[RFC] BCrypt module installation #150

Closed
kopax opened this issue Oct 7, 2017 · 3 comments
kopax commented Oct 7, 2017

Hi everyone,

I would like to install some new crypting algorithm because we are not satisfied with the existing one.
So far we have found two interesting extensions:

We decided to go for the 2nd one for internal reasons. This is how we followed the tutorial:

FROM osixia/openldap:1.1.9

ARG BUILD_ENV
ENV BUILD_ENV=${BUILD_ENV:-"prod"}

ENV PREFIX=/opt
ENV OPENLDAP_INSTALL_DIR=${PREFIX}/ldap
ENV OPENLDAP_VERSION=2.4.45

# Temporary install deps
RUN apt-get update
RUN apt-get install -y wget build-essential git libtool libdb-dev groff groff-base

# Build tmp OpenLDAP
RUN mkdir -p ${PREFIX}
WORKDIR ${PREFIX}
RUN wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-${OPENLDAP_VERSION}.tgz
RUN tar xzf openldap-${OPENLDAP_VERSION}.tgz
RUN mv openldap-${OPENLDAP_VERSION} ldap
WORKDIR ${OPENLDAP_INSTALL_DIR}
RUN ./configure --prefix=${PREFIX} --enable-modules
RUN make depend
RUN make
RUN make install

# Build bcrypt OpenLDAP
RUN mkdir -p ${OPENLDAP_INSTALL_DIR}/contrib/slapd-modules/passwd
WORKDIR ${OPENLDAP_INSTALL_DIR}/contrib/slapd-modules/passwd
RUN git clone https://github.com/wclarie/openldap-bcrypt.git bcrypt
WORKDIR ${OPENLDAP_INSTALL_DIR}/contrib/slapd-modules/passwd/bcrypt
RUN make
RUN make install

# install BCrypt lib
RUN cp /usr/local/libexec/openldap/pw-bcrypt.so /usr/lib/ldap/pw-bcrypt.so

# Remove tmp OpenLDAP build
RUN rm -rf ${OPENLDAP_INSTALL_DIR}
RUN rm -rf /usr/local/libexec

# Remove installed deps
RUN apt-get remove -y wget build-essential git libtool libdb-dev groff groff-base
RUN apt-get autoclean && \
  rm -rf /var/lib/apt/lists/* && \
  rm -rf /usr/share/locale/* && \
  rm -rf /usr/share/man/* && \
  rm -rf /usr/share/doc/*

# Osixia/OpenLDAP extension
ADD bootstrap /container/service/slapd/assets/config/bootstrap
ADD environment/${BUILD_ENV} /container/environment/01-custom

WORKDIR /

I am looking for help to finish the configuration.

Their doc says to edit slapd.conf while osixia/docker-openldap says:

Do not edit slapd.conf it's not used. To modify your server configuration use ldap utils: ldapmodify / ldapadd / ldapdelete

First: is OpenLDAP configured with --enable-modules when installed through apt? I guess yes, but it is a requirement:

Dynamically loaded modules
These may only be used if the --enable-modules option was used to configure the software.

Source: https://www.openldap.org/doc/admin24/slapdconf2.html

Secondly, I have created a file bootstrap/custom/enable-bcrypt.ldif:

# Add bcrypt support
dn: cn=module{0},cn=config
changetype: add
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: /usr/lib/ldap/pw-bcrypt.so

There are two cases:

  1. Apply BCrypt support on existing OpenLDAP database.
  2. Apply BCrypt support on new OpenLDAP database installation.

Apply BCrypt support on existing OpenLDAP database.

Starting my server with the new enable-bcrypt.ldif file didn't seem to produce anything.
A bit of help would be appreciated to write the proper ldif file, I might have to do it through PHPLdapAdmin import to change the cn=config on the fly.

Apply BCrypt support on new OpenLDAP database installation.

I feel the enable-bcrypt.ldif file gets ignored, how do I verify that it worked?

Has anyone ever tried to implement an OpenLDAP crypting module?
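
One way to answer the "how do I verify that it worked?" question above, as an added example that is not part of the original thread: list the olcModuleList entries under cn=config and check whether the module appears among the olcModuleLoad values. The function names and the sample LDIF are constructed, and the ldapsearch command in the comment assumes root access inside the container with the ldapi socket enabled.

```shell
#!/bin/sh
# Added example: names and sample data are constructed, not from the thread.

# Read LDIF on stdin, unfold continuation lines (they start with one
# space), and print each olcModuleLoad value without its {N} prefix.
loaded_modules() {
    awk '
        function emit(l,   v) {
            if (l ~ /^olcModuleLoad: /) {
                v = substr(l, 16)
                sub(/^[{][0-9]+[}]/, "", v)
                print v
            }
        }
        /^ / { buf = buf substr($0, 2); next }
        { emit(buf); buf = $0 }
        END { emit(buf) }
    '
}

# Succeed if a loaded module matches $1 once the directory and the
# extension are stripped, so "pw-bcrypt" matches a full path or bare name.
module_is_loaded() {
    loaded_modules | sed 's|.*/||; s|\.[^.]*$||' | grep -qxF -- "$1"
}

# Constructed cn=config excerpt: module list before the bcrypt module.
sample_before() {
    printf '%s\n' 'dn: cn=module{0},cn=config' \
        'objectClass: olcModuleList' \
        'cn: module{0}' \
        'olcModuleLoad: {0}back_mdb' \
        'olcModuleLoad: {1}memberof'
}

# Same entry after the module was added; the value is folded on purpose.
sample_after() {
    sample_before
    printf '%s\n' 'olcModuleLoad: {2}/usr/lib/ldap/pw-bc' ' rypt.so'
}

# Against a live server (assumes root inside the container, ldapi enabled):
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
#     '(objectClass=olcModuleList)' olcModuleLoad | module_is_loaded pw-bcrypt
for s in sample_before sample_after; do
    if $s | module_is_loaded pw-bcrypt; then r=loaded; else r="not loaded"; fi
    echo "$s: pw-bcrypt $r"
done
```

A module that is listed here but whose file is missing from the module directory prevents slapd from starting, so the check is only meaningful against a running server.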

kopax commented Oct 8, 2017

Solved out by placing it in /usr/lib/ldap/pw-bcrypt.so

@kopax kopax closed this as completed Oct 8, 2017

bashirdeen commented Jul 7, 2020

Hi @kopax, can you please elaborate on how you resolved this issue?

I couldn't understand it from your comment below:
"Solved out by placing it in /usr/lib/ldap/pw-bcrypt.so"

howardlau1999 commented

Hi @kopax, can you please elaborate on how you resolved this issue?

I couldn't understand it from your comment below:
"Solved out by placing it in /usr/lib/ldap/pw-bcrypt.so"

You can refer to my solution: https://github.com/howardlau1999/openldap-bcrypt-docker/blob/master/Dockerfile
This works well for me.
