severity 746727 wishlist
tags 746727 - upstream + confirmed pending
thanks

Hi Michael,

On 02/05/14 02:19 PM, Michael Przybylski wrote:
> I ran into a particularly vexing problem with OpenLDAP:
> I populated a user record with a SSHA-512 user password via Apache Directory
> Studio and could verify that the password was correct, but I always got an
> "invalid credentials" error when trying to bind with that dn and password.
> 
> As a workaround, I changed the userPassword format to SSHA, and was able to
> bind successfully.
> 
> Could you please build and include this module with the slapd package?
> https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2

Thanks for this suggestion. It was straightforward to add building and
installing this module to the package, and it seems to work properly,
f.ex. with olcPasswordHash set to a SHA2 hash. I've committed it to the
Git repository.

The implementation is Aaron Gifford's sha2.c, released under a BSD
license that is very similar to the OpenLDAP license. I think it should
be OK to use.

slappasswd(8) doesn't load additional modules by default, so to test
generating such a password by hand (f.ex. to use as olcRootPW) I had to
tell it to load the module:

  /usr/sbin/slappasswd -o module-load=pw-sha2 -h '{SSHA512}'

I wanted to check the behaviour when dealing with a malformed hash, so I
generated a hash with slappasswd(8) and copied it into olcRootPW, but
truncated it a couple of characters before the end. Then slapd(8)
crashed in SHA512_Transform (in sha2.c) when I tried to authenticate!

I performed the same exercise with a built-in hash (SSHA) and got
"Invalid credentials" instead of a crash. Obviously passwords set using
ldappasswd(1) wouldn't have that problem, but it makes me wonder whether
it contains other bugs. (Yes, I'll try to find time to fix this one soon.)

> Furthermore, would you please consider loading it by default when debconf
> builds a new slapd.d?

I personally think the default configuration should load only the
strictly needed modules, and wait for the administrator to add more. I'm
especially not enthusiastic about depending on code from contrib/ in the
default setup, because it doesn't receive as much attention from the
OpenLDAP maintainers as the core code does; see for example the crasher
I already found. So for those reasons I have not made that change. Maybe
another committer has a different opinion.

thanks,
Ryan
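
As an added example (not code from this thread or from the pw-sha2 module), the following Python sketch builds values in the salted SHA-2 format the module provides and verifies a bind password against them the way the built-in {SSHA} scheme handles a truncated value: a malformed hash yields a failed check rather than a crash. It assumes the base64(digest || salt) layout and an 8-byte salt, neither of which the thread states, and covers all three salted schemes rather than only {SSHA512}.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Salted SHA-2 schemes provided by the pw-sha2 contrib module. Assumption (not
# stated in the thread): the stored value is base64(digest || salt), the same
# layout slapd's built-in {SSHA} scheme uses.
SCHEMES = {
    "{SSHA256}": hashlib.sha256,
    "{SSHA384}": hashlib.sha384,
    "{SSHA512}": hashlib.sha512,
}

def make_hash(password: bytes, scheme: str = "{SSHA512}",
              salt: Optional[bytes] = None) -> str:
    """Build a userPassword/olcRootPW value like slappasswd -h '{SSHA512}' emits."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8-byte random salt
    digest = SCHEMES[scheme](password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")

def check_password(stored: str, password: bytes) -> bool:
    """Verify a bind password without trusting the stored value's shape.

    Unknown scheme, invalid base64, or a decoded blob no longer than one digest
    all return False: the "Invalid credentials" outcome, never an exception.
    """
    end = stored.find("}")
    hasher = SCHEMES.get(stored[:end + 1]) if end > 0 else None
    if hasher is None:
        return False
    try:
        blob = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return False
    digest_len = hasher().digest_size
    # Length check before slicing: a blob with nothing beyond the digest has no
    # salt, so it cannot be a value make_hash (or slappasswd) produced.
    if len(blob) <= digest_len:
        return False
    digest, salt = blob[:digest_len], blob[digest_len:]
    # Constant-time comparison so timing does not leak digest prefixes.
    return hmac.compare_digest(hasher(password + salt).digest(), digest)
```

Dropping two characters from the end of a value, as in the olcRootPW experiment above, makes `check_password` return False at the base64 step; dropping four keeps the base64 valid and the mismatch is caught by the digest comparison instead.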

commit 4207c36b7d83456ba51d2ab487365ee039cf3fd3
Author: Ryan Tandy <r...@nardis.ca>
Date:   Sun May 4 15:13:18 2014 -0700

    build and install pw-sha2 contrib module (#746727)

diff --git a/debian/changelog b/debian/changelog
index cec3599..9ea1589 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ openldap (2.4.39-2) UNRELEASED; urgency=low
     - Don't silently ignore nonexistent directories that should be dumped.
     - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a 
       symlink. (Closes: #742862)
+  * debian/rules, debian/patches/pw-sha2-makefile: Build and install the sha2 
+    password module. (Closes: #746727)
 
   [ Jelmer Vernooij ]
   * Depend on heimdal-multidev rather than heimdal-dev.
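Review bot: the added changelog line "* debian/rules, debian/patches/pw-sha2-makefile: Build and install the sha2 " ends in a trailing space; drop it before committing (the context line "-H in case /var/lib/ldap is a " has the same problem, but that is pre-existing). The entry otherwise names both touched files and closes #746727, matching the commit subject.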
diff --git a/debian/patches/pw-sha2-makefile b/debian/patches/pw-sha2-makefile
new file mode 100644
index 0000000..6603c68
--- /dev/null
+++ b/debian/patches/pw-sha2-makefile
@@ -0,0 +1,44 @@
+--- a/contrib/slapd-modules/passwd/sha2/Makefile
++++ b/contrib/slapd-modules/passwd/sha2/Makefile
+@@ -2,11 +2,11 @@
+ 
+ LDAP_SRC = ../../../..
+ LDAP_BUILD = ../../../..
+-LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+-LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
+-	$(LDAP_BUILD)/libraries/liblber/liblber.la
++LDAP_INC = -I$(LDAP_BUILD)/debian/build/include -I$(LDAP_BUILD)/debian/build/servers/slapd -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
++LDAP_LIB = $(LDAP_BUILD)/debian/build/libraries/libldap_r/libldap_r.la \
++	$(LDAP_BUILD)/debian/build/libraries/liblber/liblber.la
+ 
+-LIBTOOL = $(LDAP_BUILD)/libtool
++LIBTOOL = $(LDAP_BUILD)/debian/build/libtool
+ CC = gcc
+ OPT = -g -O2 -Wall
+ DEFS = 
+@@ -17,13 +17,13 @@
+ PROGRAMS = pw-sha2.la
+ LTVER = 0:0:0
+ 
+-prefix=/usr/local
++prefix=/usr
+ exec_prefix=$(prefix)
+-ldap_subdir=/openldap
++ldap_subdir=/ldap
+ 
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+-moduledir = $(libexecdir)$(ldap_subdir)
++moduledir = $(libdir)$(ldap_subdir)
+ 
+ .SUFFIXES: .c .o .lo
+ 
+@@ -37,7 +37,7 @@
+ 	-rpath $(moduledir) -module -o $@ $? $(LIBS)
+ 
+ clean:
+-	rm -rf *.o *.lo *.la .libs
++	$(LIBTOOL) --mode=clean rm -f
+ 
+ install:	$(PROGRAMS)
+ 	mkdir -p $(DESTDIR)$(moduledir)
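Review bot: the rewritten clean rule `$(LIBTOOL) --mode=clean rm -f` names no files, so `make clean` in contrib/slapd-modules/passwd/sha2 now removes nothing and the build products have to be deleted by hand elsewhere; give it arguments, for example `$(LIBTOOL) --mode=clean rm -f $(PROGRAMS) *.lo *.o`. The patch also carries no DEP-3 header (Description, Author, Forwarded) recording why the `debian/build` include and library paths, `prefix=/usr`, `ldap_subdir=/ldap` and `moduledir = $(libdir)$(ldap_subdir)` are needed (so the module lands in /usr/lib/ldap beside the other contrib modules); adding one tells whoever next refreshes the contrib Makefile what must be preserved.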
diff --git a/debian/patches/series b/debian/patches/series
index aa9f65a..2239b82 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -20,3 +20,4 @@ switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
 no-bdb-ABI-second-guessing
 heimdal-fix
 0001-ITS-7723-fix-reference-counting.patch
+pw-sha2-makefile
diff --git a/debian/rules b/debian/rules
index 3cc14a9..d0c8d44 100755
--- a/debian/rules
+++ b/debian/rules
@@ -89,11 +89,13 @@ override_dh_auto_build:
 	dh_auto_build -- $(MAKEVARS)
 	$(MAKE) -C contrib/slapd-modules/smbk5pwd
 	$(MAKE) -C contrib/slapd-modules/autogroup
+	$(MAKE) -C contrib/slapd-modules/passwd/sha2
 
 override_dh_auto_install:
 	dh_auto_install -- $(MAKEVARS)
 	$(MAKE) -C contrib/slapd-modules/smbk5pwd install DESTDIR=$(installdir)
 	$(MAKE) -C contrib/slapd-modules/autogroup install DESTDIR=$(installdir)
+	$(MAKE) -C contrib/slapd-modules/passwd/sha2 install DESTDIR=$(installdir)
 
 	# Empty the dependency_libs file in the .la files.
 	for F in $(installdir)/usr/lib/ldap/*.la; do \
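Review bot: `$(MAKE) -C contrib/slapd-modules/passwd/sha2` is run without `$(MAKEVARS)` or any compiler or linker flag overrides, so the module is compiled with the contrib Makefile's own `CC = gcc` and `OPT = -g -O2 -Wall` rather than the flags dh_auto_build applies to the main tree; assuming the main build picks up the distribution's hardening flags, pw-sha2 will lack them. The smbk5pwd and autogroup lines have the same gap, but this module parses stored hashes during bind (the crash on a truncated olcRootPW described in the mail is the kind of defect those flags help contain), so consider overriding OPT on the make command line here. The install line is correctly placed before the loop that empties dependency_libs in `$(installdir)/usr/lib/ldap/*.la`, which only covers this module because the makefile patch moves moduledir to $(libdir)/ldap.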
@@ -181,3 +183,9 @@ override_dh_auto_clean:
 		contrib/slapd-modules/autogroup/autogroup.lo \
 		contrib/slapd-modules/autogroup/autogroup.la \
 		contrib/slapd-modules/autogroup/autogroup.o
+	rm -rf contrib/slapd-modules/passwd/sha2/.libs \
+		contrib/slapd-modules/passwd/sha2/pw-sha2.la \
+		contrib/slapd-modules/passwd/sha2/sha2.lo \
+		contrib/slapd-modules/passwd/sha2/sha2.o \
+		contrib/slapd-modules/passwd/sha2/slapd-sha2.lo \
+		contrib/slapd-modules/passwd/sha2/slapd-sha2.o
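Review bot: this hand-maintained list of six build products duplicates what the module's own clean target exists for, and the pw-sha2-makefile patch already rewrites that target; `$(MAKE) -C contrib/slapd-modules/passwd/sha2 clean` (once the target is given proper file arguments) would keep a single list of outputs and not silently miss a file if the module gains another source. If the explicit rm is kept for consistency with the autogroup block above, it should at least include any new object the Makefile starts producing.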