mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-12 10:54:48 +08:00
Code Issues Packages Projects Releases Wiki Activity
e240d55c07
openldap/contrib/slapd-modules/passwd/sha2
History
Howard Chu ba0863d500 ITS#5660 SHA2 password hashes
2009-01-26 04:08:34 +00:00
..
Makefile ITS#5660 SHA2 password hashes 2009-01-26 04:08:34 +00:00
README ITS#5660 SHA2 password hashes 2009-01-26 04:08:34 +00:00
sha2.c ITS#5660 SHA2 password hashes 2009-01-26 04:08:34 +00:00
sha2.h ITS#5660 SHA2 password hashes 2009-01-26 04:08:34 +00:00
slapd-sha2.c ITS#5660 SHA2 password hashes 2009-01-26 04:08:34 +00:00

README 

SHA-512 OpenLDAP support
------------------------

  Based on SHA2 implementation by Aaron D. Gifford (http://www.aarongifford.com/), also used in OpenBSD.
  Adapted for OpenLDAP use by Jeff Turner <jeff@atlassian.com>
  Distributed under open source BSD license - see code for details.


slapd-sha2.c provides support for SHA-512, SHA-384 and SHA-256 hashed passwords in
OpenLDAP. For instance, one could have the LDAP attribute:

userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

or:

userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt

or:

userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

all of which encode the password 'secret'.


Building
--------

1) Obtain the OpenLDAP source, eg. 'apt-get source slapd'.  Really we
only want the headers, but there doesn't seem to be a Debian package
with them.

2) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP
source root.

For initial testing you might also want to edit CCFLAGS to define
SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on
in production, as it prints passwords in cleartext).

3) Run 'make' to produce slapd-sha2.so

4) Copy slapd-sha2.so somewhere permanent.

4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add:

moduleload ...path/to/slapd-sha2.so

5) Restart slapd.

The {SHA512} scheme should now be recognised.

Testing
-------

A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, eg:

rootdn          "cn=admin,dc=example,dc=com"
# This encrypts the string 'secret' 

rootpw  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

Then to test, run something like:

ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret


-- Test hashes:

Test hashes can be generated with openssl:

$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
$ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64
WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64   
vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
W192CF5bDufKRpayrW/isg==

(join those lines up to form the full hash)



Alternatively we could modify an existing user's password with
ldapmodify, and then test binding as that user:

$ ldapmodify -D "cn=admin,dc=example,dc=com" -x -W
Enter LDAP Password: 
dn: uid=jturner,ou=People,dc=example,dc=com
changetype: modify 
replace: userPassword
userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

modifying entry "uid=jturner,ou=People,dc=example,dc=com"

$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret


Debugging
---------

To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the
commented-out CCFLAGS in Makefile), and then run slapd from the console
to see stderr:

$ sudo /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d 256
@(#) $OpenLDAP$
        buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
/etc/ldap/slapd.conf: line 123: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 140: rootdn is always granted unlimited privileges.
slapd starting
...
Validating password
  Password to validate: secret
  Hashes to: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  Stored password scheme: {SHA256}
  Stored password value: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
  -> Passwords match
conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=0 fd=12 closed (connection lost)



Origin
------

Based on code maintained at:
http://confluence.atlassian.com/display/JIRAEXT/OpenLDAP+support+for+SHA-2+(SHA-256%2C+SHA-384%2C+SHA-512)+and+atlassian-sha1+passwords