From: Kurt Zeilenga Date: Thu, 14 Jun 2001 02:04:07 +0000 (+0000) Subject: Import crypt salt format and misc manual page updates from HEAD X-Git-Tag: OPENLDAP_REL_ENG_2_0_12~61 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=1df6e4297402a2c6a7158eae8182d9ad177cedbf;p=openldap Import crypt salt format and misc manual page updates from HEAD --- diff --git a/CHANGES b/CHANGES index 40e0814625..8ebb32444f 100644 --- a/CHANGES +++ b/CHANGES @@ -10,6 +10,7 @@ OpenLDAP 2.0.12 Engineering Added slapd modrdn children check (ITS#1053,1192) Added slapd sb_max_incoming_auth support (ITS#1181) Added slapd DB_ENV support + Added slapd crypt salt format support (ITS#1202) Updated slapd schema check handling Updated ldbm to use BerkeleyDB's CDB (ITS#1176) Updated slapd filter checks diff --git a/doc/man/man3/ldap.3 b/doc/man/man3/ldap.3 index 33b60534a3..c24335b478 100644 --- a/doc/man/man3/ldap.3 +++ b/doc/man/man3/ldap.3 @@ -91,12 +91,6 @@ The routines can be used test a URL to see if it is an LDAP URL, to parse LDAP URLs into their component pieces, and to initiate searches directly using an LDAP URL. -.SH USER FRIENDLY NAMING -The -.BR ldap_ufn (3) -routines implement a user friendly naming -scheme via LDAP. This scheme allows you to look up entries -using fuzzy, untyped names like "john smith, example corp, ca, us". .SH CACHING The .BR ldap_cache (3) @@ -310,9 +304,6 @@ convert a DN into its component parts .SM ldap_explode_rdn(3) convert a RDN into its component parts .TP -.SM ldap_dn2ufn(3) -convert a DN into user friendly form -.TP .SM ldap_get_values(3) return an attribute's values .TP 
@@ -391,24 +382,6 @@ synchronously search the directory .SM ldap_search_st(3) synchronously search the directory with timeout .TP -.SM ldap_ufn_search_s(3) -user friendly search the directory -.TP -.SM ldap_ufn_search_c(3) -user friendly search the directory with cancel -.TP -.SM ldap_ufn_search_ct(3) -user friendly search the directory with cancel and timeout -.TP -.SM ldap_ufn_setfilter(3) -set filter file used by ldap_ufn(3) routines -.TP -.SM ldap_ufn_setprefix(3) -set prefix used by ldap_ufn(3) routines -.TP -.SM ldap_ufn_timeout(3) -set timeout used by ldap_ufn(3) routines -.TP .SM ldap_is_ldap_url(3) check a URL string to see if it is an LDAP URL .TP diff --git a/doc/man/man3/ldap_bind.3 b/doc/man/man3/ldap_bind.3 index 4eb5d82101..84251abec5 100644 --- a/doc/man/man3/ldap_bind.3 +++ b/doc/man/man3/ldap_bind.3 @@ -3,7 +3,7 @@ .\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .SH NAME -ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_kerberos_bind_s, ldap_kerberos_bind1, ldap_kerberos_bind1_s, ldap_kerberos_bind2, ldap_kerberos_bind2_s, ldap_unbind, ldap_unbind_s, ldap_set_rebind_proc \- LDAP bind routines +ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_kerberos_bind_s, ldap_kerberos_bind1, ldap_kerberos_bind1_s, ldap_kerberos_bind2, ldap_kerberos_bind2_s, ldap_unbind, ldap_unbind_s \- LDAP bind routines .SH SYNOPSIS .nf .ft B @@ -74,12 +74,12 @@ LDAP *ld; int ldap_unbind_s(ld) .ft LDAP *ld; -.LP -.ft B -void ldap_set_rebind_proc( ld, rebindproc ) -.ft -LDAP *ld; -int (*rebindproc)(); +.\" .LP +.\" .ft B +.\" void ldap_set_rebind_proc( ld, rebindproc ) +.\" .ft +.\" LDAP *ld; +.\" int (*rebindproc)(); .SH DESCRIPTION .LP These routines provide various interfaces to the LDAP bind operation. 
@@ -154,38 +154,38 @@ The call is just another name for .BR ldap_unbind() ; both of these calls are synchronous in nature. -.SH RE-BINDING WHILE FOLLOWING REFERRALS -The -.B ldap_set_rebind_proc() -call is used to set a routine that will be called back to obtain bind -credentials used when a new server is contacted during the following of -an LDAP referral. Note that this function is only available when the -LDAP libraries are compiled with LDAP_REFERRALS defined and is only -used when the ld_options field in the LDAP structure has -LDAP_OPT_REFERRALS set (this is the default). If -.B ldap_set_rebind_proc() -is never called, or if it is called with a NULL \fIrebindproc\fP -parameter, an unauthenticated simple LDAP bind will always be done -when chasing referrals. -.LP -\fIrebindproc\fP should be a function that is declared like this: -.LP -.nf -int rebindproc( LDAP *ld, char **whop, char **credp, - int *methodp, int freeit ); -.fi -.LP -The LDAP library will first call the rebindproc to obtain the -referral bind credentials, and the \fIfreeit\fP parameter will be -zero. The \fIwhop\fP, \fIcredp\fP, and \fImethodp\fP should be -set as appropriate. If the rebindproc returns LDAP_SUCCESS, referral -processing continues, and the rebindproc will be called a second -time with \fIfreeit\fP non-zero to give your application a chance to -free any memory allocated in the previous call. -.LP -If anything but LDAP_SUCCESS is returned by the first call to -the rebindproc, then referral processing is stopped and that error code -is returned for the original LDAP operation. +.\" .SH RE-BINDING WHILE FOLLOWING REFERRALS +.\" The +.\" .B ldap_set_rebind_proc() +.\" call is used to set a routine that will be called back to obtain bind +.\" credentials used when a new server is contacted during the following of +.\" an LDAP referral. 
Note that this function is only available when the +.\" LDAP libraries are compiled with LDAP_REFERRALS defined and is only +.\" used when the ld_options field in the LDAP structure has +.\" LDAP_OPT_REFERRALS set (this is the default). If +.\" .B ldap_set_rebind_proc() +.\" is never called, or if it is called with a NULL \fIrebindproc\fP +.\" parameter, an unauthenticated simple LDAP bind will always be done +.\" when chasing referrals. +.\" .LP +.\" \fIrebindproc\fP should be a function that is declared like this: +.\" .LP +.\" .nf +.\" int rebindproc( LDAP *ld, char **whop, char **credp, +.\" int *methodp, int freeit ); +.\" .fi +.\" .LP +.\" The LDAP library will first call the rebindproc to obtain the +.\" referral bind credentials, and the \fIfreeit\fP parameter will be +.\" zero. The \fIwhop\fP, \fIcredp\fP, and \fImethodp\fP should be +.\" set as appropriate. If the rebindproc returns LDAP_SUCCESS, referral +.\" processing continues, and the rebindproc will be called a second +.\" time with \fIfreeit\fP non-zero to give your application a chance to +.\" free any memory allocated in the previous call. +.\" .LP +.\" If anything but LDAP_SUCCESS is returned by the first call to +.\" the rebindproc, then referral processing is stopped and that error code +.\" is returned for the original LDAP operation. .SH ERRORS Asynchronous routines will return -1 in case of error, setting the \fIld_errno\fP parameter of the \fIld\fP structure. Synchronous diff --git a/doc/man/man3/ldap_bind.3.links b/doc/man/man3/ldap_bind.3.links index ae1b7b86c6..793eb8d66a 100644 --- a/doc/man/man3/ldap_bind.3.links +++ b/doc/man/man3/ldap_bind.3.links @@ -12,4 +12,3 @@ ldap_unbind.3 ldap_unbind_ext.3 ldap_unbind_s.3 ldap_unbind_ext_s.3 -ldap_set_rebind_proc.3 diff --git a/doc/man/man3/ldap_cache.3 b/doc/man/man3/ldap_cache.3 index c0b356c343..c60842ecf8 100644 --- a/doc/man/man3/ldap_cache.3 +++ b/doc/man/man3/ldap_cache.3 
@@ -52,7 +52,9 @@ unsigned long opts; .fi .SH DESCRIPTION .LP -These routines are used to control the behavior of client caching of +These routines are used to control the behavior of the +.B experimental +client caching of .BR ldap_search (3) and .BR ldap_compare (3) diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index ef5aa5d727..f00f54f955 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -247,6 +247,20 @@ and The default is .BR {SSHA} . .TP +.B password-crypt-salt-format +Specify the format of the salt passed to +.BR crypt (3) +when generating {CRYPT} passwords. +This string needs to be in +.BR sprintf (3) +format and may include one (and only one) %s conversion. +This conversion will be substituted with a string random +characters from [A\-Za\-z0\-9./]. For example, "%.2s" +provides a two character salt and "$1$%.8s" tells some +versions of crypt(3) to use an MD5 algorithm and provides +8 random characters of salt. The default is "%s", which +provides 31 characters of salt. +.TP .B pidfile The ( absolute ) name of a file that will hold the .B slapd diff --git a/doc/man/man8/slappasswd.8 b/doc/man/man8/slappasswd.8 index 77ffd39490..8321419b42 100644 --- a/doc/man/man8/slappasswd.8 +++ b/doc/man/man8/slappasswd.8 @@ -10,6 +10,7 @@ slappasswd \- OpenLDAP password utility .B [\-u] .B [\-s secret] .B [\-h hash] +.B [\-c salt-format] .B .LP .SH DESCRIPTION @@ -21,13 +22,14 @@ suitable for use with or .BR slapd.conf (5) .I rootpw -coniguration directive. +configuration directive. .SH OPTIONS .TP .B \-v enable verbose mode. +.TP .B \-u -generate RFC2307 userPassword values (the default). Future +Generate RFC2307 userPassword values (the default). Future versions of this program may generate alternative syntaxes by default. This option is provided for forward compatibility. .TP 
@@ -35,6 +37,7 @@ by default. This option is provided for forward compatibility. The secret to hash. If not provided, the user will be prompted for the secret to hash. .TP +.BI \-h " scheme" If -h is specified, one of the following RFC2307 schemes may be specified: .IR {CRYPT} , @@ -44,7 +47,20 @@ be specified: .IR {SHA} . The default is .IR {SSHA} . -.LP +.TP +.BI \-c " crypt-salt-format" +Specify the format of the salt passed to +.BR crypt (3) +when generating {CRYPT} passwords. +This string needs to be in +.BR sprintf (3) +format and may include one (and only one) %s conversion. +This conversion will be substituted with a string random +characters from [A\-Za\-z0\-9./]. For example, "%.2s" +provides a two character salt and "$1$%.8s" tells some +versions of crypt(3) to use an MD5 algorithm and provides +8 random characters of salt. The default is "%s", which +provides 31 characters of salt. .SH LIMITATIONS The practice storing hashed passwords in userPassword violates Standard Track (RFC2256) schema specifications and may hinder diff --git a/include/lutil.h b/include/lutil.h index 4a6ae03637..7c5f3c5bcd 100644 --- a/include/lutil.h +++ b/include/lutil.h @@ -95,6 +95,10 @@ LDAP_LUTIL_F( int ) lutil_passwd_scheme LDAP_P(( const char *scheme )); +LDAP_LUTIL_F( int ) +lutil_salt_format LDAP_P(( + const char *format )); + /* utils.c */ LDAP_LUTIL_F( char* ) lutil_progname LDAP_P(( diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c index 8fc3a07ac9..a2cb60828a 100644 --- a/libraries/liblutil/passwd.c +++ b/libraries/liblutil/passwd.c @@ -57,6 +57,10 @@ static const unsigned char crypt64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./"; +#ifdef SLAPD_CRYPT +static const char *salt_format = NULL; +#endif + struct pw_scheme; typedef int (*PASSWD_CHK_FUNC)( 
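Review bot: The new `lutil_salt_format` prototype in lutil.h carries no comment, so the contract that the slapd.conf.5 and slappasswd.8 hunks describe (an sprintf(3)-style string with at most one `%s` conversion) is invisible to its callers in config.c and slappasswd.c, and neither the ownership of the string nor the meaning of the return value is stated. I would add above the declaration: `/* Set the sprintf(3)-style salt format used for {CRYPT} hashes. The string is copied; it may contain at most one %s conversion. Returns 0 on success. */`. The copy is visible in the passwd.c hunk of this commit (strdup); the single-%s rule is only documented, not enforced, so the comment should say that it is the caller's responsibility until validation is added.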
@@ -1017,7 +1021,7 @@ static struct berval *hash_crypt(
 	const struct berval *passwd )
 {
 	struct berval hash;
-	unsigned char salt[3];
+	unsigned char salt[32];	/* salt suitable for most anything */
 	int i;
 
 	for( i=0; ibv_len; i++) {
@@ -1030,13 +1034,22 @@ static struct berval *hash_crypt(
 		return NULL;	/* passwd must behave like a string */
 	}
 
-	if( lutil_entropy( salt, sizeof(salt)) < 0 ) {
+	if( lutil_entropy( salt, sizeof( salt ) ) < 0 ) {
 		return NULL;
 	}
 
-	salt[0] = crypt64[ salt[0] % (sizeof(crypt64)-1) ];
-	salt[1] = crypt64[ salt[1] % (sizeof(crypt64)-1) ];
-	salt[2] = '\0';
+	for( i=0; i< ( sizeof(salt) - 1 ); i++ ) {
+		salt[i] = crypt64[ salt[i] % (sizeof(crypt64)-1) ];
+	}
+	salt[sizeof( salt ) - 1 ] = '\0';
+
+	if( salt_format != NULL ) {
+		/* copy the salt we made into entropy before snprintfing
+		   it back into the salt */
+		char entropy[sizeof(salt)];
+		strcpy( entropy, salt );
+		snprintf( salt, sizeof(entropy), salt_format, entropy );
+	}
 
 	hash.bv_val = crypt( passwd->bv_val, salt );
 
@@ -1051,3 +1064,14 @@ static struct berval *hash_crypt(
 	return pw_string( scheme, &hash );
 }
 #endif
+
+int lutil_salt_format(const char *format)
+{
+#ifdef SLAPD_CRYPT
+	free(salt_format);
+
+	salt_format = format != NULL ? strdup(format) : NULL;
+#endif
+
+	return 0;
+}
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 1017736560..f97e28ce62 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -320,6 +320,17 @@ read_config( const char *fname )
 			default_passwd_hash = ch_strdup( cargv[1] );
 		}
 
+		} else if ( strcasecmp( cargv[0], "password-crypt-salt-format" ) == 0 )
+		{
+			if ( cargc < 2 ) {
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: missing format in "
+					"\"password-crypt-salt-format \" line\n",
+				    fname, lineno, 0 );
+				return 1;
+			}
+
+			lutil_salt_format( cargv[1] );
+
 		/* set SASL host */
 		} else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
 			if ( cargc < 2 ) {
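Review bot: `snprintf( salt, sizeof(entropy), salt_format, entropy )` uses an administrator-supplied string as the format argument with no check on its conversions, while the man pages in this commit only promise a single `%s`; a format containing `%n` or two conversions reads from or writes through arguments that were never passed. That check belongs where the string is set (lutil_salt_format), but this call should at least treat truncation as an error, because a silently truncated salt can change which crypt(3) algorithm the prefix selects: `if( snprintf( salt, sizeof(entropy), salt_format, entropy ) >= (int) sizeof(entropy) ) return NULL;`. Separately, `salt` is `unsigned char[]` but is handed to strcpy, snprintf and crypt, which take `char *`; the unsigned type is what keeps `salt[i] % (sizeof(crypt64)-1)` non-negative, so casts at the string calls rather than a type change are the fix for the pointer-sign warnings. hash_crypt continues past the end of this hunk.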
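Review bot: `free(salt_format)` is applied to a pointer declared `static const char *` (earlier hunk of this file), which discards the qualifier, and the `strdup` result is never checked, so an allocation failure silently drops the configured format and the fallback raw salt is used instead of the operation failing. This setter is also the only place the format string enters the process, so it is the natural place to enforce the "one %s conversion" rule the man pages state before hash_crypt passes the string to snprintf. The version below rejects anything other than literal text, `%%` and a single `%[.N]s`, and returns -1 on rejection or on a failed copy so the callers can fail closed; the interface is unchanged.
```c
int lutil_salt_format(const char *format)
{
#ifdef SLAPD_CRYPT
	/* accept only literal text, "%%" and one "%[.N]s" conversion:
	 * hash_crypt hands this string to snprintf as the format */
	if( format != NULL ) {
		const char *p;
		int conversions = 0;

		for( p = format; *p != '\0'; p++ ) {
			if( *p != '%' ) continue;
			p++;
			if( *p == '%' ) continue;
			while( *p == '.' || ( *p >= '0' && *p <= '9' ) ) p++;
			if( *p != 's' || conversions++ > 0 ) return -1;
		}
	}

	free( (char *) salt_format );
	salt_format = format != NULL ? strdup( format ) : NULL;

	if( format != NULL && salt_format == NULL ) return -1;
#endif

	return 0;
}
```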
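Review bot: The return value of `lutil_salt_format( cargv[1] )` is discarded, so a rejected format could never fail the configuration read, and when slapd is built without SLAPD_CRYPT the directive is accepted silently although it has no effect (the function body is empty in that case in the passwd.c hunk). As written the function always returns 0, so the check is a no-op today, but it costs one line and makes the directive fail closed once validation exists: `if ( lutil_salt_format( cargv[1] ) != 0 ) { Debug( LDAP_DEBUG_ANY, "%s: line %d: invalid password-crypt-salt-format\n", fname, lineno, 0 ); return 1; }`. read_config continues outside the hunk.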
diff --git a/servers/slapd/tools/slappasswd.c b/servers/slapd/tools/slappasswd.c
index 686132ef84..98d859a32e 100644
--- a/servers/slapd/tools/slappasswd.c
+++ b/servers/slapd/tools/slappasswd.c
@@ -31,6 +31,7 @@ usage(const char *s)
 		"Usage: %s [options]\n"
 		" -h hash\tpassword scheme\n"
 		" -s secret\tnew password\n"
+		" -c format\tcrypt(3) salt format\n"
 		" -u\t\tgenerate RFC2307 values (default)\n"
 		" -v\t\tincrease verbosity\n"
 		, s );
@@ -51,24 +52,28 @@ main( int argc, char *argv[] )
 	struct berval *hash = NULL;
 
 	while( (i = getopt( argc, argv,
-		"d:h:s:vu" )) != EOF )
+		"c:d:h:s:vu" )) != EOF )
 	{
 		switch (i) {
+		case 'c':	/* crypt salt format */
+			scheme = "{CRYPT}";
+			lutil_salt_format( optarg );
+			break;
+
 		case 'h':	/* scheme */
-			scheme = strdup (optarg);
+			scheme = strdup( optarg );
 			break;
 
 		case 's':	/* new password (secret) */
-			newpw = strdup (optarg);
-
 			{
 				char* p;
+				newpw = strdup( optarg );
 
 				for( p = optarg; *p != '\0'; p++ ) {
 					*p = '\0';
 				}
-			}
-			break;
+
+		} break;
 
 		case 'u':	/* RFC2307 userPassword */
 			break;
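Review bot: `case 'c'` assigns `scheme = "{CRYPT}"` unconditionally, so the outcome depends on option order: `-h {SSHA} -c '$1$%.8s'` silently emits a CRYPT hash and leaks the string `-h` strdup'd, while `-c '$1$%.8s' -h {SSHA}` silently ignores the salt format; `scheme` also ends up pointing at either a literal or heap memory depending on the path taken. I would keep the option orthogonal, `case 'c': lutil_salt_format( optarg ); break;`, and after the getopt loop warn when a format was given but the scheme is not {CRYPT}. The rest of main, including whether `scheme` is ever freed, lies outside the hunk, and the `-c` value is passed straight through, so any validation of the format has to live in lutil_salt_format.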