Name               Date          Size
Makefile           05-Sep-2025   1.5K
pw-pbkdf2.c        05-Sep-2025   12.3K
README             05-Sep-2025   2.5K
slapd-pw-pbkdf2.5  05-Sep-2025   2.8K

README

PBKDF2 for OpenLDAP
===================

pw-pbkdf2.c provides PBKDF2 key derivation functions in OpenLDAP.

Schemes:

 * {PBKDF2} - alias for {PBKDF2-SHA1}
 * {PBKDF2-SHA1}
 * {PBKDF2-SHA256}
 * {PBKDF2-SHA512}

# Requirements

  * OpenSSL 1.0.0 or later

# Installation

First, you need to configure and build OpenLDAP.

    $ cd <OPENLDAP_BUILD_DIR>/contrib/slapd-modules/passwd/
    $ git clone https://github.com/hamano/openldap-pbkdf2.git
    $ cd openldap-pbkdf2/
    $ make
    # make install

# Configuration

In slapd.conf:

    moduleload pw-pbkdf2.so

You can also tell OpenLDAP to use the schemes when processing LDAP
Password Modify Extended Operations, thanks to the password-hash
option in slapd.conf. For example:

    password-hash {PBKDF2}

or

    password-hash {PBKDF2-SHA256}

or

    password-hash {PBKDF2-SHA512}

# Testing

You can generate a hash with slappasswd.

    $ slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
    {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw

A quick way to test whether it's working is to customize the rootdn and
rootpw in slapd.conf, e.g.:

    rootdn "cn=Manager,dc=example,dc=com"
    rootpw {PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw

Then to test, run something like:

    $ ldapsearch -x -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w secret

# Debugging
You can specify the -DSLAPD_PBKDF2_DEBUG flag for debugging.

# Message Format

    {PBKDF2}<Iteration>$<Adapted Base64 Salt>$<Adapted Base64 DK>

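As an added example (not part of the original README or of pw-pbkdf2.c), this Python code parses and verifies values in the message format above. It assumes Adapted Base64 as defined by passlib ('.' in place of '+', padding dropped) and a derived key as long as the digest output; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Scheme -> (hashlib digest, DK length in bytes). Assumption: the DK length
# equals the digest size, which matches the 20-byte {PBKDF2} sample above.
SCHEMES = {"{PBKDF2}": ("sha1", 20), "{PBKDF2-SHA1}": ("sha1", 20),
           "{PBKDF2-SHA256}": ("sha256", 32), "{PBKDF2-SHA512}": ("sha512", 64)}

def ab64_encode(raw):
    """Adapted Base64 (passlib): '.' instead of '+', no '=' padding."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")

def ab64_decode(text):
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)  # raises ValueError on junk

def parse(stored):
    """Split a stored value into (scheme, iterations, salt, dk)."""
    end = stored.find("}") + 1
    scheme, fields = stored[:end], stored[end:].split("$")
    if scheme not in SCHEMES or len(fields) != 3 or not fields[0].isdigit():
        raise ValueError("not a PBKDF2 value in the README's message format")
    iterations = int(fields[0])
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return scheme, iterations, ab64_decode(fields[1]), ab64_decode(fields[2])

def make(scheme, password, salt, iterations):
    """Derive the key and render it in the message format."""
    digest, dklen = SCHEMES[scheme]
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, dklen)
    return "%s%d$%s$%s" % (scheme, iterations, ab64_encode(salt), ab64_encode(dk))

def verify(password, stored):
    """Recompute the DK from the stored parameters; compare in constant time."""
    scheme, iterations, salt, dk = parse(stored)
    digest, dklen = SCHEMES[scheme]
    if len(dk) != dklen:
        return False
    candidate = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, dklen)
    return hmac.compare_digest(candidate, dk)

if __name__ == "__main__":
    sample = "{PBKDF2}60000$Y6ZHtTTbeUgpIbIW0QDmDA$j/aU7jFKUSbH4UobNQDm9OEIwuw"
    scheme, iterations, salt, dk = parse(sample)  # value from the README
    print(scheme, iterations, len(salt), len(dk))
```
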
# References

* [RFC 2898 Password-Based Cryptography][^1]
[^1]: http://tools.ietf.org/html/rfc2898

* [PKCS #5 PBKDF2 Test Vectors][^2]
[^2]: http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-06

* [RFC 2307 Using LDAP as a Network Information Service][^3]
[^3]: http://tools.ietf.org/html/rfc2307

* [Python Passlib][^4]
[^4]: http://pythonhosted.org/passlib/

* [Adapted Base64 Encoding][^5]
[^5]: http://pythonhosted.org/passlib/lib/passlib.utils.html#passlib.utils.ab64_encode

# License
This work is part of OpenLDAP Software <http://www.openldap.org/>.

Copyright 2009-2024 The OpenLDAP Foundation.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

# ACKNOWLEDGEMENT
This work was initially developed by HAMANO Tsukasa <hamano (a] osstech.co.jp>