[Pkg-openldap-devel] Bug#746727: Bug#746727: slapd: Please include slapd-sha2 contrib module
Ryan Tandy
ryan at nardis.ca
Mon May 5 02:16:57 UTC 2014
severity 746727 wishlist
tags 746727 - upstream + confirmed pending
thanks
Hi Michael,
On 02/05/14 02:19 PM, Michael Przybylski wrote:
> I ran into a particularly vexing problem with OpenLDAP:
> I populated a user record with a SSHA-512 user password via Apache Directory
> Studio and could verify that the password was correct, but I always got an
> "invalid credentials" error when trying to bind with that dn and password.
>
> As a workaround, I changed the userPassword format to SSHA, and was able to
> bind successfully.
>
> Could you please build and include this module with the slapd package?
> https://github.com/gcp/openldap/tree/master/contrib/slapd-modules/passwd/sha2
Thanks for this suggestion. It was straightforward to add building and
installing this module to the package, and it seems to work properly,
f.ex. with olcPasswordHash set to a SHA2 hash. I've committed it to the
Git repository.
The implementation is Aaron Gifford's sha2.c, released under a BSD
license that is very similar to the OpenLDAP license. I think it should
be OK to use.
slappasswd(8) doesn't load additional modules by default, so to test
generating such a password by hand (f.ex. to use as olcRootPW) I had to
tell it to load the module:
/usr/sbin/slappasswd -o module-load=pw-sha2 -h '{SSHA512}'
I wanted to check the behaviour when dealing with a malformed hash, so I
generated a hash with slappasswd(8) and copied it into olcRootPW, but
truncated it a couple of characters before the end. Then slapd(8)
crashed in SHA512_Transform (in sha2.c) when I tried to authenticate!
I performed the same exercise with a built-in hash (SSHA) and got
"Invalid credentials" instead of a crash. Obviously passwords set using
ldappasswd(1) wouldn't have that problem, but it makes me wonder whether
it contains other bugs. (Yes, I'll try to find time to fix this one soon.)
> Furthermore, would you please consider loading it by default when debconf
> builds a new slapd.d?
I personally think the default configuration should load only the
strictly needed modules, and wait for the administrator to add more. I'm
especially not enthusiastic about depending on code from contrib/ in the
default setup, because it doesn't receive as much attention from the
OpenLDAP maintainers as the core code does; see for example the crasher
I already found. So for those reasons I have not made that change. Maybe
another committer has a different opinion.
thanks,
Ryan
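Added example, not part of this report or of the slapd-sha2 module: a {SSHA512} verifier written so that a truncated or otherwise malformed stored value is rejected (the "Invalid credentials" outcome the built-in SSHA scheme gives) instead of being read past the end of the decoded buffer. It assumes the {SSHA512} layout base64(sha512(password + salt) + salt) with a 64-byte digest; the function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA512} value: base64(sha512(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_ssha512(stored: str, password: str) -> bool:
    """Return True only for a well-formed value whose digest matches."""
    if not stored.startswith(SCHEME):
        return False
    try:
        # validate=True rejects stray characters; a value cut a couple of
        # characters short also fails here with an incorrect-padding error.
        blob = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    # A value shorter than one full digest cannot be valid. Checking the
    # length before slicing is what keeps a truncated hash from turning
    # into an out-of-bounds read in the comparison below.
    if len(blob) < DIGEST_LEN:
        return False
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

With a fixed salt the same value is produced every time, so the truncated-hash case from the report can be reproduced deterministically by slicing characters off the end of the string.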
-------------- next part --------------
A non-text attachment was scrubbed...
Name: build-and-install-pwsha2.patch
Type: text/x-patch
Size: 3802 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20140504/22402c6b/attachment.bin>