/local @@ -26,6 +28,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo @@ -41,8 +45,17 @@ pw-pbkdf2.la: pw-pbkdf2.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done + +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + 
diff --git a/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5 b/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5
new file mode 100644
index 0000000000..5c6928ca77
--- /dev/null
+++ b/contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5
@@ -0,0 +1,112 @@
+.TH SLAPD-PW-PBKDF2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapd-pw-pbkdf2 \- SHA-2 password module to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.RS
+.LP
+.B moduleload
+.B pw-pbkdf2
+.RE
+.SH DESCRIPTION
+.LP
+The
+.B pw-pbkdf2
+module to
+.BR slapd (8)
+provides support for the use of the key stretching function
+PBKDF2 (Password-Based Key Derivation Function 2) following RFC 2898
+in hashed passwords in OpenLDAP.
+.LP
+It does so by providing the following additional password schemes for use in slapd:
+.RS
+.TP
+.B {PBKDF2}
+alias to {PBKDF2-SHA1}
+.TP
+.B {PBKDF2-SHA1}
+PBKDF2 using HMAC-SHA-1 as the underlying pseudorandom function
+.TP
+.B {PBKDF2-SHA256}
+PBKDF2 using HMAC-SHA-256 as the underlying pseudorandom function
+.TP
+.B {PBKDF2-SHA512}
+PBKDF2 using HMAC-SHA-512 as the underlying pseudorandom function
+.RE
+
+.SH CONFIGURATION
+The
+.B pw-pbkdf2
+module does not need any configuration.
+.LP
+After loading the module, the password schemes
+{PBKDF2}, {PBKDF2-SHA1}, {PBKDF2-SHA256}, and {PBKDF2-SHA512}
+will be recognised in values of the
+.I userPassword
+attribute.
+.LP
+You can then instruct OpenLDAP to use these schemes when processing
+the LDAPv3 Password Modify (RFC 3062) extended operations by using the
+.BR password-hash
+option in
+.BR slapd.conf (5).
+
+.SH NOTES
+If you want to use the schemes described here with
+.BR slappasswd (8),
+don't forget to load the module using its command line options.
+The relevant option/value is:
+.RS
+.LP
+.B \-o
+.BR module\-load = pw-pbkdf2
+.LP
+.RE
+Depending on
+.BR pw-pbkdf2 's
+location, you may also need:
+.RS
+.LP
+.B \-o
+.BR module\-path = \fIpathspec\fP
+.RE
+
+.SH EXAMPLES
+All of the userPassword LDAP attributes below encode the password
+.RI ' secret '.
+.EX +.LP +userPassword: {PBKDF2-SHA512}10000$/oQ4xZi382mk7kvCd3ZdkA$2wqjpuyV2l0U/a1QwoQPOtlQL.UcJGNACj1O24balruqQb/NgPW6OCvvrrJP8.SzA3/5iYvLnwWPzeX8IK/bEQ +.LP +userPassword: {PBKDF2-SHA256}10000$jq40ImWtmpTE.aYDYV1GfQ$mpiL4ui02ACmYOAnCjp/MI1gQk50xLbZ54RZneU0fCg +.LP +userPassword: {PBKDF2-SHA1}10000$QJTEclnXgh9Cz3ChCWpdAg$9.s98jwFJM.NXJK9ca/oJ5AyoAQ +.EE +.LP +To make {PBKDF2-SHA512} the password hash used in Password Modify extended operations, +simply set this line in slapd.conf(5): +.EX +.LP +password-hash {PBKDF2-SHA512} +.EX + +.SH SEE ALSO +.BR slapd.conf (5), +.BR ldappasswd (1), +.BR slappasswd (8), +.BR ldap (3), +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.LP + +.SH ACKNOWLEDGEMENTS +This manual page has been writen by Peter Marschall based on the +module's README file written by HAMANO Tsukasa +.LP +.B OpenLDAP +is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release. diff --git a/contrib/slapd-modules/passwd/sha2/Makefile b/contrib/slapd-modules/passwd/sha2/Makefile index 0abab68f71..e9fbc234ba 100644 --- a/contrib/slapd-modules/passwd/sha2/Makefile +++ b/contrib/slapd-modules/passwd/sha2/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = @@ -15,6 +16,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = pw-sha2.la +MANPAGES = slapd-pw-sha2.5 LTVER = 0:0:0 prefix=/usr/local @@ -24,6 +26,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo 
