Re: contrib modules to promote to mainline for 2.5?

2020-04-23 Thread Clément OUDOT


On 23/04/2020 at 15:44, Michael Ströder wrote:
> On 4/23/20 2:47 PM, Clément OUDOT wrote:
>> On 22/04/2020 at 18:15, Quanah Gibson-Mount wrote:
>>> Are there any contrib modules that we should consider promoting to
>>> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
>>> options.
>> Maybe smbk5pwd module and autogroup overlay?
> Is smbk5pwd really useful today?
>
> I'm asking although I made use of it in former deployments.
>
> 1. Kerberos functionality does not work with MIT Kerberos.
>
> 2. AFAICS NTLM password hashes (WinNT domain) will stop working with
> newer Windows versions. At least that's what I understood on the Samba
> mailing lists. Also storing NT password hashes is a security nightmare.


It can be useful to maintain compatibility with old systems.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: contrib modules to promote to mainline for 2.5?

2020-04-23 Thread Michael Ströder
On 4/23/20 2:47 PM, Clément OUDOT wrote:
> 
> On 22/04/2020 at 18:15, Quanah Gibson-Mount wrote:
>> Are there any contrib modules that we should consider promoting to
>> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
>> options.
> 
> Maybe smbk5pwd module and autogroup overlay?

Is smbk5pwd really useful today?

I'm asking although I made use of it in former deployments.

1. Kerberos functionality does not work with MIT Kerberos.

2. AFAICS NTLM password hashes (WinNT domain) will stop working with
newer Windows versions. At least that's what I understood on the Samba
mailing lists. Also storing NT password hashes is a security nightmare.

Ciao, Michael.


Re: contrib modules to promote to mainline for 2.5?

2020-04-23 Thread Clément OUDOT


On 22/04/2020 at 18:15, Quanah Gibson-Mount wrote:
> Are there any contrib modules that we should consider promoting to
> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
> options.
>
>

Maybe smbk5pwd module and autogroup overlay?

For autogroup overlay, it depends on the new features of dynlist overlay
(compatibility with memberOf for example)

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: contrib modules to promote to mainline for 2.5?

2020-04-23 Thread Ondřej Kuzník
On Wed, Apr 22, 2020 at 07:41:40PM +0200, Michael Ströder wrote:
> On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
>> Are there any contrib modules that we should consider promoting to
>> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
>> options.
> 
> +1 for pw-sha2 and pw-argon2.
> 
> FWIW:
> slapo-noopsrch and slapo-lastbind is what I use in almost every
> installation.

Might want to improve the core lastbind support to make that overlay
obsolete instead?

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP


Re: contrib modules to promote to mainline for 2.5?

2020-04-22 Thread Michael Ströder
On 4/22/20 8:57 PM, Quanah Gibson-Mount wrote:
> Ok.  I would note that the argon2 module adds a dependency on a 3rd
> party library, so we'd need to add detection for it?

If an automatic check is too much work I could live with a simple
configure option --enable-argon2 with a textual comment "needs
libsodium". The default could be --disable-argon2. So every downstream
package can easily switch it on.

Ciao, Michael.


Re: contrib modules to promote to mainline for 2.5?

2020-04-22 Thread Michael Ströder
On 4/22/20 8:17 PM, Gavin Henry wrote:
> What's the recommended hash for UserPassword at the moment? 

Tough question.

In Æ-DIR's default config I'm using non-portable settings available on
mainstream Linux distros since a couple of years:

password-hash {CRYPT}
password-crypt-salt-format "$6$rounds=2$%.16s"

I'm looking forward to get a strong portable hash algorithm.

Ciao, Michael.
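An added example, not code from this thread or from OpenLDAP, that puts the hash discussion into defender's terms: it builds and verifies userPassword values in the {SSHA} layout (and, assuming pw-sha2 uses the same base64(digest || salt) layout, its {SSHA256}/{SSHA384}/{SSHA512} variants) and classifies stored values by scheme the way this thread rates them. Everything beyond the {CRYPT} "$6$rounds=" setting quoted above, including the sample values, is constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re

# Salted digest schemes and the hashlib name behind each: {SSHA} is slapd's
# built-in default, the rest come from the contrib pw-sha2 module. Assumed
# storage layout for all of them: base64(digest(password || salt) || salt).
SALTED = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA384": "sha384", "SSHA512": "sha512"}
UNSALTED = {"SHA", "SHA256", "SHA384", "SHA512", "MD5"}  # fast digests without a salt

def hash_userpassword(password, scheme="SSHA", salt=None):
    """Build a {SCHEME}base64(...) value; salt is 8 random bytes unless given."""
    algo = SALTED[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def verify_userpassword(password, stored):
    """Check a candidate against a salted-digest value; other schemes yield False."""
    m = re.fullmatch(r"\{([A-Z0-9]+)\}([A-Za-z0-9+/=]+)", stored)
    if not m or m.group(1) not in SALTED:
        return False
    algo = SALTED[m.group(1)]
    blob = base64.b64decode(m.group(2))
    dlen = hashlib.new(algo).digest_size
    digest, salt = blob[:dlen], blob[dlen:]  # digest first, salt appended after it
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def classify(stored):
    """Map a stored value to the verdict the thread gives for its scheme."""
    m = re.match(r"\{([A-Z0-9]+)\}", stored)
    scheme = m.group(1) if m else "CLEARTEXT"
    if scheme == "ARGON2":
        return "strong: memory-hard (pw-argon2)"
    if scheme == "CRYPT":  # sha512crypt with explicit rounds is the non-portable setup above
        c = re.match(r"\{CRYPT\}\$6\$rounds=(\d+)\$", stored)
        return "sha512crypt, rounds=%s (strength depends on rounds)" % c.group(1) if c else "crypt(3): check $id$ prefix and rounds"
    if scheme in SALTED or scheme in UNSALTED:
        return "weak: fast digest, keep only for migration"
    return "weak: cleartext or unknown scheme"

# Constructed sample values, not real directory data (crypt/argon2 bodies are placeholders).
SAMPLE = [
    hash_userpassword("correct horse", "SSHA", b"\x01\x02\x03\x04"),
    "{CRYPT}$6$rounds=100000$abcdefgh$PLACEHOLDER",
    "{ARGON2}$argon2i$v=19$m=4096,t=3,p=1$PLACEHOLDER$PLACEHOLDER",
]
```

Running classify() over an exported userPassword column gives the count of entries still on fast digests, which is the population a rehash-on-next-bind policy has to cover.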


Re: contrib modules to promote to mainline for 2.5?

2020-04-22 Thread Michael Ströder
On 4/22/20 8:01 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
>>> Are there any contrib modules that we should consider promoting to
>>> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
>>> options.
>>
>> +1 for pw-sha2 and pw-argon2.
> 
> sha2 is already obsolete, for password purposes. I see no reason to promote 
> it.

Yes, SHA-2 is really weak. But moving pw-sha2 into mainline is *not*
promoting it.

I see some use when migrating from other LDAP servers.

Ciao, Michael.


Re: contrib modules to promote to mainline for 2.5?

2020-04-22 Thread Quanah Gibson-Mount
--On Wednesday, April 22, 2020 1:04 PM -0700 Philip Guenther wrote:

> Is there a ticket tracking this where the open question(s) for which a
> response is needed can be seen?  The obvious search of
> https://bugs.openldap.org/buglist.cgi?quicksearch=bcrypt

There wouldn't be, as it requires the author to contribute it as noted in:


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: contrib modules to promote to mainline for 2.5?

2020-04-22 Thread Quanah Gibson-Mount
--On Wednesday, April 22, 2020 8:01 PM +0100 Howard Chu wrote:

> Michael Ströder wrote:
>> On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
>>> Are there any contrib modules that we should consider promoting to
>>> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
>>> options.
>>
>> +1 for pw-sha2 and pw-argon2.
>
> sha2 is already obsolete, for password purposes. I see no reason to
> promote it.

Ok.  I would note that the argon2 module adds a dependency on a 3rd party
library, so we'd need to add detection for it?

That's one reason to keep pw-sha2.  It's still better than the default SSHA.

Or perhaps to get bcrypt added, if we can ever get a proper response from
the author.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: contrib modules to promote to mainline for 2.5?

2020-04-22 Thread Gavin Henry
> >> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
> >> options.
> >
> > +1 for pw-sha2 and pw-argon2.
>
> sha2 is already obsolete, for password purposes. I see no reason to
> promote it.

What's the recommended hash for UserPassword at the moment?

Thanks.



Re: contrib modules to promote to mainline for 2.5?

2020-04-22 Thread Howard Chu
Michael Ströder wrote:
> On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
>> Are there any contrib modules that we should consider promoting to
>> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
>> options.
> 
> +1 for pw-sha2 and pw-argon2.

sha2 is already obsolete, for password purposes. I see no reason to promote it.
> 
> FWIW:
> slapo-noopsrch and slapo-lastbind is what I use in almost every
> installation.
> 
> Ciao, Michael.
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: contrib modules to promote to mainline for 2.5?

2020-04-22 Thread Michael Ströder
On 4/22/20 6:15 PM, Quanah Gibson-Mount wrote:
> Are there any contrib modules that we should consider promoting to
> mainline for the 2.5 series?  I.e., sha2, argon2 seem like potential
> options.

+1 for pw-sha2 and pw-argon2.

FWIW:
slapo-noopsrch and slapo-lastbind is what I use in almost every
installation.

Ciao, Michael.