PBKDF2 for OpenLDAP
===================

pw-pbkdf2.c provides PBKDF2 key derivation functions in OpenLDAP.

Schemes:

 * {PBKDF2} - alias to {PBKDF2-SHA1}
 * {PBKDF2-SHA1}
 * {PBKDF2-SHA256}
 * {PBKDF2-SHA512}

# Requirements

 * OpenSSL 1.0.0 or later

# Installation

First, you need to configure and build OpenLDAP. Then build and install the module:

    $ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/
    $ git clone https://github.com/hamano/openldap-pbkdf2.git
    $ cd openldap-pbkdf2/
    $ make
    # make install

# Configuration

In slapd.conf:

    moduleload pw-pbkdf2.so

You can also tell OpenLDAP to use the schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash
option in slapd.conf. For example:

    password-hash {PBKDF2}

or

    password-hash {PBKDF2-SHA256}

or

    password-hash {PBKDF2-SHA512}

# Testing

You can generate a hash with slappasswd:

    $ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
    {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw

A quick way to test whether it's working is to set the rootdn and
rootpw in slapd.conf, e.g.:

    rootdn "cn=Manager,dc=example,dc=com"
    rootpw {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw

Then, to test, run something like:

    $ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret

# Debugging

You can specify the -DSLAPD_PBKDF2_DEBUG flag for debugging.
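The slappasswd output above can be checked without a running slapd. The following Python script is an added example, not part of the pw-pbkdf2 module: it implements the {SCHEME}<Iteration>$<Salt>$<DK> message format with hashlib.pbkdf2_hmac in place of the module's OpenSSL call. It assumes that "adapted base64" is the passlib ab64 encoding referenced below (standard base64 with '+' replaced by '.' and the '=' padding removed) and that the derived key is as long as the underlying digest (the README example's DK decodes to 20 bytes for SHA-1). The names SCHEMES, ab64_encode, ab64_decode, parse, make_hash and verify are this example's own; README_EXAMPLE is the hash from the Testing section.

```python
"""Parse, generate and verify pw-pbkdf2 style hashes outside slapd.

Added example, not the module's code. Assumptions not stated in the
README: the DK length equals the digest length, and "adapted base64"
is passlib ab64 ('+' written as '.', '=' padding dropped, '/' kept).
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Scheme label (from the README) -> hashlib digest name and assumed DK length.
SCHEMES = {
    "PBKDF2": ("sha1", 20),  # alias of {PBKDF2-SHA1}
    "PBKDF2-SHA1": ("sha1", 20),
    "PBKDF2-SHA256": ("sha256", 32),
    "PBKDF2-SHA512": ("sha512", 64),
}

# Hash printed by slappasswd in the Testing section of the README.
README_EXAMPLE = "{PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw"


def ab64_encode(data: bytes) -> str:
    """Adapted base64: '+' -> '.', padding removed."""
    return base64.b64encode(data).decode("ascii").replace("+", ".").rstrip("=")


def ab64_decode(text: str) -> bytes:
    """Inverse of ab64_encode; rejects characters outside the alphabet."""
    std = text.replace(".", "+")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def parse(hash_str: str):
    """Split '{SCHEME}<iter>$<ab64 salt>$<ab64 dk>' into (scheme, iterations, salt, dk)."""
    if not hash_str.startswith("{") or "}" not in hash_str:
        raise ValueError("missing {SCHEME} prefix")
    scheme, rest = hash_str[1:].split("}", 1)
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    fields = rest.split("$")
    if len(fields) != 3 or not fields[0].isdigit():
        raise ValueError("expected <iter>$<salt>$<dk> with a numeric iteration count")
    iterations = int(fields[0])
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    salt = ab64_decode(fields[1])
    dk = ab64_decode(fields[2])
    expected_len = SCHEMES[scheme][1]
    if len(dk) != expected_len:
        raise ValueError(f"{scheme} derived key must be {expected_len} bytes")
    return scheme, iterations, salt, dk


def make_hash(password: str, scheme: str = "PBKDF2-SHA256",
              iterations: int = 60000, salt: Optional[bytes] = None) -> str:
    """Produce a hash string in the module's message format.

    Defaults to SHA-256 with the iteration count shown in the README example
    and a random 16-byte salt (the salt size in that example); a fixed salt
    can be passed in to reproduce published test vectors.
    """
    digest, dklen = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, dklen)
    return f"{{{scheme}}}{iterations}${ab64_encode(salt)}${ab64_encode(dk)}"


def verify(password: str, hash_str: str) -> bool:
    """Recompute the DK from the stored parameters and compare in constant time."""
    scheme, iterations, salt, expected = parse(hash_str)
    digest, dklen = SCHEMES[scheme]
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, dklen)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    scheme, iterations, salt, dk = parse(README_EXAMPLE)
    print(f"{scheme}: {iterations} iterations, {len(salt)}-byte salt, {len(dk)}-byte DK")
    print("README hash matches 'secret':", verify("secret", README_EXAMPLE))
    fresh = make_hash("secret", "PBKDF2-SHA512")
    print(fresh)
    print("fresh hash verifies:", verify("secret", fresh))
```

Run it directly to see the README hash parsed and checked against the password `secret`. The parse step rejects an unknown scheme, a non-numeric or zero iteration count, and a DK whose length does not match the scheme's digest before any iterations are spent, which is the order a verifier should do things in; with a fixed salt, make_hash reproduces the PKCS #5 test vectors referenced below (for example the iteration-count-1 SHA-1 vector with password `password` and salt `salt`).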
# Message Format

    {PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>

# References

* [RFC 2898 Password-Based Cryptography][^1]
[^1]: http://tools.ietf.org/html/rfc2898

* [PKCS #5 PBKDF2 Test Vectors][^2]
[^2]: http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-06

* [RFC 2307 Using LDAP as a Network Information Service][^3]
[^3]: http://tools.ietf.org/html/rfc2307

* [Python Passlib][^4]
[^4]: http://pythonhosted.org/passlib/

* [Adapted Base64 Encoding][^5]
[^5]: http://pythonhosted.org/passlib/lib/passlib.utils.html#passlib.utils.ab64_encode

# License

This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2009-2021 The OpenLDAP Foundation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

# ACKNOWLEDGEMENT

This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp>