X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=contrib%2Fslapd-modules%2Fpasswd%2Fsha2%2FREADME;h=f91fd5d2ad7f9a82f0cbb6f94f45d96aa97be893;hb=9ac070beb39ea164633914151f1c1a159d870730;hp=50054e6807f3674c0c669db80c96ee3949befafa;hpb=fc1396fa2e94ee2e752fd7c3ea5bb22f6592398a;p=openldap diff --git a/contrib/slapd-modules/passwd/sha2/README b/contrib/slapd-modules/passwd/sha2/README index 50054e6807..f91fd5d2ad 100644 --- a/contrib/slapd-modules/passwd/sha2/README +++ b/contrib/slapd-modules/passwd/sha2/README @@ -1,8 +1,9 @@ -SHA-512 OpenLDAP support ------------------------- +SHA-2 OpenLDAP support +---------------------- -slapd-sha2.c provides support for SHA-512, SHA-384 and SHA-256 hashed passwords in -OpenLDAP. For instance, one could have the LDAP attribute: +slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256, +SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For +instance, one could have the LDAP attribute: userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg== @@ -23,7 +24,7 @@ Building 1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP source root. -For initial testing you might also want to edit CCFLAGS to define +For initial testing you might also want to edit DEFS to define SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on in production, as it prints passwords in cleartext). @@ -41,13 +42,14 @@ moduleload ...path/to/slapd-sha2.so Configuring ----------- -The {SHA256}, {SHA384} and {SHA512} password schemes should now be recognised. +The {SSHA256}, {SSHA384}, {SSHA512}, {SSHA256}, {SHA384} and {SHA512} +password schemes should now be recognised. You can also tell OpenLDAP to use one of these new schemes when processing LDAP Password Modify Extended Operations, thanks to the password-hash option in slapd.conf. For example: -password-hash {SHA256} +password-hash {SSHA512} Testing @@ -57,7 +59,7 @@ A quick way to test whether it's working is to customize the rootdn and rootpw in slapd.conf, eg: rootdn "cn=admin,dc=example,dc=com" -# This encrypts the string 'secret' +# This encrypts the string 'secret' rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= @@ -74,7 +76,7 @@ $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= $ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64 WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt -$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64 +$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64 vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm W192CF5bDufKRpayrW/isg== @@ -83,42 +85,36 @@ W192CF5bDufKRpayrW/isg== Alternatively we could modify an existing user's password with -ldapmodify, and then test binding as that user: +ldappasswd, and then test binding as that user: -$ ldapmodify -D "cn=admin,dc=example,dc=com" -x -W -Enter LDAP Password: -dn: uid=jturner,ou=People,dc=example,dc=com -changetype: modify -replace: userPassword -userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg== - -modifying entry "uid=jturner,ou=People,dc=example,dc=com" +$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com +New password: secret +Re-enter new password: secret +Enter LDAP Password: $ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret -Debugging ---------- +Debugging (SHA-512, SHA-384 and SHA-256 only) +--------------------------------------------- To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the -commented-out CCFLAGS in Makefile), and then run slapd from the console +commented-out DEFS in Makefile), and then run slapd from the console to see stderr: $ sudo /etc/init.d/slapd stop Stopping OpenLDAP: slapd. -$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d 256 +$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d stats @(#) $OpenLDAP$ buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd -/etc/ldap/slapd.conf: line 123: rootdn is always granted unlimited privileges. -/etc/ldap/slapd.conf: line 140: rootdn is always granted unlimited privileges. slapd starting ... Validating password - Password to validate: secret - Hashes to: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= - Stored password scheme: {SHA256} - Stored password value: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= - -> Passwords match + Hash scheme: {SHA256} + Password to validate: secret + Password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + Stored password hash: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= + Result: match conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0 conn=0 op=0 RESULT tag=97 err=0 text= conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" @@ -128,7 +124,7 @@ conn=0 fd=12 closed (connection lost) This work is part of OpenLDAP Software . -Copyright 2009-2012 The OpenLDAP Foundation. +Copyright 2009-2013 The OpenLDAP Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without @@ -143,6 +139,6 @@ top-level directory of the distribution or, alternatively, at ACKNOWLEDGEMENT: This work was initially developed by Jeff Turner for inclusion in -OpenLDAP Software, based upon the SHA2 implementation independently +OpenLDAP Software, based upon the SHA-2 implementation independently developed by Aaron Gifford.