@@ -39,9 +43,17 @@ pw-sha2.la: slapd-sha2.lo sha2.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/passwd/sha2/slapd-pw-sha2.5 b/contrib/slapd-modules/passwd/sha2/slapd-pw-sha2.5 new file mode 100644 index 0000000000..5c1edd13eb --- /dev/null +++ b/contrib/slapd-modules/passwd/sha2/slapd-pw-sha2.5 
@@ -0,0 +1,118 @@
+.TH SLAPD-PW-SHA2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapd-pw-sha2 \- SHA-2 password module to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.RS
+.LP
+.B moduleload
+.B pw-sha2
+.RE
+.SH DESCRIPTION
+.LP
+The
+.B pw-sha2
+module to
+.BR slapd (8)
+provides support for the use of SSHA-512, SSHA-384, SSHA-256, SHA-512,
+SHA-384 and SHA-256 from the SHA-2 family (FIPS 180-2) of hash functions
+in hashed passwords in OpenLDAP.
+.LP
+It does so by providing the following additional password schemes for use in slapd:
+.RS
+.TP
+.B {SSHA256}
+SHA-256 with salt, giving hash values of 256 bits length
+.TP
+.B {SHA256}
+plain SHA-256 giving hash values of 256 bits length
+.TP
+.B {SSHA384}
+SHA-384 with salt, giving hash values of 384 bits length
+.TP
+.B {SHA384}
+plain SHA-384 giving hash values of 384 bits length
+.TP
+.B {SSHA512}
+SHA-512 with salt, giving hash values of 512 bits length
+.TP
+.B {SHA512}
+plain SHA-512 giving hash values of 512 bits length
+.RE
+
+.SH CONFIGURATION
+The
+.B pw-sha2
+module does not need any configuration.
+.LP
+After loading the module, the password schemes
+{SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384}, and {SHA512}
+will be recognised in values of the
+.I userPassword
+attribute.
+.LP
+You can then instruct OpenLDAP to use these schemes when processing
+the LDAPv3 Password Modify (RFC 3062) extended operations by using the
+.BR password-hash
+option in
+.BR slapd.conf (5).
+
+.SH NOTES
+If you want to use the schemes described here with
+.BR slappasswd (8),
+don't forget to load the module using its command line options.
+The relevant option/value is:
+.RS
+.LP
+.B \-o
+.BR module\-load = pw-sha2
+.LP
+.RE
+Depending on
+.BR pw-sha2 's
+location, you may also need:
+.RS
+.LP
+.B \-o
+.BR module\-path = \fIpathspec\fP
+.RE
+
+.SH EXAMPLES
+All of the userPassword LDAP attributes below encode the password
+.RI ' secret '.
+.EX
+.LP
+userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
+.LP
+userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
+.LP
+userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
+.EE
+.LP
+To make {SSHA512} the password hash used in Password Modify extended operations,
+simply set this line in slapd.conf(5):
+.EX
+.LP
+password-hash {SSHA512}
+.EX
+
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR ldappasswd (1),
+.BR slappasswd (8),
+.BR ldap (3),
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.LP
+
+.SH ACKNOWLEDGEMENTS
+This manual page has been writen by Peter Marschall based on the
+module's README file written by Jeff Turner.
+.LP
+.B OpenLDAP
+is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
+.B OpenLDAP
+is derived from University of Michigan LDAP 3.3 Release.
diff --git a/contrib/slapd-modules/passwd/slapd-pw-radius.5 b/contrib/slapd-modules/passwd/slapd-pw-radius.5
new file mode 100644
index 0000000000..7b2bb98b5a
--- /dev/null
+++ b/contrib/slapd-modules/passwd/slapd-pw-radius.5
@@ -0,0 +1,110 @@
+.TH SLAPD-PW-RADIUS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapd-pw-radius \- Radius backend password module to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.RS
+.LP
+.B moduleload
+.B pw-radius
+.I /path/to/radius.conf
+.RE
+.SH DESCRIPTION
+.LP
+The
+.B pw-radius
+module to
+.BR slapd (8)
+provides support for using a RADIUS infrastructure as backend to
+verify the password provided in Simple Bind operations to OpenLDAP.
