Added slapd modrdn children check (ITS#1053,1192)
Added slapd sb_max_incoming_auth support (ITS#1181)
Added slapd DB_ENV support
+ Added slapd crypt salt format support (ITS#1202)
Updated slapd schema check handling
Updated ldbm to use BerkeleyDB's CDB (ITS#1176)
Updated slapd filter checks
routines can be used test a URL to see if it is an LDAP URL, to parse LDAP
URLs into their component pieces, and to initiate searches directly using
an LDAP URL.
-.SH USER FRIENDLY NAMING
-The
-.BR ldap_ufn (3)
-routines implement a user friendly naming
-scheme via LDAP. This scheme allows you to look up entries
-using fuzzy, untyped names like "john smith, example corp, ca, us".
.SH CACHING
The
.BR ldap_cache (3)
.SM ldap_explode_rdn(3)
convert a RDN into its component parts
.TP
-.SM ldap_dn2ufn(3)
-convert a DN into user friendly form
-.TP
.SM ldap_get_values(3)
return an attribute's values
.TP
.SM ldap_search_st(3)
synchronously search the directory with timeout
.TP
-.SM ldap_ufn_search_s(3)
-user friendly search the directory
-.TP
-.SM ldap_ufn_search_c(3)
-user friendly search the directory with cancel
-.TP
-.SM ldap_ufn_search_ct(3)
-user friendly search the directory with cancel and timeout
-.TP
-.SM ldap_ufn_setfilter(3)
-set filter file used by ldap_ufn(3) routines
-.TP
-.SM ldap_ufn_setprefix(3)
-set prefix used by ldap_ufn(3) routines
-.TP
-.SM ldap_ufn_timeout(3)
-set timeout used by ldap_ufn(3) routines
-.TP
.SM ldap_is_ldap_url(3)
check a URL string to see if it is an LDAP URL
.TP
.\" Copyright 1998-2000 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
-ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_kerberos_bind_s, ldap_kerberos_bind1, ldap_kerberos_bind1_s, ldap_kerberos_bind2, ldap_kerberos_bind2_s, ldap_unbind, ldap_unbind_s, ldap_set_rebind_proc \- LDAP bind routines
+ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_kerberos_bind_s, ldap_kerberos_bind1, ldap_kerberos_bind1_s, ldap_kerberos_bind2, ldap_kerberos_bind2_s, ldap_unbind, ldap_unbind_s \- LDAP bind routines
.SH SYNOPSIS
.nf
.ft B
int ldap_unbind_s(ld)
.ft
LDAP *ld;
-.LP
-.ft B
-void ldap_set_rebind_proc( ld, rebindproc )
-.ft
-LDAP *ld;
-int (*rebindproc)();
+.\" .LP
+.\" .ft B
+.\" void ldap_set_rebind_proc( ld, rebindproc )
+.\" .ft
+.\" LDAP *ld;
+.\" int (*rebindproc)();
.SH DESCRIPTION
.LP
These routines provide various interfaces to the LDAP bind operation.
call is just another name for
.BR ldap_unbind() ;
both of these calls are synchronous in nature.
-.SH RE-BINDING WHILE FOLLOWING REFERRALS
-The
-.B ldap_set_rebind_proc()
-call is used to set a routine that will be called back to obtain bind
-credentials used when a new server is contacted during the following of
-an LDAP referral. Note that this function is only available when the
-LDAP libraries are compiled with LDAP_REFERRALS defined and is only
-used when the ld_options field in the LDAP structure has
-LDAP_OPT_REFERRALS set (this is the default). If
-.B ldap_set_rebind_proc()
-is never called, or if it is called with a NULL \fIrebindproc\fP
-parameter, an unauthenticated simple LDAP bind will always be done
-when chasing referrals.
-.LP
-\fIrebindproc\fP should be a function that is declared like this:
-.LP
-.nf
-int rebindproc( LDAP *ld, char **whop, char **credp,
- int *methodp, int freeit );
-.fi
-.LP
-The LDAP library will first call the rebindproc to obtain the
-referral bind credentials, and the \fIfreeit\fP parameter will be
-zero. The \fIwhop\fP, \fIcredp\fP, and \fImethodp\fP should be
-set as appropriate. If the rebindproc returns LDAP_SUCCESS, referral
-processing continues, and the rebindproc will be called a second
-time with \fIfreeit\fP non-zero to give your application a chance to
-free any memory allocated in the previous call.
-.LP
-If anything but LDAP_SUCCESS is returned by the first call to
-the rebindproc, then referral processing is stopped and that error code
-is returned for the original LDAP operation.
+.\" .SH RE-BINDING WHILE FOLLOWING REFERRALS
+.\" The
+.\" .B ldap_set_rebind_proc()
+.\" call is used to set a routine that will be called back to obtain bind
+.\" credentials used when a new server is contacted during the following of
+.\" an LDAP referral. Note that this function is only available when the
+.\" LDAP libraries are compiled with LDAP_REFERRALS defined and is only
+.\" used when the ld_options field in the LDAP structure has
+.\" LDAP_OPT_REFERRALS set (this is the default). If
+.\" .B ldap_set_rebind_proc()
+.\" is never called, or if it is called with a NULL \fIrebindproc\fP
+.\" parameter, an unauthenticated simple LDAP bind will always be done
+.\" when chasing referrals.
+.\" .LP
+.\" \fIrebindproc\fP should be a function that is declared like this:
+.\" .LP
+.\" .nf
+.\" int rebindproc( LDAP *ld, char **whop, char **credp,
+.\" int *methodp, int freeit );
+.\" .fi
+.\" .LP
+.\" The LDAP library will first call the rebindproc to obtain the
+.\" referral bind credentials, and the \fIfreeit\fP parameter will be
+.\" zero. The \fIwhop\fP, \fIcredp\fP, and \fImethodp\fP should be
+.\" set as appropriate. If the rebindproc returns LDAP_SUCCESS, referral
+.\" processing continues, and the rebindproc will be called a second
+.\" time with \fIfreeit\fP non-zero to give your application a chance to
+.\" free any memory allocated in the previous call.
+.\" .LP
+.\" If anything but LDAP_SUCCESS is returned by the first call to
+.\" the rebindproc, then referral processing is stopped and that error code
+.\" is returned for the original LDAP operation.
.SH ERRORS
Asynchronous routines will return -1 in case of error, setting the
\fIld_errno\fP parameter of the \fIld\fP structure. Synchronous
ldap_unbind_ext.3
ldap_unbind_s.3
ldap_unbind_ext_s.3
-ldap_set_rebind_proc.3
.fi
.SH DESCRIPTION
.LP
-These routines are used to control the behavior of client caching of
+These routines are used to control the behavior of the
+.B experimental
+client caching of
.BR ldap_search (3)
and
.BR ldap_compare (3)
The default is
.BR {SSHA} .
.TP
+.B password-crypt-salt-format <format>
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./]. For example, "%.2s"
+provides a two character salt and "$1$%.8s" tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt. The default is "%s", which
+provides 31 characters of salt.
+.TP
.B pidfile <filename>
The ( absolute ) name of a file that will hold the
.B slapd
.B [\-u]
.B [\-s secret]
.B [\-h hash]
+.B [\-c salt-format]
.B
.LP
.SH DESCRIPTION
or
.BR slapd.conf (5)
.I rootpw
-coniguration directive.
+configuration directive.
.SH OPTIONS
.TP
.B \-v
enable verbose mode.
+.TP
.B \-u
-generate RFC2307 userPassword values (the default). Future
+Generate RFC2307 userPassword values (the default). Future
versions of this program may generate alternative syntaxes
by default. This option is provided for forward compatibility.
.TP
The secret to hash. If not provided, the user will be prompted
for the secret to hash.
.TP
+.BI \-h " scheme"
If -h is specified, one of the following RFC2307 schemes may
be specified:
.IR {CRYPT} ,
.IR {SHA} .
The default is
.IR {SSHA} .
-.LP
+.TP
+.BI \-c " crypt-salt-format"
+Specify the format of the salt passed to
+.BR crypt (3)
+when generating {CRYPT} passwords.
+This string needs to be in
+.BR sprintf (3)
+format and may include one (and only one) %s conversion.
+This conversion will be substituted with a string random
+characters from [A\-Za\-z0\-9./]. For example, "%.2s"
+provides a two character salt and "$1$%.8s" tells some
+versions of crypt(3) to use an MD5 algorithm and provides
+8 random characters of salt. The default is "%s", which
+provides 31 characters of salt.
.SH LIMITATIONS
The practice storing hashed passwords in userPassword violates
Standard Track (RFC2256) schema specifications and may hinder
lutil_passwd_scheme LDAP_P((
const char *scheme ));
+LDAP_LUTIL_F( int )
+lutil_salt_format LDAP_P((
+ const char *format ));
+
/* utils.c */
LDAP_LUTIL_F( char* )
lutil_progname LDAP_P((
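Review bot: The new `lutil_salt_format` prototype carries no comment, yet its contract matters to both callers (slapd's config parser and slappasswd): a reader cannot tell whether the string is copied, whether NULL is accepted, or what the return value means. From the implementation shown later in this diff the string is duplicated with strdup(), NULL clears the setting, and 0 is the only value currently returned. Suggest placing `/* Set the printf-style template applied to the random {CRYPT} salt; the string is copied, NULL restores the raw salt. Returns 0 on success. */` above the declaration, and updating it if the function ever starts reporting failures.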
static const unsigned char crypt64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
+#ifdef SLAPD_CRYPT
+static const char *salt_format = NULL;
+#endif
+
struct pw_scheme;
typedef int (*PASSWD_CHK_FUNC)(
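Review bot: `static const char *salt_format = NULL;` has the wrong qualifier for what the variable holds: in `lutil_salt_format` further down the file it receives the result of strdup() and is passed to free(), and passing a `const char *` to free() discards the qualifier, which compilers diagnose. Declare it as the heap-owned string it is, `static char *salt_format = NULL;`, and keep `const` on the parameter of the setter only. A short comment such as `/* printf-style template applied to the random salt in hash_crypt(); NULL means the raw salt is used */` would also help, since the default behaviour is decided by the NULL check in hash_crypt rather than here.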
const struct berval *passwd )
{
struct berval hash;
- unsigned char salt[3];
+ unsigned char salt[32]; /* salt suitable for most anything */
int i;
for( i=0; i<passwd->bv_len; i++) {
return NULL; /* passwd must behave like a string */
}
- if( lutil_entropy( salt, sizeof(salt)) < 0 ) {
+ if( lutil_entropy( salt, sizeof( salt ) ) < 0 ) {
return NULL;
}
- salt[0] = crypt64[ salt[0] % (sizeof(crypt64)-1) ];
- salt[1] = crypt64[ salt[1] % (sizeof(crypt64)-1) ];
- salt[2] = '\0';
+ for( i=0; i< ( sizeof(salt) - 1 ); i++ ) {
+ salt[i] = crypt64[ salt[i] % (sizeof(crypt64)-1) ];
+ }
+ salt[sizeof( salt ) - 1 ] = '\0';
+
+ if( salt_format != NULL ) {
+ /* copy the salt we made into entropy before snprintfing
+ it back into the salt */
+ char entropy[sizeof(salt)];
+ strcpy( entropy, salt );
+ snprintf( salt, sizeof(entropy), salt_format, entropy );
+ }
hash.bv_val = crypt( passwd->bv_val, salt );
return pw_string( scheme, &hash );
}
#endif
+
+int lutil_salt_format(const char *format)
+{
+#ifdef SLAPD_CRYPT
+ free(salt_format);
+
+ salt_format = format != NULL ? strdup(format) : NULL;
+#endif
+
+ return 0;
+}
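Review bot: `snprintf( salt, sizeof(entropy), salt_format, entropy )` passes an administrator-supplied string as the format with no validation, although the new `lutil_salt_format` is the only entry point for that string and could enforce the documented "one (and only one) %s" rule; a template containing any other conversion, or more than one, is undefined behaviour in snprintf and nothing will report the mistake. The setter also always returns 0, so a failed strdup() silently falls back to the raw salt, and in a build without SLAPD_CRYPT the directive is accepted but has no effect. The sketch below validates the template, reports allocation failure and an unsupported build, and so lets the callers in the config parser and slappasswd refuse bad input. Separately, `salt` is `unsigned char[]` but is handed to strcpy/snprintf/crypt as `char *`, and `i` is an int compared with `sizeof(salt) - 1`; both will draw warnings under -Wall -Wextra.
```c
/* … unchanged: hash_crypt() … */

int lutil_salt_format(const char *format)
{
#ifdef SLAPD_CRYPT
	/* The template is handed to snprintf() in hash_crypt(), so only a
	 * single %s conversion (optionally with a precision, e.g. "%.8s")
	 * may appear; anything else would be undefined behaviour there. */
	if ( format != NULL ) {
		int nconv = 0;
		const char *p;

		for ( p = format; *p != '\0'; p++ ) {
			if ( *p != '%' ) {
				continue;
			}
			if ( p[1] == '%' ) {	/* literal percent sign */
				p++;
				continue;
			}
			for ( p++; *p == '.' || ( *p >= '0' && *p <= '9' ); p++ ) {
				;
			}
			if ( *p != 's' || ++nconv > 1 ) {
				return 1;	/* unsupported conversion */
			}
		}
	}

	free( salt_format );
	salt_format = format != NULL ? strdup( format ) : NULL;

	return ( format != NULL && salt_format == NULL ) ? 1 : 0;
#else
	return 1;	/* {CRYPT} support not compiled in */
#endif
}
```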
default_passwd_hash = ch_strdup( cargv[1] );
}
+ } else if ( strcasecmp( cargv[0], "password-crypt-salt-format" ) == 0 )
+ {
+ if ( cargc < 2 ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: missing format in "
+ "\"password-crypt-salt-format <format>\" line\n",
+ fname, lineno, 0 );
+ return 1;
+ }
+
+ lutil_salt_format( cargv[1] );
+
/* set SASL host */
} else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
if ( cargc < 2 ) {
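Review bot: The return value of `lutil_salt_format( cargv[1] );` is discarded, so once the setter is able to fail (bad template, strdup() failure, or a build without SLAPD_CRYPT where it is currently an empty stub) slapd would keep running with the raw salt while the administrator believes the directive took effect. Check it like the other directives in this block: `if ( lutil_salt_format( cargv[1] ) != 0 ) { Debug( LDAP_DEBUG_ANY, "%s: line %d: invalid or unsupported crypt salt format\n", fname, lineno, 0 ); return 1; }`. As written the setter always returns 0, so this check only becomes meaningful together with failure reporting in lutil_salt_format. The enclosing option-parsing function starts and ends outside the hunk.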
"Usage: %s [options]\n"
" -h hash\tpassword scheme\n"
" -s secret\tnew password\n"
+ " -c format\tcrypt(3) salt format\n"
" -u\t\tgenerate RFC2307 values (default)\n"
" -v\t\tincrease verbosity\n"
, s );
struct berval *hash = NULL;
while( (i = getopt( argc, argv,
- "d:h:s:vu" )) != EOF )
+ "c:d:h:s:vu" )) != EOF )
{
switch (i) {
+ case 'c': /* crypt salt format */
+ scheme = "{CRYPT}";
+ lutil_salt_format( optarg );
+ break;
+
case 'h': /* scheme */
- scheme = strdup (optarg);
+ scheme = strdup( optarg );
break;
case 's': /* new password (secret) */
- newpw = strdup (optarg);
-
{
char* p;
+ newpw = strdup( optarg );
for( p = optarg; *p != '\0'; p++ ) {
*p = '\0';
}
- }
- break;
+
+ } break;
case 'u': /* RFC2307 userPassword */
break;
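Review bot: `case 'c'` unconditionally sets `scheme = "{CRYPT}";`, which makes the outcome depend on option order: `-h {SSHA} -c fmt` silently replaces the requested scheme with {CRYPT}, while `-c fmt -h {SSHA}` keeps {SSHA} and the salt format is silently unused. It also stores a string literal in a variable that `case 'h'` fills with strdup() output, so any later free() of scheme (outside this hunk, if one exists) would be freeing a literal. Suggest leaving scheme untouched in `case 'c'` and reporting a usage error after option parsing when a salt format was given with a scheme other than {CRYPT}, or, if a default is intended, `if ( scheme == NULL ) scheme = strdup( "{CRYPT}" );` assuming scheme starts out NULL. Minor style point: the `} break;` closing `case 's'` should put `break;` on its own line as the other cases do. main() begins and ends outside the hunk.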