NOTE: This module has already been merged into the official OpenLDAP repository; see contrib/slapd-modules/passwd/pbkdf2/. However, the module in the official release does not support GnuTLS yet. Please use this repository if you need to build with GnuTLS.
pw-pbkdf2.c provides PBKDF2 (RFC 2898) password hashing schemes for OpenLDAP slapd.
Schemes:
- {PBKDF2} - alias to {PBKDF2-SHA1}
- {PBKDF2-SHA1}
- {PBKDF2-SHA256}
- {PBKDF2-SHA512}
Requirements (one of the following crypto libraries):
- OpenSSL 1.0.0 or later, or
- Nettle 2.7.1 or later
First, you need to configure and build OpenLDAP with the --enable-modules option.
$ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/
$ git clone https://github.com/hamano/openldap-pbkdf2.git
$ cd openldap-pbkdf2/
$ make
# make install
In slapd.conf:
moduleload pw-pbkdf2.so
You can also tell OpenLDAP to use one of these schemes when processing LDAP Password Modify Extended Operations, via the password-hash option in slapd.conf. For example:
password-hash {PBKDF2}
or
password-hash {PBKDF2-SHA256}
or
password-hash {PBKDF2-SHA512}
You can generate a hash with slappasswd:
$ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
{PBKDF2}10000$8muAzQL.wFBo0phhjcMveQ$ac91mnXD6sxQQWub2qwonD5Q.QE
A quick way to test whether it is working is to set the rootdn and rootpw in slapd.conf, e.g.:
rootdn "cn=Manager,dc=example,dc=com"
rootpw {PBKDF2}10000$8muAzQL.wFBo0phhjcMveQ$ac91mnXD6sxQQWub2qwonD5Q.QE
Then bind as that rootdn with the cleartext password, for example:
$ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret
You can compile the module with the -DSLAPD_PBKDF2_DEBUG flag for debugging output.
Hash format (the scheme tag selects the digest, the iteration count is decimal, salt and derived key use Adapted Base64):
{PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>
A compatible hash can also be generated with Python Passlib:
#!/usr/bin/env python
from passlib.hash import ldap_pbkdf2_sha1
# passlib >= 1.7 renamed encrypt() to hash(); the output matches the pw-pbkdf2 format above
print(ldap_pbkdf2_sha1.hash("secret", rounds=10000))
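The verification side of that format, as an added example that is not part of the module (the module itself is C): a Python routine that parses a stored {PBKDF2*} value, recomputes the derived key with hashlib.pbkdf2_hmac and compares it in constant time. It assumes the Adapted Base64 is passlib's ab64 ('.' in place of '+', '/' kept, padding omitted), as the Passlib reference below describes.

```python
import base64
import hashlib
import hmac
import os
import re

# Scheme tag -> hashlib digest; {PBKDF2} is an alias for SHA1, as in the module.
DIGESTS = {"PBKDF2": "sha1", "PBKDF2-SHA1": "sha1",
           "PBKDF2-SHA256": "sha256", "PBKDF2-SHA512": "sha512"}
# Layout from the README: {SCHEME}<iterations>$<ab64 salt>$<ab64 derived key>
HASH_RE = re.compile(
    r"^\{(PBKDF2(?:-SHA(?:1|256|512))?)\}(\d+)\$([A-Za-z0-9./]+)\$([A-Za-z0-9./]+)$")
# Sample hash for the password "secret" taken from the README above.
README_HASH = "{PBKDF2}10000$8muAzQL.wFBo0phhjcMveQ$ac91mnXD6sxQQWub2qwonD5Q.QE"

def ab64_decode(text):
    """Adapted base64 (assumed to match passlib's ab64): '.' stands for '+',
    '/' is kept and the '=' padding is omitted."""
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4))

def ab64_encode(raw):
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")

def parse(stored):
    """Return (digest name, iterations, salt bytes, derived key bytes)."""
    m = HASH_RE.match(stored)
    if not m:
        raise ValueError("not a pw-pbkdf2 hash: %r" % stored)
    scheme, iterations, salt, dk = m.groups()
    return DIGESTS[scheme], int(iterations), ab64_decode(salt), ab64_decode(dk)

def make_hash(password, scheme="PBKDF2-SHA256", iterations=10000, salt=None):
    """Build a hash in the module's format; uses a 16-byte random salt unless given."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(DIGESTS[scheme], password.encode("utf-8"), salt, iterations)
    return "{%s}%d$%s$%s" % (scheme, iterations, ab64_encode(salt), ab64_encode(dk))

def verify(password, stored):
    """Recompute the derived key and compare in constant time; False on bad input."""
    try:
        digest, iterations, salt, dk = parse(stored)
    except ValueError:
        return False
    cand = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, len(dk))
    return hmac.compare_digest(cand, dk)

if __name__ == "__main__":
    print("README hash verifies with 'secret':", verify("secret", README_HASH))
    print(make_hash("secret", "PBKDF2-SHA512"))
```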
References:
- RFC 2898: Password-Based Cryptography
- PKCS #5 PBKDF2 Test Vectors
- RFC 2307: Using LDAP as a Network Information Service
- Python Passlib
- Adapted Base64 Encoding
This work is part of OpenLDAP Software http://www.openldap.org/.
Copyright 2009-2013 The OpenLDAP Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.
A copy of this license is available in the file LICENSE in the top-level directory of the distribution or, alternatively, at http://www.OpenLDAP.org/license.html.
This work was initially developed by HAMANO Tsukasa <hamano@osstech.co.jp>.
Contributor:
- Luca Bruno (lucab)