Bug#955977: openldap: No manual page for module 'pw-argon2'

Peter Marschall peter at adpm.de
Sun Apr 5 18:15:13 BST 2020


Source: openldap
Version: 2.4.49+dfsg-3
Severity: normal
Tags: patch upstream

Hi,

the pw-argon2 password module, which was backported from upstream master,
lacks a manual page.

Please find attached patches to upstream to fix the issue not only for Debian
but for all OpenLDAP users.
(@Ryan: thanks for implementing some of the changes I proposed to upstream's ITS)

Thanks for working on OpenLDAP upstream and maintaining it in Debian
Peter

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
>From b32a42144df54e6872113fcf5ccb561ecad47878 Mon Sep 17 00:00:00 2001
From: Peter Marschall <peter at adpm.de>
Date: Sun, 5 Apr 2020 14:20:57 +0200
Subject: [PATCH 1/2] contrib/passwd/argon2: add manual page

Add manual page slapd-pw-argon2.5 and make sure it gets installed.

Signed-off-by: Peter Marschall <peter at adpm.de>
---
 contrib/slapd-modules/passwd/argon2/Makefile  | 14 ++-
 .../passwd/argon2/slapd-pw-argon2.5           | 97 +++++++++++++++++++
 2 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5

diff --git a/contrib/slapd-modules/passwd/argon2/Makefile b/contrib/slapd-modules/passwd/argon2/Makefile
index b35d7a36f..093bd8fb0 100644
--- a/contrib/slapd-modules/passwd/argon2/Makefile
+++ b/contrib/slapd-modules/passwd/argon2/Makefile
@@ -7,6 +7,7 @@ LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
 	$(LDAP_BUILD)/libraries/liblber/liblber.la
 
 LIBTOOL = $(LDAP_BUILD)/libtool
+INSTALL = /usr/bin/install
 CC = gcc
 OPT = -g -O2 -Wall
 #DEFS = -DSLAPD_ARGON2_DEBUG
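Review bot: `INSTALL = /usr/bin/install` hard-codes an absolute path, whereas `CC = gcc` on the next line is resolved through PATH. On a system where install lives elsewhere, the new install-man rule fails. Suggest `INSTALL = install`, which still lets a packager override it on the make command line.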
@@ -27,6 +28,7 @@ $(error Unsupported implementation $(implementation))
 endif
 
 PROGRAMS = pw-argon2.la
+MANPAGES = slapd-pw-argon2.5
 LTVER = 0:0:0
 
 #prefix=/usr/local
@@ -38,6 +40,8 @@ ldap_subdir=/openldap
 libdir=$(exec_prefix)/lib
 libexecdir=$(exec_prefix)/libexec
 moduledir = $(libexecdir)$(ldap_subdir)
+mandir = $(exec_prefix)/share/man
+man5dir = $(mandir)/man5
 
 .SUFFIXES: .c .o .lo
 
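Review bot: `mandir = $(exec_prefix)/share/man` roots the manual page under exec_prefix, which the neighbouring libdir and libexecdir lines use for architecture-dependent files. Manual pages are architecture-independent, so deriving the directory from prefix (the `#prefix=/usr/local` comment above suggests this Makefile has one), e.g. `mandir = $(prefix)/share/man`, keeps the page in the expected place when the two differ.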
@@ -53,8 +57,16 @@ pw-argon2.la: pw-argon2.lo
 clean:
 	rm -rf *.o *.lo *.la .libs
 
-install:	$(PROGRAMS)
+install: install-lib install-man FORCE
+
+install-lib: $(PROGRAMS)
 	mkdir -p $(DESTDIR)$(moduledir)
 	for p in $(PROGRAMS) ; do \
 		$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
 	done
+
+install-man: $(MANPAGES)
+	mkdir -p  $(DESTDIR)$(man5dir)
+	$(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
+
+FORCE:
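Review bot: install-man copies slapd-pw-argon2.5 verbatim with `$(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)`, but the page added in this same patch still contains the placeholders RELEASEDATE, LDVERSION and ETCDIR, and nothing in this rule substitutes them, so the installed page would show those literal strings. Suggest substituting them before installation, or using literal values in the page. Two smaller points: a `.PHONY: install install-lib install-man` line would be the usual way to mark these targets and would cover the two sub-targets, which the empty `FORCE:` prerequisite on install does not; and `mkdir -p  $(DESTDIR)$(man5dir)` has a doubled space.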
diff --git a/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 b/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5
new file mode 100644
index 000000000..a8b6a8022
--- /dev/null
+++ b/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5
@@ -0,0 +1,97 @@
+.TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2020 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapd-pw-argon2 \- Argon2 password module to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.RS
+.LP
+.B moduleload
+.B pw-argon2
+.RE
+.SH DESCRIPTION
+.LP
+The
+.B pw-argon2
+module to
+.BR slapd (8)
+provides support for the use of the key derivation function Argon2,
+that was selected as the winner of the Password Hashing Competition in July 2015,
+in hashed passwords in OpenLDAP.
+.LP
+It does so by providing the additional password scheme 
+.B {ARGON2}
+for use in slapd.
+
+.SH CONFIGURATION
+The
+.B pw-argon2
+module does not need any configuration.
+.LP
+After loading the module, the password scheme
+.B {ARGON2}
+will be recognised in values of the
+.I userPassword
+attribute.
+.LP
+You can then instruct OpenLDAP to use this scheme when processing
+the LDAPv3 Password Modify (RFC 3062) extended operations by using the
+.BR password-hash
+option in
+.BR slapd.conf (5):
+.RS
+.LP
+.BR password-hash	{ARGON2}
+.RE
+.LP
+
+.SS NOTES
+If you want to use the scheme described here with
+.BR slappasswd (8),
+remember to load the module using its command line options.
+The relevant option/value is:
+.RS
+.LP
+.B \-o
+.BR module\-load = pw-argon2
+.LP
+.RE
+Depending on
+.BR pw-argon2 's
+location, you may also need:
+.RS
+.LP
+.B \-o
+.BR module\-path = \fIpathspec\fP
+.RE
+
+.SH EXAMPLES
+Both userPassword LDAP attributes below encode the password
+.RI ' secret '
+using different salts:
+.EX
+.LP
+userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng
+.LP
+userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw
+.EE
+
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR ldappasswd (1),
+.BR slappasswd (8),
+.BR ldap (3),
+.LP
+"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
+.LP
+
+.SH ACKNOWLEDGEMENTS
+This manual page has been written by Peter Marschall based on the
+module's README file written by Simon Levermann <simon at levermann.de>
+.LP
+.B OpenLDAP
+is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
+.B OpenLDAP
+is derived from University of Michigan LDAP 3.3 Release.
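Review bot: the CONFIGURATION section tells administrators to set `password-hash {ARGON2}`, but the page never states which Argon2 variant and cost parameters the module applies to newly generated hashes. The only hint is the EXAMPLES values `$argon2i$v=19$m=4096,t=3,p=1`. A sentence stating the parameters used for new hashes, and whether they can be tuned, would let an administrator judge how strong the stored hashes are. On the markup: the `.LP` requests inside `.EX`/`.EE` and the blank lines before each `.SH` are unnecessary, `.BR password-hash	{ARGON2}` contains a literal tab, the line "It does so by providing the additional password scheme " has trailing whitespace, and the last SEE ALSO entry `.BR ldap (3),` ends in a dangling comma.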
-- 
2.25.1

-------------- next part --------------
>From 8e4b1e07d6de8a6f743c7b322950a9d484b945da Mon Sep 17 00:00:00 2001
From: Peter Marschall <peter at adpm.de>
Date: Sun, 5 Apr 2020 16:31:25 +0200
Subject: [PATCH 2/2] contrib/passwd/argon2: update README to changed module
 name

Change all occurrences of 'slapd-argon2' to 'slapd-pw-argon2'

Signed-off-by: Peter Marschall <peter at adpm.de>
---
 contrib/slapd-modules/passwd/argon2/README | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/contrib/slapd-modules/passwd/argon2/README b/contrib/slapd-modules/passwd/argon2/README
index 656df8f72..c7aa3652f 100644
--- a/contrib/slapd-modules/passwd/argon2/README
+++ b/contrib/slapd-modules/passwd/argon2/README
@@ -1,7 +1,7 @@
 Argon2 OpenLDAP support
 ----------------------
 
-slapd-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For
+slapd-pw-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For
 instance, one could have the LDAP attribute:
 
 userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng
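Review bot: the new name `slapd-pw-argon2.c` on the changed line does not match what the Makefile in patch 1/2 builds, namely `PROGRAMS = pw-argon2.la` from `pw-argon2.lo`, which implies a source file named pw-argon2.c. If that is the file name, the README should use it rather than carry the slapd- prefix forward.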
@@ -22,13 +22,13 @@ For initial testing you might also want to edit DEFS to define
 SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on
 in production, as it prints passwords in cleartext).
 
-2) Run 'make' to produce slapd-argon2.so
+2) Run 'make' to produce slapd-pw-argon2.so
 
-3) Copy slapd-argon2.so somewhere permanent.
+3) Copy slapd-pw-argon2.so somewhere permanent.
 
 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add:
 
-moduleload ...path/to/slapd-argon2.so
+moduleload ...path/to/slapd-pw-argon2.so
 
 5) Restart slapd.
 
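Review bot: steps 2 to 4 now refer to `slapd-pw-argon2.so`, but the manual page added in patch 1/2 loads the module as `moduleload pw-argon2`, and the Makefile's install-lib rule installs pw-argon2.la into $(moduledir). Suggest aligning the steps with that: mention `make install` in place of the manual copy in step 3, and show `moduleload pw-argon2` in step 4 so the README and the manual page give the same instruction.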
-- 
2.25.1


