X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=contrib%2Fslapd-modules%2Fpasswd%2Fsha2%2FREADME;h=11bbe1e38e9ee0a6256f39ccab43fb14b4716a33;hb=98cd6e28571a2a0351d1b5f707514c5832e503c0;hp=68cc62f2be4bf4614e31f8310418c5bd4df0c449;hpb=7f41bdf6885214362af15da504981f1ea85cf81f;p=openldap diff --git a/contrib/slapd-modules/passwd/sha2/README b/contrib/slapd-modules/passwd/sha2/README index 68cc62f2be..11bbe1e38e 100644 --- a/contrib/slapd-modules/passwd/sha2/README +++ b/contrib/slapd-modules/passwd/sha2/README @@ -1,13 +1,9 @@ -SHA-512 OpenLDAP support ------------------------- +SHA-2 OpenLDAP support +---------------------- - Based on SHA2 implementation by Aaron D. Gifford (http://www.aarongifford.com/), also used in OpenBSD. - Adapted for OpenLDAP use by Jeff Turner - Distributed under open source BSD license - see code for details. - - -slapd-sha2.c provides support for SHA-512, SHA-384 and SHA-256 hashed passwords in -OpenLDAP. For instance, one could have the LDAP attribute: +slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256, +SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For +instance, one could have the LDAP attribute: userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg== 
@@ -25,20 +21,16 @@ all of which encode the password 'secret'. Building -------- -1) Obtain the OpenLDAP source, eg. 'apt-get source slapd'. Really we -only want the headers, but there doesn't seem to be a Debian package -with them. - -2) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP +1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP source root. -For initial testing you might also want to edit CCFLAGS to define +For initial testing you might also want to edit DEFS to define SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on in production, as it prints passwords in cleartext). -3) Run 'make' to produce slapd-sha2.so +2) Run 'make' to produce slapd-sha2.so -4) Copy slapd-sha2.so somewhere permanent. +3) Copy slapd-sha2.so somewhere permanent. 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: @@ -46,7 +38,19 @@ moduleload ...path/to/slapd-sha2.so 5) Restart slapd. -The {SHA512} scheme should now be recognised. + +Configuring +----------- + +The {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384} and {SHA512} +password schemes should now be recognised. + +You can also tell OpenLDAP to use one of these new schemes when processing LDAP +Password Modify Extended Operations, thanks to the password-hash option in +slapd.conf. For example: + +password-hash {SSHA512} + Testing ------- @@ -55,7 +59,7 @@ A quick way to test whether it's working is to customize the rootdn and rootpw in slapd.conf, eg: rootdn "cn=admin,dc=example,dc=com" -# This encrypts the string 'secret' +# This encrypts the string 'secret' rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= 
@@ -72,7 +76,7 @@ $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= $ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64 WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt -$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64 +$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64 vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm W192CF5bDufKRpayrW/isg== 
@@ -81,51 +85,60 @@ W192CF5bDufKRpayrW/isg== Alternatively we could modify an existing user's password with -ldapmodify, and then test binding as that user: - -$ ldapmodify -D "cn=admin,dc=example,dc=com" -x -W -Enter LDAP Password: -dn: uid=jturner,ou=People,dc=example,dc=com -changetype: modify -replace: userPassword -userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg== +ldappasswd, and then test binding as that user: -modifying entry "uid=jturner,ou=People,dc=example,dc=com" +$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com +New password: secret +Re-enter new password: secret +Enter LDAP Password: $ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret -Debugging ---------- +Debugging (SHA-512, SHA-384 and SHA-256 only) +--------------------------------------------- To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the -commented-out CCFLAGS in Makefile), and then run slapd from the console +commented-out DEFS in Makefile), and then run slapd from the console to see stderr: $ sudo /etc/init.d/slapd stop Stopping OpenLDAP: slapd. -$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d 256 +$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d stats @(#) $OpenLDAP$ buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd -/etc/ldap/slapd.conf: line 123: rootdn is always granted unlimited privileges. -/etc/ldap/slapd.conf: line 140: rootdn is always granted unlimited privileges. slapd starting ... 
Validating password - Password to validate: secret - Hashes to: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= - Stored password scheme: {SHA256} - Stored password value: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= - -> Passwords match + Hash scheme: {SHA256} + Password to validate: secret + Password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + Stored password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + Result: match conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0 conn=0 op=0 RESULT tag=97 err=0 text= conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" conn=0 fd=12 closed (connection lost) +--- + +This work is part of OpenLDAP Software . + +Copyright 2009-2014 The OpenLDAP Foundation. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. + +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +. +--- -Origin ------- +ACKNOWLEDGEMENT: +This work was initially developed by Jeff Turner for inclusion in +OpenLDAP Software, based upon the SHA-2 implementation independently +developed by Aaron Gifford. -Based on code maintained at: -http://confluence.atlassian.com/display/JIRAEXT/OpenLDAP+support+for+SHA-2+(SHA-256%2C+SHA-384%2C+SHA-512)+and+atlassian-sha1+passwords
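Review bot: in hunk @@ -1,13 +1,9 the intro now advertises the salted SSHA-512/384/256 schemes, but the only example attribute kept in context (`userPassword: {SHA512}vSsar37...`) is still an unsalted hash, and the following context says all examples encode 'secret'. Add an {SSHA512} example next to it and say that the salted variants are the ones to prefer: with an unsalted scheme every account sharing a password stores the same value, and precomputed-hash lookups against a leaked directory become practical. Note also that the three attribution lines removed here (Gifford, Turner, BSD licence) only survive if the ACKNOWLEDGEMENT block in the last hunk lands together with this change.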
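Review bot: in hunk @@ -46,7 +38,19 the scheme list in the new Configuring section repeats {SSHA256} and omits {SHA256}: `The {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384} and {SHA512}` should read `The {SSHA256}, {SSHA384}, {SSHA512}, {SHA256}, {SHA384} and {SHA512}` so it matches the six schemes named in the intro. The `password-hash {SSHA512}` example is a sensible default; since the preceding sentence scopes it to Password Modify Extended Operations, it would help to state plainly that values written directly to userPassword are stored as given, so an existing {SHA512} entry stays unsalted until the password is changed through that operation.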
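Review bot: hunk @@ -55,7 +59,7 only changes whitespace on `# This encrypts the string 'secret'`; while touching the line, replace "encrypts" with "hashes", since {SHA256} is a one-way digest rather than encryption, and the README elsewhere correctly speaks of "hashed passwords".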
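Review bot: hunk @@ -72,7 +76,7 is a whitespace-only change to the `openssl dgst -sha512` line, and the Testing section it sits in still only shows how to produce the unsalted {SHA256}/{SHA384}/{SHA512} values. Now that the README documents the {SSHA*} schemes and recommends `password-hash {SSHA512}`, add a recipe for producing a salted value (for example via slappasswd) so readers can test the scheme the server will actually generate.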
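Review bot: in hunk @@ -81,51 +85,60 the unchanged `ldapsearch ... -x -w secret` line passes the bind password on the command line, where it lands in shell history and process listings; switch it to `-W` so the user is prompted, as the new ldappasswd example already does with `-W`. In that ldappasswd transcript the lines `New password: secret` and `Re-enter new password: secret` show the password echoed, which the tool does not do; either drop the literal values or mark them as what the user typed. The new heading "Debugging (SHA-512, SHA-384 and SHA-256 only)" is a useful clarification that the SSHA schemes produce no debug output, and `-d stats` in place of `-d 256` is clearer.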