README

Argon2 OpenLDAP support
----------------------

pw-argon2.c provides support for Argon2-hashed passwords in OpenLDAP. For
instance, one could have the LDAP attribute:

userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng

or:

userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw

Both hash the password "secret", the first using the salt "saltsalt", the second using the salt "saltsaltsalt".
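The stored value is the OpenLDAP scheme prefix {ARGON2} followed by a standard PHC-style Argon2 string: variant, version, the m/t/p parameters, then the salt and the tag, both base64-encoded without '=' padding. The parser below is an added example, not code from the module or from OpenLDAP; it takes the two userPassword values shown above apart, recovers the raw salt, and lets an administrator check stored entries against a parameter policy of their own choosing (the threshold values passed to check_parameters are assumptions, not anything the module enforces). The 8-byte salt and 4-byte tag minimums come from the Argon2 reference implementation.

```python
import base64
import re
from dataclasses import dataclass

SCHEME = "{ARGON2}"
VARIANTS = ("argon2i", "argon2d", "argon2id")


@dataclass(frozen=True)
class Argon2Hash:
    variant: str       # argon2i, argon2d or argon2id
    version: int       # v=19 is Argon2 version 0x13
    memory_kib: int    # m= parameter, in KiB
    iterations: int    # t= parameter (passes over memory)
    parallelism: int   # p= parameter (lanes)
    salt: bytes
    digest: bytes      # the Argon2 tag


def _b64decode_nopad(s: str) -> bytes:
    """PHC strings carry base64 without '=' padding; restore it before decoding."""
    if not re.fullmatch(r"[A-Za-z0-9+/]*", s):
        raise ValueError("invalid base64 characters in PHC field")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_userpassword(value: str) -> Argon2Hash:
    """Parse an OpenLDAP userPassword value of the form {ARGON2}$argon2i$v=..$m=..,t=..,p=..$salt$tag."""
    if not value.startswith(SCHEME):
        raise ValueError("value does not carry the {ARGON2} scheme prefix")
    parts = value[len(SCHEME):].split("$")
    # A PHC string starts with '$', so the first element of the split is empty.
    if len(parts) != 6 or parts[0] != "":
        raise ValueError("malformed PHC string")
    _, variant, version_field, params, salt_b64, digest_b64 = parts
    if variant not in VARIANTS:
        raise ValueError(f"unsupported Argon2 variant {variant!r}")
    m = re.fullmatch(r"v=(\d+)", version_field)
    if m is None:
        raise ValueError("missing or malformed version field")
    kv = {}
    for item in params.split(","):
        key, sep, num = item.partition("=")
        if not sep or not num.isdigit():
            raise ValueError(f"malformed parameter {item!r}")
        kv[key] = int(num)
    if set(kv) != {"m", "t", "p"}:
        raise ValueError(f"unexpected parameter set {sorted(kv)}")
    salt = _b64decode_nopad(salt_b64)
    digest = _b64decode_nopad(digest_b64)
    # Minimum lengths taken from the Argon2 reference implementation
    # (ARGON2_MIN_SALT_LENGTH = 8, ARGON2_MIN_OUTLEN = 4).
    if len(salt) < 8:
        raise ValueError("salt shorter than 8 bytes")
    if len(digest) < 4:
        raise ValueError("tag shorter than 4 bytes")
    return Argon2Hash(variant, int(m.group(1)), kv["m"], kv["t"], kv["p"], salt, digest)


def check_parameters(h: Argon2Hash, min_memory_kib: int, min_iterations: int) -> list[str]:
    """Return a list of policy findings (empty when the stored hash meets the given minimums)."""
    findings = []
    if h.memory_kib < min_memory_kib:
        findings.append(f"memory {h.memory_kib} KiB below minimum {min_memory_kib} KiB")
    if h.iterations < min_iterations:
        findings.append(f"iterations {h.iterations} below minimum {min_iterations}")
    if h.version != 19:
        findings.append(f"unexpected Argon2 version {h.version}")
    return findings


if __name__ == "__main__":
    # Sample input: the two userPassword values from the README above.
    samples = [
        "{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng",
        "{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw",
    ]
    for value in samples:
        h = parse_userpassword(value)
        print(h.variant, h.version, h.memory_kib, h.iterations, h.parallelism,
              "salt=", h.salt, "tag_len=", len(h.digest))
        # Assumed policy thresholds for illustration only.
        print("  findings:", check_parameters(h, min_memory_kib=65536, min_iterations=3))
```

The m=4096, t=3, p=1 values in the README's samples are the defaults of the argon2 command-line tool used to generate them; a production deployment should decide its own minimums and can run check_parameters over exported userPassword values to find entries hashed with weaker settings.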

Building
--------

1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP
source root.

For initial testing you might also want to edit DEFS to define
SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on
in production, as it prints passwords in cleartext).

2) Run 'make' to produce pw-argon2.so.

3) Copy pw-argon2.so somewhere permanent.

4) Edit your slapd.conf (e.g. /etc/ldap/slapd.conf), and add:

moduleload ...path/to/pw-argon2.so

5) Restart slapd.

Configuring
-----------

The {ARGON2} password scheme should now be recognised.

You can also tell OpenLDAP to use this scheme when processing LDAP
Password Modify Extended Operations, thanks to the password-hash option in
slapd.conf:

password-hash	{ARGON2}

Testing
-------

A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, e.g.:

rootdn          "cn=admin,dc=example,dc=com"

# This hashes the string 'secret', with a random salt
rootpw          {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$uJyf0UfB25SQTfX7oCyK2w$U45DJqEFwD0yFaLvTVyACHLvGMwzNGf19dvzPR8XvGc

Then to test, run something like:

ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret

-- Test hashes:

Test hashes can be generated with argon2:
$ echo -n "secret" | argon2 "saltsalt" -e
$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng

$ echo -n "secret" | argon2 "saltsaltsalt" -e
$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw

$ echo -n "secretsecret" | argon2 "saltsalt" -e
$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$U0Pd/wEsssZ9bHezDA8oxHnWe01xftykEy+7ehM2vic

$ echo -n "secretsecret" | argon2 "saltsaltsalt" -e
$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$fkvoOwKgVtlX9ZDqcHFyyArBvqnAM0Igca8SScB4Jsc

Alternatively, you can modify an existing user's password with
ldappasswd, and then test binding as that user:

$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com
New password: secret
Re-enter new password: secret
Enter LDAP Password: <cn=admin's password>

$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret

---

This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2017-2021 The OpenLDAP Foundation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

---