+.LP
+It does so by providing an additional password scheme for use in slapd:
+.RS
+.TP
+.B {RADIUS}
+RADIUS password scheme
+.RE
+.LP
+Unlike in other password schemes, the value following the scheme is not
+a - potentially hashed - password, but the name of the corresponding
+RADIUS user in the RADIUS infrastructure.
+.LP
+This value, together with the password used in the Simple Bind operation,
+will be sent to the RADIUS server for authentication.
+.LP
+If the RADIUS server successfully authenticates the user,
+then the password verification succeeds, resulting in the LDAP Bind
+operation's success.
+.LP
+Conversely, failed RADIUS authentications lead to failing LDAP Binds.
+
+.SH CONFIGURATION
+The
+.B pw-radius
+module needs no configuration beyond the additional
+.I filename
+argument to
+.BR slapd.conf (5)'s
+.B moduleload
+directive.
+This filename is expected to point to a valid
+.BR radius.conf (5).
+file adhering to
+.BR libradius (3).
+.LP
+After loading the module, the password scheme
+.B {RADIUS}
+will be recognised in values of the
+.I userPassword
+attribute.
+
+.SH NOTES
+Owing to its construction, using the
+.B {RADIUS}
+scheme as argument to the
+.BR password-hash
+option in
+.BR slapd.conf (5)
+does not make much sense, because of the scheme's construction.
+.LP
+This also applies to the ise of the
+.B {RADIUS}
+scheme in
+.B slappasswd
+or
+.BR ldappasswd .
+ + +.SH EXAMPLES +To indicate that Simple Bind operations shall use the RADIUS user +.B johndoe +when validating passwords against the RADIUS infrastrcuture, +set a user's LDAP attribute userPassword to: +.EX +.LP +userPassword: {RADIUS}johndoe +.EE + +.SH LIMITATIONS +Due to the way the configuration is loaded (additional argument +to slapd.conf's moduleload directive), this module cannot be used +with table-driven configuration. + +.SH SEE ALSO +.BR slapd.conf (5), +.BR libradius (3) +.BR ldap (3), +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.LP + +.SH ACKNOWLEDGEMENTS +This manual page has been writen by Peter Marschall. +.LP +.B OpenLDAP +is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release. diff --git a/contrib/slapd-modules/passwd/totp/Makefile b/contrib/slapd-modules/passwd/totp/Makefile index e25d3164ff..2318befbf5 100644 --- a/contrib/slapd-modules/passwd/totp/Makefile +++ b/contrib/slapd-modules/passwd/totp/Makefile @@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ $(LDAP_BUILD)/libraries/liblber/liblber.la LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall DEFS = @@ -14,6 +15,7 @@ INCS = $(LDAP_INC) LIBS = $(LDAP_LIB) PROGRAMS = pw-totp.la +MANPAGES = slapo-totp.5 LTVER = 0:0:0 prefix=/usr/local @@ -23,6 +25,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo 
@@ -38,9 +42,17 @@ pw-totp.la: slapd-totp.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/passwd/totp/slapo-totp.5 b/contrib/slapd-modules/passwd/totp/slapo-totp.5 new file mode 100644 index 0000000000..de590e6e3a --- /dev/null +++ b/contrib/slapd-modules/passwd/totp/slapo-totp.5 
@@ -0,0 +1,131 @@
+.TH SLAPO-TOTP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapo-totp \- TOTP password support overlay to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.RS
+.LP
+moduleload
+.B lastbind
+.LP
+moduleload
+.B totp
+.LP
+...
+.LP
+database ...
+.LP
+...
