mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
100 lines
2.5 KiB
Plaintext
100 lines
2.5 KiB
Plaintext
PBKDF2 for OpenLDAP
|
|
=======================
|
|
|
|
pw-pbkdf2.c provides PBKDF2 key derivation functions in OpenLDAP.
|
|
|
|
Schemes:
|
|
|
|
* {PBKDF2} - alias to {PBKDF2-SHA1}
|
|
* {PBKDF2-SHA1}
|
|
* {PBKDF2-SHA256}
|
|
* {PBKDF2-SHA512}
|
|
|
|
# Requirements
|
|
|
|
* OpenSSL 1.0.0 or later
|
|
|
|
# Installations
|
|
|
|
First, You need to configure and build OpenLDAP.
|
|
|
|
$ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/
|
|
$ git clone https://github.com/hamano/openldap-pbkdf2.git
|
|
$ cd openldap-pbkdf2/
|
|
$ make
|
|
# make install
|
|
|
|
# Configration
|
|
|
|
In slapd.conf:
|
|
|
|
moduleload pw-pbkdf2.so
|
|
|
|
You can also tell OpenLDAP to use the schemes when processing LDAP
|
|
Password Modify Extended Operations, thanks to the password-hash
|
|
option in slapd.conf. For example:
|
|
|
|
password-hash {PBKDF2}
|
|
or
|
|
password-hash {PBKDF2-SHA256}
|
|
or
|
|
password-hash {PBKDF2-SHA512}
|
|
|
|
# Testing
|
|
|
|
You can get hash to use slappasswd.
|
|
|
|
$ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
|
|
{PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw
|
|
|
|
A quick way to test whether it's working is to customize the rootdn and
|
|
rootpw in slapd.conf, eg:
|
|
|
|
rootdn "cn=Manager,dc=example,dc=com"
|
|
rootpw {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw
|
|
|
|
Then to test, run something like:
|
|
|
|
$ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret
|
|
|
|
# Debugging
|
|
You can specify -DSLAPD_PBKDF2_DEBUG flag for debugging.
|
|
|
|
# Message Format
|
|
|
|
{PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>
|
|
|
|
# References
|
|
|
|
* [RFC 2898 Password-Based Cryptography][^1]
|
|
[^1]: http://tools.ietf.org/html/rfc2898
|
|
|
|
* [PKCS #5 PBKDF2 Test Vectors][^2]
|
|
[^2]: http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-06
|
|
|
|
* [RFC 2307 Using LDAP as a Network Information Service][^3]
|
|
[^3]: http://tools.ietf.org/html/rfc2307
|
|
|
|
* [Python Passlib][^4]
|
|
[^4]: http://pythonhosted.org/passlib/
|
|
|
|
* [Adapted Base64 Encoding][^5]
|
|
[^5]: http://pythonhosted.org/passlib/lib/passlib.utils.html#passlib.utils.ab64_encode
|
|
|
|
# License
|
|
This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
|
|
Copyright 2009-2016 The OpenLDAP Foundation.
|
|
All rights reserved.
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted only as authorized by the OpenLDAP
|
|
Public License.
|
|
|
|
A copy of this license is available in the file LICENSE in the
|
|
top-level directory of the distribution or, alternatively, at
|
|
<http://www.OpenLDAP.org/license.html>.
|
|
|
|
# ACKNOWLEDGEMENT
|
|
This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp>
|