Argon2 OpenLDAP support
-----------------------

argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For
instance, one could have the LDAP attribute:

userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng

or:

userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw

Both hash the password "secret", the first using the salt "saltsalt", the
second using the salt "saltsaltsalt".

Building
--------

1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP
source root.

For initial testing you might also want to edit DEFS to define
SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on
in production, as it prints passwords in cleartext).

2) Run 'make' to produce argon2.so

3) Copy argon2.so somewhere permanent.

4) Edit your slapd.conf (e.g. /etc/ldap/slapd.conf), and add:

moduleload ...path/to/argon2.so

5) Restart slapd.


Configuring
-----------

The {ARGON2} password scheme should now be recognised.

You can also tell OpenLDAP to use this scheme when processing LDAP
Password Modify Extended Operations, thanks to the password-hash option in
slapd.conf:

password-hash {ARGON2}


Testing
-------

A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, e.g.:

rootdn "cn=admin,dc=example,dc=com"

# This hashes the string 'secret', with a random salt
rootpw {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$uJyf0UfB25SQTfX7oCyK2w$U45DJqEFwD0yFaLvTVyACHLvGMwzNGf19dvzPR8XvGc


Then to test, run something like:

ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret


-- Test hashes:

Test hashes can be generated with argon2:
$ echo -n "secret" | argon2 "saltsalt" -e
$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng

$ echo -n "secret" | argon2 "saltsaltsalt" -e
$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw

$ echo -n "secretsecret" | argon2 "saltsalt" -e
$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$U0Pd/wEsssZ9bHezDA8oxHnWe01xftykEy+7ehM2vic

$ echo -n "secretsecret" | argon2 "saltsaltsalt" -e
$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$fkvoOwKgVtlX9ZDqcHFyyArBvqnAM0Igca8SScB4Jsc



Alternatively we could modify an existing user's password with
ldappasswd, and then test binding as that user:

$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com
New password: secret
Re-enter new password: secret
Enter LDAP Password: <cn=admin's password>

$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret



---

This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2017-2021 The OpenLDAP Foundation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

---
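The {ARGON2} values shown in this README carry the Argon2 reference implementation's encoded form ($variant$v=version$m=...,t=...,p=...$salt$hash, base64 without padding) after the scheme prefix. The following Python is an added example and not code from the OpenLDAP argon2 module: it parses such a userPassword value into its parameters, flags parameters below a policy floor (the floor values are constructed for this example), and, when the third-party argon2-cffi package is installed (an assumption; the function returns None without it), verifies a cleartext password against the stored value. The sample value is the first attribute shown above.

```python
"""Parse, policy-check and verify OpenLDAP {ARGON2} userPassword values.

Added example, not part of the OpenLDAP argon2 module. It reads the encoded
string the module stores; it does not reimplement Argon2 itself.
"""
import base64
import re
from dataclasses import dataclass

# Encoded form written by the argon2 reference CLI and stored after {ARGON2}:
#   $<variant>$v=<version>$m=<KiB>,t=<iterations>,p=<lanes>$<salt>$<hash>
_ENCODED_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))"
    r"\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)"
    r"\$(?P<hash>[A-Za-z0-9+/]+)$"
)

SCHEME_PREFIX = "{ARGON2}"


@dataclass(frozen=True)
class Argon2Hash:
    variant: str
    version: int
    memory_kib: int
    iterations: int
    parallelism: int
    salt: bytes
    digest: bytes
    encoded: str  # everything after the {ARGON2} prefix, unchanged


def _b64decode_unpadded(s: str) -> bytes:
    # The encoded form omits base64 padding; restore it before decoding.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_userpassword(value: str) -> Argon2Hash:
    """Split a '{ARGON2}$argon2...' attribute value into its components."""
    # Assumption: scheme names are compared case-insensitively, as in slapd.
    if value[:len(SCHEME_PREFIX)].upper() != SCHEME_PREFIX:
        raise ValueError("not an {ARGON2} scheme value")
    encoded = value[len(SCHEME_PREFIX):]
    m = _ENCODED_RE.match(encoded)
    if m is None:
        raise ValueError("malformed Argon2 encoded hash")
    return Argon2Hash(
        variant=m["variant"],
        version=int(m["version"]),
        memory_kib=int(m["m"]),
        iterations=int(m["t"]),
        parallelism=int(m["p"]),
        salt=_b64decode_unpadded(m["salt"]),
        digest=_b64decode_unpadded(m["hash"]),
        encoded=encoded,
    )


def policy_findings(h: Argon2Hash, min_memory_kib=65536, min_iterations=3,
                    min_salt_len=16, min_digest_len=32) -> list:
    """Return findings for parameters below the given floors.

    The defaults are constructed thresholds for this example (64 MiB, t=3,
    16-byte salt, 32-byte digest); set them from your own policy.
    """
    findings = []
    if h.version != 19:
        findings.append(f"unexpected Argon2 version {h.version}")
    if h.memory_kib < min_memory_kib:
        findings.append(f"memory {h.memory_kib} KiB below {min_memory_kib} KiB")
    if h.iterations < min_iterations:
        findings.append(f"iterations {h.iterations} below {min_iterations}")
    if len(h.salt) < min_salt_len:
        findings.append(f"salt is {len(h.salt)} bytes, below {min_salt_len}")
    if len(h.digest) < min_digest_len:
        findings.append(f"digest is {len(h.digest)} bytes, below {min_digest_len}")
    return findings


def verify_userpassword(value: str, password: str):
    """Verify a cleartext password against the stored value.

    Uses argon2-cffi when installed (assumption); returns None when it is
    not, so callers can tell 'library missing' apart from 'wrong password'.
    """
    h = parse_userpassword(value)  # reject malformed input before any work
    try:
        import argon2.low_level as low
        from argon2.exceptions import VerificationError
    except ImportError:
        return None
    type_ = {"argon2i": low.Type.I, "argon2d": low.Type.D,
             "argon2id": low.Type.ID}[h.variant]
    try:
        return low.verify_secret(h.encoded.encode(), password.encode(), type_)
    except VerificationError:
        return False


if __name__ == "__main__":
    # Constructed sample: the first userPassword value shown in the README.
    sample = ("{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ"
              "$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng")
    parsed = parse_userpassword(sample)
    print(parsed.variant, parsed.memory_kib, parsed.iterations, parsed.salt)
    for finding in policy_findings(parsed):
        print("policy:", finding)
    print("verify:", verify_userpassword(sample, "secret"))
```

Run against the README's sample, the parser recovers the salt "saltsalt" and a 32-byte digest, and the policy check reports the 4 MiB memory cost and 8-byte salt as below the example's floors; the m/t/p values you pass to argon2 (or that slapd generates for password-hash {ARGON2}) are what this check is meant to audit across a directory.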