+.LP
+overlay
+.B lastbind
+.LP
+overlay
+.B totp
+.RE
+.SH DESCRIPTION
+.LP
+The
+.B totp
+overlay to
+.BR slapd (8)
+provides support for RFC 6238 TOTP Time-based One
+Time Passwords in OpenLDAP using SHA-1, SHA-256, and SHA-512 hashes.
+.LP
+It does so by providing the following additional password schemes for use in slapd:
+.RS
+.TP
+.B {TOTP1}
+TOTP with SHA-1 as hash function.
+This algorithm is compatible with Google Authenticator.
+.TP
+.B {TOTP256}
+TOTP with SHA-256 as hash function
+.TP
+.B {TOTP512}
+TOTP with SHA-512 as hash function
+.RE
+
+.SH CONFIGURATION
+The
+.B totp
+overlay does not need any configuration beyond loading the module and
+defining it as an overlay where the users reside.
+.LP
+After that, the password schemes
+{TOTP1}, {TOTP256}, and {TOTP512}
+will be recognised in values of the
+.I userPassword
+attribute.
+.LP
+You can then instruct OpenLDAP to use these schemes when processing
+the LDAPv3 Password Modify (RFC 3062) extended operations by using the
+.BR password-hash
+option in
+.BR slapd.conf (5).
+
+.SH NOTES
+When using the
+.B lastbind
+overlay together with the
+.B totp
+overlay, the former one needs to be loaded first.
+.LP
+If you want to use the schemes described here with
+.BR slappasswd (8),
+don't forget to load the module using its command line options.
+The relevant option/value is: +.RS +.LP +.B \-o +.BR module\-load = totp +.LP +.RE +Depending on +.BR totp 's +location, you may also need: +.RS +.LP +.B \-o +.BR module\-path = \fIpathspec\fP +.RE + + +.SH EXAMPLES +For instance, one could have the LDAP attribute: +.LP +.EX +userPassword: {TOTP1}GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ +.EE +.LP +which encodes the key +.RB ' 12345678901234567890 '. +.LP +To make {TOTP1} the password algorithm used in Password Modify extended operations, +simply set this line in slapd.conf(5): +.LP +.EX +password-hash {TOTP1} +.EX + +.SH SEE ALSO +.BR slapd.conf (5), +.BR ldappasswd (1), +.BR slappasswd (8), +.BR ldap (3), +.LP +"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) +.LP + +.SH ACKNOWLEDGEMENTS +This manual page has been writen by Peter Marschall based on the +module's README file written by Howard Chu. +.LP +.B OpenLDAP +is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release. + diff --git a/contrib/slapd-modules/smbk5pwd/Makefile b/contrib/slapd-modules/smbk5pwd/Makefile index a9d50450d7..2cda28eff6 100644 --- a/contrib/slapd-modules/smbk5pwd/Makefile +++ b/contrib/slapd-modules/smbk5pwd/Makefile @@ -25,6 +25,7 @@ HEIMDAL_INC = -I/usr/heimdal/include HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install CC = gcc OPT = -g -O2 -Wall # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. @@ -33,6 +34,7 @@ INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC) LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB) PROGRAMS = smbk5pwd.la +MANPAGES = slapo-smbk5pwd.5 LTVER = 0:0:0 prefix=/usr/local @@ -42,6 +44,8 @@ ldap_subdir=/openldap libdir=$(exec_prefix)/lib libexecdir=$(exec_prefix)/libexec moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 .SUFFIXES: .c .o .lo 
@@ -57,9 +61,17 @@ smbk5pwd.la: smbk5pwd.lo clean: rm -rf *.o *.lo *.la .libs -install: $(PROGRAMS) +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) mkdir -p $(DESTDIR)$(moduledir) for p in $(PROGRAMS) ; do \ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ done +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: + diff --git a/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 new file mode 100644 index 0000000000..044694b959 --- /dev/null +++ b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 
@@ -0,0 +1,179 @@
+.TH SLAPO-SMBK5PWD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapo-smbk5pwd \- Samba & Kerberos password sync overlay to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.RS
+.LP
+include
+.B "/krb5-kdc.schema"
+.LP
+include
+.B "/samba.schema"
+.LP
+moduleload
+.B smbk5pwd.so
+.LP
+ ...
