pw-pbkdf2.c provides PBKDF2 key derivation functions in OpenLDAP.

* {PBKDF2} - alias to {PBKDF2-SHA1}

* OpenSSL 1.0.0 or later
First, you need to configure and build OpenLDAP.

    $ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/
    $ git clone https://github.com/hamano/openldap-pbkdf2.git

    moduleload pw-pbkdf2.so
You can also tell OpenLDAP to use the schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash
option in slapd.conf. For example:

    password-hash {PBKDF2}

    password-hash {PBKDF2-SHA256}

    password-hash {PBKDF2-SHA512}
You can generate a hash with slappasswd.

    $ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
    {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw
A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, e.g.:

    rootdn "cn=Manager,dc=example,dc=com"
    rootpw {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw

Then to test, run something like:

    $ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret
You can specify the -DSLAPD_PBKDF2_DEBUG flag for debugging.

    {PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>
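
The stored value format above can be parsed and checked outside slapd, for instance when auditing exported userPassword values. The following is an added example, not code from pw-pbkdf2.c; the function names and the MAX_ITERATIONS cap are assumptions, and the derived key length is taken from the stored value itself.

```python
import base64
import hashlib
import hmac

# Scheme tags named on this page, mapped to the hashlib digest each implies.
SCHEMES = {
    "{PBKDF2}": "sha1",  # alias of {PBKDF2-SHA1}
    "{PBKDF2-SHA1}": "sha1",
    "{PBKDF2-SHA256}": "sha256",
    "{PBKDF2-SHA512}": "sha512",
}
MAX_ITERATIONS = 10_000_000  # assumed local cap, not a limit taken from the module
# Sample value printed by slappasswd on this page (password "secret").
SAMPLE = "{PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw"


def ab64_decode(text):
    """Adapted Base64 (Passlib ab64): '.' replaces '+', '=' padding is dropped."""
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)


def ab64_encode(raw):
    """Inverse of ab64_decode."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def parse_hash(stored):
    """Split '{SCHEME}<iter>$<salt>$<dk>' into (digest, iterations, salt, dk)."""
    scheme, brace, rest = stored.partition("}")
    digest = SCHEMES.get(scheme + brace)
    fields = rest.split("$")
    if digest is None or len(fields) != 3 or not fields[0].isdigit():
        raise ValueError("not a recognised PBKDF2 value")
    iterations = int(fields[0])
    # Refuse counts that would let a planted value stall the verifier.
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    return digest, iterations, ab64_decode(fields[1]), ab64_decode(fields[2])


def verify(password, stored):
    """Recompute the derived key and compare it in constant time."""
    digest, iterations, salt, dk = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, len(dk))
    return hmac.compare_digest(candidate, dk)
```

Malformed input, including bad Base64 or an empty derived key, surfaces as ValueError rather than as a failed match, so callers can tell a corrupt entry from a wrong password.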
* [RFC 2898 Password-Based Cryptography][^1]
[^1]: http://tools.ietf.org/html/rfc2898

* [PKCS #5 PBKDF2 Test Vectors][^2]
[^2]: http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-06

* [RFC 2307 Using LDAP as a Network Information Service][^3]
[^3]: http://tools.ietf.org/html/rfc2307

* [Python Passlib][^4]
[^4]: http://pythonhosted.org/passlib/

* [Adapted Base64 Encoding][^5]
[^5]: http://pythonhosted.org/passlib/lib/passlib.utils.html#passlib.utils.ab64_encode
This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2009-2013 The OpenLDAP Foundation.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp>