Public bug reported: The OpenLDAP-contrib module sha2 (located in contrib/slapd- modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap.
The problematic computation: $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2 {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54= The (correct) reference-value on the same system (or older ubuntu Versions): $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64 K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason. The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13: $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= Ubuntu: Description: Ubuntu 22.10 Release: 22.10 OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1 ** Affects: openldap (Ubuntu) Importance: Undecided Status: New ** Patch added: "openldap-contrib-sha2.patch" https://bugs.launchpad.net/bugs/2000817/+attachment/5638696/+files/openldap-contrib-sha2.patch -- You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to openldap in Ubuntu. Matching subscriptions: Ubuntu Server/Client Support Team https://bugs.launchpad.net/bugs/2000817 Title: Wrong SHA256-value computed on kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions -- Mailing list: https://launchpad.net/~enterprise-support Post to : enterprise-support@lists.launchpad.net Unsubscribe : https://launchpad.net/~enterprise-support More help : https://help.launchpad.net/ListHelp