README
SHA-2 OpenLDAP support
----------------------

slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256,
SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For
instance, one could have the LDAP attribute:

userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

or:

userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt

or:

userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

all of which encode the password 'secret'.


Building
--------

1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP
source root.

For initial testing you might also want to edit DEFS to define
SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on
in production, as it prints passwords in cleartext).

2) Run 'make' to produce slapd-sha2.so

3) Copy slapd-sha2.so somewhere permanent.

4) Edit your slapd.conf (e.g. /etc/ldap/slapd.conf), and add:

moduleload ...path/to/slapd-sha2.so

5) Restart slapd.


Configuring
-----------

The {SSHA256}, {SSHA384}, {SSHA512}, {SHA256}, {SHA384} and {SHA512}
password schemes should now be recognised.

You can also tell OpenLDAP to use one of these new schemes when hashing
passwords set via the LDAP Password Modify Extended Operation, using the
password-hash option in slapd.conf. For example:

password-hash {SSHA512}


Testing
-------

A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, e.g.:

rootdn "cn=admin,dc=example,dc=com"
# This is the SHA-256 hash of the string 'secret'
rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

Then to test, run something like:

ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret


-- Test hashes:

Unsalted test hashes can be generated with openssl:

$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
$ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64
WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
W192CF5bDufKRpayrW/isg==

(join those lines up to form the full hash; openssl enc -base64 wraps
its output at 64 characters)
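As an added example (not part of slapd-sha2 or this README), the Python below builds the same {SHA256}/{SHA384}/{SHA512} values the openssl pipeline above prints and verifies a cleartext password against a stored userPassword value, so you can check a hash before putting it in slapd.conf. The salted {SSHA*} layout it uses, base64(H(password || salt) || salt) with the salt appended after the digest, is the usual SSHA convention and is an assumption here, since this page does not spell it out.

```python
import base64
import hashlib
import hmac
import os

# Digest behind each scheme name in this README ({SSHAnnn} = salted {SHAnnn}).
DIGESTS = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


def _split_scheme(scheme):
    """Return (digest constructor or None, salted?) for e.g. 'SSHA256' or 'SHA256'."""
    salted = scheme.startswith("SSHA")
    name = scheme[1:] if salted else scheme
    return DIGESTS.get(name), salted


def hash_password(password, scheme, salt=None):
    """Build a userPassword value such as '{SHA256}K7gN...' or '{SSHA256}...'.
    Unsalted: base64(H(password)), what the openssl pipeline above prints.
    Salted: base64(H(password || salt) || salt), the usual SSHA layout
    (assumed here; the README does not spell it out)."""
    digest, salted = _split_scheme(scheme)
    if digest is None:
        raise ValueError("unsupported scheme: " + scheme)
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(8) if salt is None else salt  # fresh 8-byte salt per hash
        raw = digest(pw + salt).digest() + salt
    else:
        raw = digest(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_password(password, stored):
    """Verify a cleartext password against a stored '{scheme}base64' value."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    digest, salted = _split_scheme(scheme)
    if digest is None:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    dlen = digest().digest_size
    # Unsalted values must be exactly one digest; salted ones carry a trailing salt.
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False
    salt = raw[dlen:]
    expected = digest(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, raw[:dlen])  # constant-time comparison
```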


Alternatively we could modify an existing user's password with
ldappasswd, and then test binding as that user:

$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com
New password: secret
Re-enter new password: secret
Enter LDAP Password: <cn=admin's password>

$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret


Debugging (SHA-512, SHA-384 and SHA-256 only)
---------------------------------------------

To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the
commented-out DEFS in Makefile), and then run slapd from the console
to see stderr:

$ sudo /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d stats
@(#) $OpenLDAP$
 buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
slapd starting
...
Validating password
 Hash scheme: {SHA256}
 Password to validate: secret
 Password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
 Stored password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
 Result: match
conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=0 fd=12 closed (connection lost)

---

This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2009-2021 The OpenLDAP Foundation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

---

ACKNOWLEDGEMENT:
This work was initially developed by Jeff Turner for inclusion in
OpenLDAP Software, based upon the SHA-2 implementation independently
developed by Aaron Gifford.
