Skip to content

Latest commit

 

History

History
138 lines (95 loc) · 2.99 KB

README.md

File metadata and controls

138 lines (95 loc) · 2.99 KB

PBKDF2 for OpenLDAP

NOTE: This module has already been merged into official repository. see contrib/slapd-modules/passwd/pbkdf2/ However module of official release does not support GNUTLS yet. Please use the repository for building with GNUTLS

pw-pbkdf2.c provides PBKDF2 key derivation functions in OpenLDAP.

Schemes:

  • {PBKDF2} - alias to {PBKDF2-SHA1}
  • {PBKDF2-SHA1}
  • {PBKDF2-SHA256}
  • {PBKDF2-SHA512}

Requirements

  • OpenSSL 1.0.0 or later or
  • Nettle 2.7.1 or later

Installations

First, You need to configure and build OpenLDAP with --enable-modules option.

$ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/
$ git clone https://github.com/hamano/openldap-pbkdf2.git
$ cd openldap-pbkdf2/
$ make
# make install

Configration

In slapd.conf:

moduleload pw-pbkdf2.so

You can also tell OpenLDAP to use the schemes when processing LDAP Password Modify Extended Operations, thanks to the password-hash option in slapd.conf. For example:

password-hash {PBKDF2}

or

password-hash {PBKDF2-SHA256}

or

password-hash {PBKDF2-SHA512}

Testing

You can get hash to use slappasswd.

$ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
{PBKDF2}10000$8muAzQL.wFBo0phhjcMveQ$ac91mnXD6sxQQWub2qwonD5Q.QE

A quick way to test whether it's working is to customize the rootdn and rootpw in slapd.conf, eg:

rootdn "cn=Manager,dc=example,dc=com"
rootpw {PBKDF2}10000$8muAzQL.wFBo0phhjcMveQ$ac91mnXD6sxQQWub2qwonD5Q.QE

Then to test, run something like:

$ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret

Debugging

You can specify -DSLAPD_PBKDF2_DEBUG flag for debugging.

Message Format

{PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>

Sample code for Python Passlib

#!/usr/bin/env python

from passlib.hash import ldap_pbkdf2_sha1
print(ldap_pbkdf2_sha1.encrypt("secret", rounds=10000))

References

  • [RFC 2898 Password-Based Cryptography]1
  • [PKCS #5 PBKDF2 Test Vectors]2
  • [RFC 2307 Using LDAP as a Network Information Service]3
  • [Python Passlib]4
  • [Adapted Base64 Encoding]5

License

This work is part of OpenLDAP Software http://www.openldap.org/.

Copyright 2009-2013 The OpenLDAP Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.

A copy of this license is available in the file LICENSE in the top-level directory of the distribution or, alternatively, at http://www.OpenLDAP.org/license.html.

ACKNOWLEDGEMENT

This work was initially developed by HAMANO Tsukasa hamano@osstech.co.jp

Contributor:

  • Luca Bruno(lucab)

Footnotes

  1. http://tools.ietf.org/html/rfc2898

  2. http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-06

  3. http://tools.ietf.org/html/rfc2307

  4. http://pythonhosted.org/passlib/

  5. http://pythonhosted.org/passlib/lib/passlib.utils.html#passlib.utils.ab64_encode