severity 746727 wishlist
tags 746727 - upstream + confirmed pending
thanks

Hi Michael,
On 02/05/14 02:19 PM, Michael Przybylski wrote:
> I ran into a particularly vexing problem with OpenLDAP:
> I populated a user record with a SSHA-512 user password via Apache Directory
> Studio and could verify that the password was correct, but I always got an
> "invalid credentials" error when trying to bind with that dn and password.
>
> As a workaround, I changed the userPassword format to SSHA, and was able to
> bind successfully.
>
> Could you please build and include this module with the slapd package?
> https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2

Thanks for this suggestion. It was straightforward to add building and installing this module to the package, and it seems to work properly, f.ex. with olcPasswordHash set to a SHA2 hash. I've committed it to the Git repository.

The implementation is Aaron Gifford's sha2.c, released under a BSD license that is very similar to the OpenLDAP license. I think it should be OK to use.

slappasswd(8) doesn't load additional modules by default, so to test generating such a password by hand (f.ex. to use as olcRootPW) I had to tell it to load the module:

    /usr/sbin/slappasswd -o module-load=pw-sha2 -h '{SSHA512}'

I wanted to check the behaviour when dealing with a malformed hash, so I generated a hash with slappasswd(8) and copied it into olcRootPW, but truncated it a couple of characters before the end. Then slapd(8) crashed in SHA512_Transform (in sha2.c) when I tried to authenticate! I performed the same exercise with a built-in hash (SSHA) and got "Invalid credentials" instead of a crash.

Obviously passwords set using ldappasswd(1) wouldn't have that problem, but it makes me wonder whether it contains other bugs. (Yes, I'll try to find time to fix this one soon.)

> Furthermore, would you please consider loading it by default when debconf
> builds a new slapd.d?
I personally think the default configuration should load only the strictly needed modules, and wait for the administrator to add more. I'm especially not enthusiastic about depending on code from contrib/ in the default setup, because it doesn't receive as much attention from the OpenLDAP maintainers as the core code does; see for example the crasher I already found. So for those reasons I have not made that change. Maybe another committer has a different opinion.

thanks,
Ryan
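A defensive verifier for the {SSHA512}-style values this thread is about, as an added example that is not part of the bug report, the pw-sha2 module or the Debian package: it rejects a stored hash truncated by a couple of characters (the olcRootPW case above) with "invalid credentials" semantics instead of feeding a short buffer to the digest compare, and it covers the other SHA-2 scheme names the module offers. The storage layout it assumes is the usual OpenLDAP one, base64 of digest followed by salt with the digest computed over password followed by salt; the function and constant names are this example's own.

```python
"""Defensive check of OpenLDAP {SHA*}/{SSHA*} userPassword values.

Added example, not code from the pw-sha2 module or the Debian package.
Assumed storage format (as pw-sha2 uses it): {SSHA512} stores
base64(digest || salt) with digest = SHA-512(password || salt); the
unsalted {SHA512} form stores base64(digest) alone.
"""
import base64
import hashlib
import hmac
import os

# scheme prefix -> (hash constructor, digest length in bytes, salted?)
SCHEMES = {
    "{SHA256}": (hashlib.sha256, 32, False),
    "{SHA384}": (hashlib.sha384, 48, False),
    "{SHA512}": (hashlib.sha512, 64, False),
    "{SSHA256}": (hashlib.sha256, 32, True),
    "{SSHA384}": (hashlib.sha384, 48, True),
    "{SSHA512}": (hashlib.sha512, 64, True),
}


def make_hash(scheme, password, salt=None):
    """Build a stored value the way slappasswd -h '{SSHA512}' would."""
    ctor, _, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = ctor(password.encode() + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify(stored, password):
    """True only for a well-formed value that matches; False for anything
    malformed (unknown scheme, bad base64, blob shorter than the digest),
    which is exactly the truncated-olcRootPW case that must not crash."""
    scheme = stored[: stored.find("}") + 1]
    if scheme not in SCHEMES:
        return False
    ctor, dlen, salted = SCHEMES[scheme]
    try:
        blob = base64.b64decode(stored[len(scheme):], validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad chars/padding
        return False
    if len(blob) < dlen or (not salted and len(blob) != dlen):
        return False  # check the length before touching the digest bytes
    digest, salt = blob[:dlen], blob[dlen:]
    expected = ctor(password.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)
```

Dropping two trailing characters from a {SSHA512} value breaks the base64 padding, while dropping a multiple of four leaves a shorter blob; both paths return False here rather than reaching the compare.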
commit 4207c36b7d83456ba51d2ab487365ee039cf3fd3 Author: Ryan Tandy <r...@nardis.ca> Date: Sun May 4 15:13:18 2014 -0700 build and install pw-sha2 contrib module (#746727) diff --git a/debian/changelog b/debian/changelog index cec3599..9ea1589 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,8 @@ openldap (2.4.39-2) UNRELEASED; urgency=low - Don't silently ignore nonexistent directories that should be dumped. - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a symlink. (Closes: #742862) + * debian/rules, debian/patches/pw-sha2-makefile: Build and install the sha2 + password module. (Closes: #746727) [ Jelmer Vernooij ] * Depend on heimdal-multidev rather than heimdal-dev. diff --git a/debian/patches/pw-sha2-makefile b/debian/patches/pw-sha2-makefile new file mode 100644 index 0000000..6603c68 --- /dev/null +++ b/debian/patches/pw-sha2-makefile 
@@ -0,0 +1,44 @@ +--- a/contrib/slapd-modules/passwd/sha2/Makefile ++++ b/contrib/slapd-modules/passwd/sha2/Makefile +@@ -2,11 +2,11 @@ + + LDAP_SRC = ../../../.. + LDAP_BUILD = ../../../.. +-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ +- $(LDAP_BUILD)/libraries/liblber/liblber.la ++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/debian/build/servers/slapd -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd ++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \ ++ $(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la + +-LIBTOOL = $(LDAP_BUILD)/libtool ++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool + CC = gcc + OPT = -g -O2 -Wall + DEFS = +@@ -17,13 +17,13 @@ + PROGRAMS = pw-sha2.la + LTVER = 0:0:0 + +-prefix=/usr/local ++prefix=/usr + exec_prefix=$(prefix) +-ldap_subdir=/openldap ++ldap_subdir=/ldap + + libdir=$(exec_prefix)/lib + libexecdir=$(exec_prefix)/libexec +-moduledir = $(libexecdir)$(ldap_subdir) ++moduledir = $(libdir)$(ldap_subdir) + + .SUFFIXES: .c .o .lo + +@@ -37,7 +37,7 @@ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +- rm -rf *.o *.lo *.la .libs ++ $(LIBTOOL) --mode=clean rm -f + + install: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) diff --git a/debian/patches/series b/debian/patches/series index aa9f65a..2239b82 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -20,3 +20,4 @@ switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff no-bdb-ABI-second-guessing heimdal-fix 0001-ITS-7723-fix-reference-counting.patch +pw-sha2-makefile diff --git a/debian/rules b/debian/rules index 3cc14a9..d0c8d44 100755 --- a/debian/rules +++ b/debian/rules 
@@ -89,11 +89,13 @@ override_dh_auto_build: dh_auto_build -- $(MAKEVARS) $(MAKE) -C contrib/slapd-modules/smbk5pwd $(MAKE) -C contrib/slapd-modules/autogroup + $(MAKE) -C contrib/slapd-modules/passwd/sha2 override_dh_auto_install: dh_auto_install -- $(MAKEVARS) $(MAKE) -C contrib/slapd-modules/smbk5pwd install DESTDIR=$(installdir) $(MAKE) -C contrib/slapd-modules/autogroup install DESTDIR=$(installdir) + $(MAKE) -C contrib/slapd-modules/passwd/sha2 install DESTDIR=$(installdir) # Empty the dependency_libs file in the .la files. for F in $(installdir)/usr/lib/ldap/*.la; do \ @@ -181,3 +183,9 @@ override_dh_auto_clean: contrib/slapd-modules/autogroup/autogroup.lo \ contrib/slapd-modules/autogroup/autogroup.la \ contrib/slapd-modules/autogroup/autogroup.o + rm -rf contrib/slapd-modules/passwd/sha2/.libs \ + contrib/slapd-modules/passwd/sha2/pw-sha2.la \ + contrib/slapd-modules/passwd/sha2/sha2.lo \ + contrib/slapd-modules/passwd/sha2/sha2.o \ + contrib/slapd-modules/passwd/sha2/slapd-sha2.lo \ + contrib/slapd-modules/passwd/sha2/slapd-sha2.o
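Review bot: in the first hunk of debian/patches/pw-sha2-makefile, the LDAP_INC, LDAP_LIB and LIBTOOL lines hardcode this package's debian/build out-of-tree directory into a patch against the upstream contrib Makefile; passing those three as make variables from debian/rules (which already hands $(MAKEVARS) to dh_auto_build) would keep the patch down to the prefix and moduledir changes and give the build directory a single definition.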
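Review bot: the new file debian/patches/pw-sha2-makefile opens directly with `--- a/contrib/slapd-modules/passwd/sha2/Makefile` and carries no DEP-3 header (Description, Author, Forwarded), so the second hunk's change of ldap_subdir from /openldap to /ldap and of moduledir to $(libdir)$(ldap_subdir) goes unexplained; a short header saying that this puts pw-sha2.la in /usr/lib/ldap next to smbk5pwd and autogroup, where the dependency_libs loop in debian/rules expects it, and that the patch is Debian-specific and not for forwarding, would cover it.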
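Review bot: the replacement clean target in the last Makefile hunk, `$(LIBTOOL) --mode=clean rm -f`, names no files, so unlike the removed `rm -rf *.o *.lo *.la .libs` it cannot remove anything; either append $(PROGRAMS) and the object files to that line, or drop the hunk, since debian/rules deletes the build products by hand anyway.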
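Review bot: the two new `$(MAKE) -C contrib/slapd-modules/passwd/sha2` lines in the override_dh_auto_build and override_dh_auto_install hunk pass no CC or CFLAGS overrides, and the patched Makefile's context lines show `CC = gcc` and `OPT = -g -O2 -Wall` as its only compiler settings, so whatever hardening flags the rest of the package is built with do not reach pw-sha2.la; for a module whose hash handling the reply above shows crashing in SHA512_Transform on a truncated olcRootPW, passing the package CFLAGS/LDFLAGS on these make lines (the smbk5pwd and autogroup lines they mirror have the same gap) is a cheap improvement.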
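Review bot: the override_dh_auto_clean hunk enumerates six build products by hand (.libs, pw-sha2.la, sha2.lo, sha2.o, slapd-sha2.lo, slapd-sha2.o) instead of running the module's own clean target; this matches the autogroup lines directly above it, but the list will silently go stale if the module gains a source file, and a `$(MAKE) -C contrib/slapd-modules/passwd/sha2 clean` would be the natural alternative once the Makefile's clean target actually removes its files.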