SHA-512 OpenLDAP support
------------------------

Based on SHA2 implementation by Aaron D. Gifford (http://www.aarongifford.com/), also used in OpenBSD.
Adapted for OpenLDAP use by Jeff Turner <jeff@atlassian.com>
Distributed under open source BSD license - see code for details.

slapd-sha2.c provides support for SHA-512, SHA-384 and SHA-256 hashed passwords in
OpenLDAP. For instance, one could have the LDAP attribute:

userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt

userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

all of which encode the password 'secret'.
1) Obtain the OpenLDAP source, eg. 'apt-get source slapd'. Really we
only want the headers, but there doesn't seem to be a Debian package

2) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP

For initial testing you might also want to edit CCFLAGS to define
SLAPD_SHA2_DEBUG, which enables logging to stderr (don't leave this on
in production, as it prints passwords in cleartext).

3) Run 'make' to produce slapd-sha2.so

4) Copy slapd-sha2.so somewhere permanent.

5) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add:

moduleload ...path/to/slapd-sha2.so

The {SHA512} scheme should now be recognised.
A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, eg:

rootdn "cn=admin,dc=example,dc=com"
# This is the SHA-256 hash of the string 'secret'
rootpw {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

Then to test, run something like:

ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret

Test hashes can be generated with openssl:

$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
$ echo -n "secret" | openssl dgst -sha384 -binary | openssl enc -base64
WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cm
W192CF5bDufKRpayrW/isg==

('openssl enc -base64' wraps its output at 64 characters; join those lines
up to form the full hash)
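As an added example (not code from the module or this README), the following Python reproduces how these {SHA256}/{SHA384}/{SHA512} values are formed and how a bind check against one works, matching the openssl output above for 'secret'. Function names and the sample entry value are my own constructions.

```python
import base64
import hashlib
import hmac

# Digest behind each scheme tag handled by slapd-sha2.
SCHEMES = {
    "{SHA256}": hashlib.sha256,
    "{SHA384}": hashlib.sha384,
    "{SHA512}": hashlib.sha512,
}


def make_userpassword(password, scheme="{SHA512}"):
    """Build a userPassword value: scheme tag + base64 of the raw digest.

    This mirrors the openssl pipeline in the README. No salt is involved,
    so the same password always yields the same value under a given scheme.
    """
    digest = SCHEMES[scheme](password.encode("utf-8")).digest()
    return scheme + base64.b64encode(digest).decode("ascii")


def check_userpassword(stored, candidate):
    """Return True if `candidate` hashes to the stored {SHAnnn}... value.

    Unknown schemes, malformed base64 and wrong-length digests are all
    rejected (False) rather than raised, as a bind attempt should see.
    """
    scheme = next((s for s in SCHEMES if stored.startswith(s)), None)
    if scheme is None:
        return False
    try:
        stored_digest = base64.b64decode(stored[len(scheme):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(stored_digest) != SCHEMES[scheme]().digest_size:
        return False
    candidate_digest = SCHEMES[scheme](candidate.encode("utf-8")).digest()
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(stored_digest, candidate_digest)


# Constructed sample attribute value, as it would appear in an LDIF entry.
SAMPLE_ENTRY_VALUE = make_userpassword("secret", "{SHA256}")

if __name__ == "__main__":
    for tag in SCHEMES:
        print("userPassword:", make_userpassword("secret", tag))
    print("bind ok:", check_userpassword(SAMPLE_ENTRY_VALUE, "secret"))
```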
Alternatively we could modify an existing user's password with
ldapmodify, and then test binding as that user:

$ ldapmodify -D "cn=admin,dc=example,dc=com" -x -W
dn: uid=jturner,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

modifying entry "uid=jturner,ou=People,dc=example,dc=com"

$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret

To see what's going on, recompile with SLAPD_SHA2_DEBUG (use the
commented-out CCFLAGS in Makefile), and then run slapd from the console

$ sudo /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
$ sudo /usr/sbin/slapd -f /etc/ldap/slapd.conf -h ldap://localhost:389 -d 256
@(#) $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/sha2/README,v 1.1.2.1 2009/01/26 21:07:06 quanah Exp $
	buildd@palmer:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
/etc/ldap/slapd.conf: line 123: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 140: rootdn is always granted unlimited privileges.

Password to validate: secret
Hashes to: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
Stored password scheme: {SHA256}
Stored password value: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
conn=0 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=0 fd=12 closed (connection lost)

Based on code maintained at:
http://confluence.atlassian.com/display/JIRAEXT/OpenLDAP+support+for+SHA-2+(SHA-256%2C+SHA-384%2C+SHA-512)+and+atlassian-sha1+passwords