1SHA-2 OpenLDAP support 2---------------------- 3 4slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256, 5SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For 6instance, one could have the LDAP attribute: 7 8userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg== 9 10or: 11 12userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt 13 14or: 15 16userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= 17 18all of which encode the password 'secret'. 19 20 21Building 22-------- 23 241) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP 25source root. 26 27For initial testing you might also want to edit DEFS to define 28SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on 29in production, as it prints passwords in cleartext). 30 312) Run 'make' to produce slapd-sha2.so 32 333) Copy slapd-sha2.so somewhere permanent. 34 354) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: 36 37moduleload ...path/to/slapd-sha2.so 38 395) Restart slapd. 40 41 42Configuring 43----------- 44 45The {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384} and {SHA512} 46password schemes should now be recognised. 47 48You can also tell OpenLDAP to use one of these new schemes when processing LDAP 49Password Modify Extended Operations, thanks to the password-hash option in 50slapd.conf. For example: 51 52password-hash {SSHA512} 53 54 55Testing 56------- 57 58A quick way to test whether it's working is to customize the rootdn and 59rootpw in slapd.conf, eg: 60 61rootdn "cn=admin,dc=example,dc=com" 62# This encrypts the string 'secret' 63 64rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= 65 66Then to test, run something like: 67 68ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret 69 70 71-- Test hashes: 72 73Test hashes can be generated with openssl: 74 75$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 76K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= 77$ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64 78WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt 79$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64 80vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm 81W192CF5bDufKRpayrW/isg== 82 83(join those lines up to form the full hash) 84 85 86 87Alternatively we could modify an existing user's password with 88ldappasswd, and then test binding as that user: 89 90$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com 91New password: secret 92Re-enter new password: secret 93Enter LDAP Password: <cn=admin's password> 94 95$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret 96 97 98Debugging (SHA-512, SHA-384 and SHA-256 only) 99--------------------------------------------- 100 101To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the 102commented-out DEFS in Makefile), and then run slapd from the console 103to see stderr: 104 105$ sudo /etc/init.d/slapd stop 106Stopping OpenLDAP: slapd. 107$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d stats 108@(#) $OpenLDAP$ 109 buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd 110slapd starting 111... 112Validating password 113 Hash scheme: {SHA256} 114 Password to validate: secret 115 Password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= 116 Stored password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= 117 Result: match 118conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0 119conn=0 op=0 RESULT tag=97 err=0 text= 120conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" 121conn=0 fd=12 closed (connection lost) 122 123--- 124 125This work is part of OpenLDAP Software <http://www.openldap.org/>. 126 127Copyright 2009-2014 The OpenLDAP Foundation. 128All rights reserved. 129 130Redistribution and use in source and binary forms, with or without 131modification, are permitted only as authorized by the OpenLDAP 132Public License. 133 134A copy of this license is available in the file LICENSE in the 135top-level directory of the distribution or, alternatively, at 136<http://www.OpenLDAP.org/license.html>. 137 138--- 139 140ACKNOWLEDGEMENT: 141This work was initially developed by Jeff Turner for inclusion in 142OpenLDAP Software, based upon the SHA-2 implementation independently 143developed by Aaron Gifford. 144 145