1 SHA-512 OpenLDAP support
2 ------------------------
4 slapd-sha2.c provides support for SHA-512, SHA-384 and SHA-256 hashed passwords in
5 OpenLDAP. For instance, one could have the LDAP attribute:
7 userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
11 userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
15 userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
17 all of which encode the password 'secret'.
23 1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP
26 For initial testing you might also want to edit CCFLAGS to define
27 SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on
28 in production, as it prints passwords in cleartext).
30 2) Run 'make' to produce slapd-sha2.so
32 3) Copy slapd-sha2.so somewhere permanent.
34 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add:
36 moduleload ...path/to/slapd-sha2.so
40 The {SHA512} scheme should now be recognised.
45 A quick way to test whether it's working is to customize the rootdn and
46 rootpw in slapd.conf, eg:
48 rootdn "cn=admin,dc=example,dc=com"
49 # This encrypts the string 'secret'
51 rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
53 Then to test, run something like:
55 ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret
60 Test hashes can be generated with openssl:
62 $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
63 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
64 $ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64
65 WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
66 $ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
67 vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
68 W192CF5bDufKRpayrW/isg==
70 (join those lines up to form the full hash)
74 Alternatively we could modify an existing user's password with
75 ldapmodify, and then test binding as that user:
77 $ ldapmodify -D "cn=admin,dc=example,dc=com" -x -W
79 dn: uid=jturner,ou=People,dc=example,dc=com
82 userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
84 modifying entry "uid=jturner,ou=People,dc=example,dc=com"
86 $ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret
92 To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the
93 commented-out CCFLAGS in Makefile), and then run slapd from the console
96 $ sudo /etc/init.d/slapd stop
97 Stopping OpenLDAP: slapd.
98 $ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d 256
100 buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
101 /etc/ldap/slapd.conf: line 123: rootdn is always granted unlimited privileges.
102 /etc/ldap/slapd.conf: line 140: rootdn is always granted unlimited privileges.
106 Password to validate: secret
107 Hashes to: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
108 Stored password scheme: {SHA256}
109 Stored password value: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
111 conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
112 conn=0 op=0 RESULT tag=97 err=0 text=
113 conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
114 conn=0 fd=12 closed (connection lost)
118 This work is part of OpenLDAP Software <http://www.openldap.org/>.
120 Copyright 2009-2010 The OpenLDAP Foundation.
123 Redistribution and use in source and binary forms, with or without
124 modification, are permitted only as authorized by the OpenLDAP
127 A copy of this license is available in the file LICENSE in the
128 top-level directory of the distribution or, alternatively, at
129 <http://www.OpenLDAP.org/license.html>.
134 This work was initially developed by Jeff Turner for inclusion in
135 OpenLDAP Software, based upon the SHA2 implementation independently
136 developed by Aaron Gifford.