+.LP
+database mdb
+.LP
+ ...
+.LP
+overlay
+.B smbk5pwd
+.RE
+
+.SH DESCRIPTION
+.LP
+The
+.B smbk5pwd
+overlay to
+.BR slapd (8)
+overloads the Password Modify Extended Operation (RFC 3062) to update
+Kerberos keys and Samba password hashes for an LDAP user, as well as
+updating password change related attributes for Kerberos, Samba and/or
+UNIX user accounts.
+.LP
+The Samba support is written using the Samba 3.0 LDAP schema;
+Kerberos support is written for Heimdal using its hdb-ldap backend.
+.LP
+Additionally, a new
+.B {K5KEY}
+password hash mechanism is provided.
+For
+.B krb5KDCEntry
+objects that have this scheme specifier in their
+.I userPassword
+attribute, Simple Binds will be checked against the Kerberos keys of the entry.
+No data is needed after the
+.B {K5KEY}
+scheme specifier in the
+.IR userPassword ,
+it is looked up from the entry directly.
+
+.SH CONFIGURATION
+The
+.B smbk5pwd
+overlay supports the following
+.B slapd.conf
+configuration options, which should appear after the
+.B overlay
+directive:
+.TP
+.BI smbk5pwd-enable " "
+can be used to enable only the desired modules.
+Legal values for
+.I
+are
+.LP
+.RS
+.TP
+.B krb5
+If the user has the
+.B krb5KDCEntry
+objectclass, update the
+.B krb5Key
+and
+.B krb5KeyVersionNumber
+attributes using the new password in the Password Modify operation,
+provided the Kerberos account is not expired.
+Exiration is determined by evaluating the
+.B krb5ValidEnd
+attribute.
+.TP
+.B samba
+If the user is a
+.B sambaSamAccount
+object, synchronize the
+.B sambaLMPassword
+and
+.B sambaNTPassword
+to the password entered in the Password Modify operation, and update
+.B sambaPwdLastSet
+accordingly.
+.TP
+.B shadow
+Update the attribute
+.BR shadowLastChange ,
+if the entry has the objectclass
+.BR shadowAccount .
+.LP
+By default all modules compiled in are enabled.
+Setting the config statement restricts the enabled modules to the ones
+explicitly mentioned.
+.RE
+.TP
+.BI smbk5pwd-can-change " "
+If the
+.B samba
+module is enabled and the user is a
+.BR sambaSamAccount ,
+update the attribute
+.B sambaPwdCanChange
+to point
+.I
+into the future, essentially denying any Samba password change until then.
+A value of
+.B 0
+disables this feature.
+.TP
+.BI smbk5pwd-must-change " "
+If the
+.B samba
+module is enabled and the user is a
+.BR sambaSamAccount ,
+update the attribute
+.B sambaPwdMustChange
+to point
+.I
+into the future, essentially setting the Samba password expiration time.
+A value of
+.B 0
+disables this feature.
+.LP
+Alternatively, the overlay supports table-driven configuration,
+and thus can be run-time loaded and configured via back-config.
+
+.SH EXAMPLE
+The layout of a slapd.d based, table-driven configuration entry looks like:
+.LP
+.EX
+ # {0}smbk5pwd, {1}bdb, config
+ dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
+ objectClass: olcOverlayConfig
+ objectClass: olcSmbK5PwdConfig
+ olcOverlay: {0}smbk5pwd
+ olcSmbK5PwdEnable: krb5
+ olcSmbK5PwdEnable: samba
+ olcSmbK5PwdMustChange: 2592000
+.EE
+.LP
+which enables both
+.B krb5
+and
+.B samba
+modules with a Samba password expiration time of 30 days (=
+.B 2592000
+seconds).
+
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR ldappasswd (1),
+.BR ldap (3),
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.LP
+
+.SH ACKNOWLEDGEMENTS
+This manual page has been writen by Peter Marschall based on the
+module's README file written by Howard Chu.
+.LP
+.B OpenLDAP
+is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
+.B OpenLDAP
+is derived from University of Michigan LDAP 3.3 Release.
+