Hi,
I need some help getting this SSHA512 support. I found the module in the
contrib directory passwd/sha2, but the README is still the old readme. It
doesn't explain how to install the module after compilation.
This is what I was able to do so far:
On a clean CentOS VM make OpenLDAP 2-4-40
sudo yum -y install git
mkdir openldap && cd openldap
git clone git://git.openldap.org/openldap.git .
git tag -l
git checkout tags/OPENLDAP_REL_ENG_2_4_40
sudo yum -y install gcc
export CXXFLAGS="$CXXFLAGS -fPIC"
sudo yum -y install db4 db4-devel
./configure
make depend
sudo make
sudo make install
Make the sha2 module
cd ~/openldap/contrib/slapd-modules/passwd/sha2
sed -i.bak 's/-Wall -g/-Wall -g -fPIC/g' Makefile
make
This results in a number of files: pw-sha2.la, sha2.lo, sha2.o,
slapd-sha2.lo, slapd-sha2.o.
The question now is how to install this on my target OpenLDAP server. I put
the files in /usr/lib64/openldap and then tried to add the following:
dn: cn=module{0},cn=config
changetype: modify
replace: olcModuleLoad
olcModuleLoad: slapd-sha2.la
This gives me an error message:
+ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f sha2.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcModuleLoad> handler exited with 1
adding new entry "cn=module{0},cn=config"
The readme only describes how this used to work. I followed the readme for
an older version of OpenLDAP, 2.4.23. This produces one file, slapd-sha2.o,
exactly as described in the readme. I was able to install this module using
that readme. The problem is that I need SSHA-512, which the older module does
not support.
Any tips or suggestions will be much appreciated.
Thanks and Regards,
Onno
On Fri, Aug 29, 2014 at 9:15 AM, Quanah Gibson-Mount <[email protected]>
wrote:
> --On Friday, August 29, 2014 9:55 AM +0200 Ulrich Windl <
> [email protected]> wrote:
>
>> Bram Cymet <[email protected]> wrote on 28.08.2014 at 22:26 in message
>> <[email protected]>:
>>
>>> Hi,
>>>
>>> I am storing users passwords in a userPassword attribute. When the
>>> passwords are hashed with MD5 I can bind as the user just fine. If I
>>> hash the password with sha-256 I get invalid credentials.
>>>
>>
>> I wonder: My slappasswd only knows about {SHA} and {SSHA}, {MD5} and
>> {SMD5}, {CRYPT}, and {CLEARTEXT}. Section 14.4 of the manual indicates
>> that hashed passwords are non-standard anyway. So implement the
>> non-standard on your clients.
>>
>
> It takes 5 seconds to look in the contrib directory shipped with the
> source and find:
>
> SHA-2 OpenLDAP support
> ----------------------
>
> slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256,
> SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For
> instance, one could have the LDAP attribute:
>
> userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
>
> or:
>
> userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
>
> or:
>
> userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
>
> all of which encode the password 'secret'.
>
> (etc). As I already stated, there's a module for this. I use it on my
> systems to add SSHA512 support.
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
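The quoted README describes the userPassword encodings the slapd-sha2 module accepts: base64 of the digest for {SHA256}/{SHA384}/{SHA512}, and base64 of digest(password + salt) followed by the salt for the {SSHA*} variants. The following is an added example, not code from the thread or from the OpenLDAP contrib module, that generates and verifies such values so the format can be checked against the README's 'secret' samples; the 8-byte salt length in make_hash is an assumption made here, since verification just treats whatever follows the digest as the salt.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (hashlib algorithm, whether a salt is appended).
# Salted variants store base64(digest(password + salt) + salt), the
# unsalted ones store base64(digest(password)).
SCHEMES = {
    "{SHA256}": ("sha256", False), "{SSHA256}": ("sha256", True),
    "{SHA384}": ("sha384", False), "{SSHA384}": ("sha384", True),
    "{SHA512}": ("sha512", False), "{SSHA512}": ("sha512", True),
}


def make_hash(password: str, scheme: str = "{SSHA512}", salt_len: int = 8) -> str:
    """Produce a userPassword value for the given scheme.

    salt_len=8 is an assumption made here for illustration; the module
    chooses its own salt size, and check_password accepts any length.
    """
    algo, salted = SCHEMES[scheme]
    salt = os.urandom(salt_len) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Return True if candidate is the password behind a {SHA*}/{SSHA*} value."""
    scheme, sep, encoded = stored.partition("}")
    scheme += sep
    if scheme not in SCHEMES:
        return False  # another scheme ({SSHA}, {CRYPT}, ...) or cleartext
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and not salted):
        return False  # truncated value, or salt bytes on an unsalted scheme
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare
```

Running check_password against the README's {SHA256} and {SHA512} samples with the password 'secret' returns True, which is a quick way to confirm an installed module and a client-side generator agree on the encoding.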