ITS Contrib/7278 (full headers)
Notes: added in master, added in RE24
Date: Thu, 24 May 2012 01:32:33 +0000
From: fumiyas@osstech.co.jp
To: openldap-its@OpenLDAP.org
Subject: [PATCH] SHA-2: Add support salted SHA-2 password hashes
Full_Name: SATOH Fumiyasu
Version: master
OS:
URL: ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-salted-hash.patch
Submission from: (NULL) (220.100.28.128)

This patch adds support for the {SSHA256}, {SSHA384} and {SSHA512} hash schemes to the slapd-sha2 module.

This patch depends on ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-multithread.patch (http://www.openldap.org/its/index.cgi?findid=7269).
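The value layout behind these schemes, as an added illustration that is not the patch's code: a {SSHAnnn} userPassword value is base64(SHAnnn(password || salt) || salt), next to the unsalted {SHAnnn} forms the module already had. The 8-byte salt used for generation is an assumption; verification treats whatever follows the digest as the salt, so values with other salt lengths still check.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme name -> (hashlib algorithm, salted?). The salted variants append
# the salt to the digest before base64 encoding.
SCHEMES = {
    "SHA256": ("sha256", False),
    "SHA384": ("sha384", False),
    "SHA512": ("sha512", False),
    "SSHA256": ("sha256", True),
    "SSHA384": ("sha384", True),
    "SSHA512": ("sha512", True),
}

# Assumed salt length for newly generated values; verification does not
# depend on it.
SALT_LEN = 8


def make_hash(password: str, scheme: str = "SSHA256",
              salt: Optional[bytes] = None) -> str:
    """Return a '{SCHEME}base64' userPassword value for the given password."""
    algo, salted = SCHEMES[scheme]          # KeyError for an unknown scheme
    if salted:
        if salt is None:
            salt = os.urandom(SALT_LEN)     # fresh random salt per value
    else:
        salt = b""                          # unsalted schemes carry no salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_hash(value: str) -> Tuple[str, bytes, bytes]:
    """Split '{SCHEME}base64' into (scheme, digest, salt); raise ValueError if malformed."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a scheme-prefixed value")
    scheme, _, b64 = value[1:].partition("}")
    scheme = scheme.upper()                 # scheme names match case-insensitively
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    dlen = hashlib.new(algo).digest_size
    # Everything after the digest is the salt; unsalted values must be exactly one digest.
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        raise ValueError("decoded length does not match %s" % scheme)
    return scheme, raw[:dlen], raw[dlen:]


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SHAnnn}/{SSHAnnn} value."""
    try:
        scheme, digest, salt = parse_hash(stored)
    except ValueError:
        return False                        # malformed value never verifies
    algo, _ = SCHEMES[scheme]
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)   # constant-time comparison
```

The {SHA256} value for "secret" produced here matches the one quoted in the slapd-sha2 module's README.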
Date: Thu, 24 May 2012 20:01:38 +0200
From: Michael Ströder <michael@stroeder.com>
To: fumiyas@osstech.co.jp
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
fumiyas@osstech.co.jp wrote:
> Full_Name: SATOH Fumiyasu
> Version: master
> OS:
> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-salted-hash.patch
> Submission from: (NULL) (220.100.28.128)
>
>
> This patch adds support {SSHA256}, {SSHA384} and {SSHA512} hash schemes
> to slapd-sha2 module.
>
> This patch depends on
> ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-multithread.patch
> (http://www.openldap.org/its/index.cgi?findid=7269).

I've not tested the patch yet. But I'd appreciate it if SHA-2 support would be available in the main source and not only under contrib/.

Any objections against extending libraries/liblutil/passwd.c?

Ciao, Michael.
Date: Tue, 29 May 2012 14:49:18 +0900
From: SATOH Fumiyasu <fumiyas@osstech.co.jp>
To: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
At Thu, 24 May 2012 01:32:33 GMT, fumiyas@OSSTech wrote:
> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-salted-hash.patch

In patched slapd-sha2.c, "#define SLAPD_SHA2_DEBUG" must be removed. Sorry.

> This patch adds support {SSHA256}, {SSHA384} and {SSHA512} hash schemes
> to slapd-sha2 module.
>
> This patch depends on
> ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-multithread.patch
> (http://www.openldap.org/its/index.cgi?findid=7269).

--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
Date: Tue, 29 May 2012 17:12:01 +0900
From: SATOH Fumiyasu <fumiyas@osstech.co.jp>
To: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
At Tue, 29 May 2012 05:49:52 GMT, fumiyas@OSSTech wrote:
>> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-salted-hash.patch
>
> In patched slapd-sha2.c, "#define SLAPD_SHA2_DEBUG" must be removed.
> Sorry.

FYI.

[PATCH] slappasswd: Read slapd.conf to load dynamic password hash modules
https://gist.github.com/2632560

It is a problem that a slappasswd user must have read privilege on slapd.conf (or slapd.d) by this patch...

>> This patch adds support {SSHA256}, {SSHA384} and {SSHA512} hash schemes
>> to slapd-sha2 module.
>>
>> This patch depends on
>> ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-multithread.patch
>> (http://www.openldap.org/its/index.cgi?findid=7269).

--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
Date: Tue, 29 May 2012 09:07:32 -0700
From: Howard Chu <hyc@symas.com>
To: fumiyas@osstech.co.jp
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
fumiyas@osstech.co.jp wrote:
> At Tue, 29 May 2012 05:49:52 GMT,
> fumiyas@OSSTech wrote:
>>> URL: ftp://ftp.openldap.org/incoming/openldap-2.4.31-sha2-salted-hash.patch
>>
>> In patched slapd-sha2.c, "#define SLAPD_SHA2_DEBUG" must be removed.
>> Sorry.
>
> FYI.
>
> [PATCH] slappasswd: Read slapd.conf to load dynamic password hash modules
> https://gist.github.com/2632560
>
> It is a problem that a slappasswd user must have read privilage
> on slapd.conf (or slapd.d) by this patch...

slappasswd is an administrative command; if you don't have administrator access already you have no business running it.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Date: Tue, 29 May 2012 09:16:58 -0700
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: hyc@symas.com, openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
--On Tuesday, May 29, 2012 4:08 PM +0000 hyc@symas.com wrote:
>> It is a problem that a slappasswd user must have read privilage
>> on slapd.conf (or slapd.d) by this patch...
>
> slappasswd is an administrative command; if you don't have administrator
> access already you have no business running it.

What in any way makes it administrative? You simply give it a password to convert into whatever scheme for you. Where is the administrative requirement? Why shouldn't X user with some particular permissions into the database, but not the configuration, be able to run it to generate a value?

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Date: Tue, 29 May 2012 18:46:38 +0200
From: Michael Ströder <michael@stroeder.com>
To: quanah@zimbra.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
quanah@zimbra.com wrote:
> --On Tuesday, May 29, 2012 4:08 PM +0000 hyc@symas.com wrote:
>
>>> It is a problem that a slappasswd user must have read privilage
>>> on slapd.conf (or slapd.d) by this patch...
>>
>> slappasswd is an administrative command; if you don't have administrator
>> access already you have no business running it.
>
> What in any way makes it administrative? You simply give it a password to
> convert into whatever scheme for you. Where is the administrative
> requirement? Why shouldn't X user with some particular permissions into
> the database, but not the configuration, be able to run it to generate a
> value?

I concur with Quanah: I know many operational procedures where slappasswd is just used to generate pre-hashed userPassword values. This usage is supported by DESCRIPTION in slappasswd(8).

I also don't see a requirement for administrative access to slapd's config at all.

Doesn't this ask for fully integrating SHA-2 password support into libraries/liblutil/passwd.c?

Ciao, Michael.
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Tue, 29 May 2012 10:25:50 -0700
Cc: openldap-its@OpenLDAP.org
To: quanah@zimbra.com
I'd argue that slappassword shouldn't read the configuration and hence not support 'contributed' hash mechanisms.

But if you are going to make slappassword read the configuration, then it needs to be restricted to only users who have read access to the configuration.

I have no real opinion about whether SHA-2 should or shouldn't be in the core set of hashes... but personally I rather push folks towards SCRAM compatible hashes than the same poor usages of newer hash algorithms.

-- Kurt
Date: Tue, 29 May 2012 19:38:28 +0200
From: Michael Ströder <michael@stroeder.com>
To: Kurt@OpenLDAP.org
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
Kurt@OpenLDAP.org wrote:
> I'd argue that slappassword shouldn't read the configuration and hence not
> support 'contributed' hash mechanisms.

Which means if SHA-2 stays in a separate overlay contrib/ there won't be practically usable SHA-2 support in OpenLDAP. I consider it falling behind other LDAP server implementations.

> But if you are going to make slappassword read the configuration, then it
> needs to be restricted to only users who have read access to the
> configuration.

Yes.

> I have no real opinion about whether SHA-2 should or shouldn't be in the
> core set of hashes... but personally I rather push folks towards SCRAM
> compatible hashes than the same poor usages of newer hash algorithms.

I concur that SCRAM would be the best choice. But IMO adding SHA-2 support to the core does not hold anybody back from developing/deploying SCRAM. In reality getting completely rid of simple bind in favour of SASL bind no matter which SASL mech is nothing done so easily with all the applications out in the wild.

And last time I checked SCRAM support in cyrus-sasl required clear-text password in userPassword. So this is outside the OpenLDAP project, isn't it?

Ciao, Michael.
Date: Tue, 29 May 2012 10:39:13 -0700
From: Howard Chu <hyc@symas.com>
To: michael@stroeder.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
michael@stroeder.com wrote:
> Doesn't this ask for fully integrating SHA-2 password support into
> libraries/liblutil/passwd.c?

Clearly you haven't thought this through. No, because that doesn't solve the problem of how to use other contrib passwd modules.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Date: Tue, 29 May 2012 10:43:04 -0700
From: Howard Chu <hyc@symas.com>
To: Quanah Gibson-Mount <quanah@zimbra.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
Quanah Gibson-Mount wrote:
> --On Tuesday, May 29, 2012 4:08 PM +0000 hyc@symas.com wrote:
>
>>> It is a problem that a slappasswd user must have read privilage
>>> on slapd.conf (or slapd.d) by this patch...
>>
>> slappasswd is an administrative command; if you don't have administrator
>> access already you have no business running it.
>
> What in any way makes it administrative? You simply give it a password to
> convert into whatever scheme for you. Where is the administrative
> requirement? Why shouldn't X user with some particular permissions into
> the database, but not the configuration, be able to run it to generate a
> value?

slap*(8) are all administrative tools, by definition. You should already know that.

Why should X user ever need to run this tool to generate a value? slapd generates users' password values automatically. The only time anyone ever *needs* this tool is for setting a rootpw in the slapd config. That's the only reason this tool exists and it is the only valid use case.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Date: Tue, 29 May 2012 19:45:19 +0200
From: Michael Ströder <michael@stroeder.com>
To: Howard Chu <hyc@symas.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
Howard Chu wrote:
> michael@stroeder.com wrote:
>> Doesn't this ask for fully integrating SHA-2 password support into
>> libraries/liblutil/passwd.c?
>
> Clearly you haven't thought this through.

Maybe. But one question: Why is SHA-1 in the core and SHA-2 isn't? IMO that's just an arbitrary choice.

> No, because that doesn't solve the problem of how to use other contrib passwd
> modules.

If you come up with another overall solution to avoid reading the config when using slappasswd I'm of course fine with that too.

Ciao, Michael.
Date: Tue, 29 May 2012 19:49:15 +0200
From: Michael Ströder <michael@stroeder.com>
To: hyc@symas.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
hyc@symas.com wrote:
> Why should X user ever need to run this tool to generate a value?

From slappasswd(8):

DESCRIPTION
Slappasswd is used to generate an userPassword value suitable for use with ldapmodify(1), slapd.conf(5) rootpw configuration directive or the slapd-config(5) olcRootPW configuration directive.

Do you want to restrict this text regarding ldapmodify(1) only for the cases that the slappasswd user has also write access to back-config?

Of course you are the OpenLDAP boss. You can change everything to make it work for you. But it breaks existing operational procedures for other people.

Ciao, Michael.
Date: Tue, 29 May 2012 11:01:49 -0700
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
--On Tuesday, May 29, 2012 5:49 PM +0000 michael@stroeder.com wrote:
> hyc@symas.com wrote:
>> Why should X user ever need to run this tool to generate a value?
>
> From slappasswd(8):
>
> DESCRIPTION
> Slappasswd is used to generate an userPassword value suitable
> for use with ldapmodify(1), slapd.conf(5) rootpw configuration
> directive or the slapd-config(5) olcRootPW configuration directive.
>
> Do you want to restrict this text regarding ldapmodify(1) only for the
> cases that the slappasswd user has also write access to back-config?

The tool has allowed the ability to generate password values for years. It is not uncommon to use it to do just that. I've often used it to generate base-64 encoded SSHA values to push into LDIF I will be writing to the server via ldapmodify. That should not require access to cn=config/slapd.conf.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Date: Tue, 29 May 2012 11:04:23 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
Michael Ströder wrote:
> hyc@symas.com wrote:
>> Why should X user ever need to run this tool to generate a value?
>
> From slappasswd(8):
>
> DESCRIPTION
> Slappasswd is used to generate an userPassword value suitable
> for use with ldapmodify(1), slapd.conf(5) rootpw configuration
> directive or the slapd-config(5) olcRootPW configuration directive.
>
> Do you want to restrict this text regarding ldapmodify(1) only for the cases
> that the slappasswd user has also write access to back-config?

We could probably delete that ldapmodify(1) reference. Technically it has always been wrong, since there's never been any guarantee that an LDAP user's password was ever stored in any user-accessible attribute.

> Of course your are the OpenLDAP boss. You can change everything to make it
> work for you. But it breaks existing operational procedures for other people.

The text also states
The practice of storing hashed passwords in userPassword violates Standard Track (RFC 4519) schema specifications and may hinder interoperability.

Anyone building operational procedures on something that violates the specs was asking for trouble. Users should be using ldappasswd, that's what it's for.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Date: Tue, 29 May 2012 20:11:21 +0200
From: Michael Ströder <michael@stroeder.com>
To: Howard Chu <hyc@symas.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
Howard Chu wrote:
> The text also states
> The practice of storing hashed passwords in userPassword violates
> Standard Track (RFC 4519) schema specifications and may hinder
> interoperability.

In practice we all live very well with this for years. That's least of a problem today.

> Anyone building operational procedures on something that violates the specs
> was asking for trouble. Users should be using ldappasswd, that's what it's for.

???

ldappasswd writes a hashed password to - tataa - attribute 'userPassword'. I cannot see how this is different from using ldapadd/ldapmodify.

So what are you really trying to say?

Ciao, Michael.
Date: Tue, 29 May 2012 11:43:09 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
Michael Ströder wrote:
> Howard Chu wrote:
>> The text also states
>> The practice of storing hashed passwords in userPassword violates
>> Standard Track (RFC 4519) schema specifications and may hinder
>> interoperability.
>
> In practice we all live very well with this for years. That's least of a
> problem today.
>
>> Anyone building operational procedures on something that violates the specs
>> was asking for trouble. Users should be using ldappasswd, that's what it's for.
>
> ???
>
> ldappasswd writes a hashed password to - tataa - attribute 'userPassword'.
> I cannot see how this is different from using ldapadd/ldapmodify.

Wrong, ldappasswd sends a PasswordModify exop to a server. The server may implement that exop in any implementation-specific manner, and there is no guarantee that the password a server uses is ever instantiated in any LDAP entry. There is no guarantee that setting a userPassword attribute using ldapadd/ldapmodify will ever do anything useful for any given LDAP user.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Date: Tue, 29 May 2012 22:38:17 +0200
From: Michael Ströder <michael@stroeder.com>
To: hyc@symas.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
hyc@symas.com wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> The text also states
>>> The practice of storing hashed passwords in userPassword violates
>>> Standard Track (RFC 4519) schema specifications and may hinder
>>> interoperability.
>>
>> In practice we all live very well with this for years. That's least of a
>> problem today.
>>
>>> Anyone building operational procedures on something that violates the specs
>>> was asking for trouble. Users should be using ldappasswd, that's what it's for.
>>
>> ???
>>
>> ldappasswd writes a hashed password to - tataa - attribute 'userPassword'.
>> I cannot see how this is different from using ldapadd/ldapmodify.
>
> Wrong, ldappasswd sends a PasswordModify exop to a server. The server may
> implement that exop in any implementation-specific manner, and there is no
> guarantee that the password a server uses is ever instantiated in any LDAP
> entry. There is no guarantee that setting a userPassword attribute using
> ldapadd/ldapmodify will ever do anything useful for any given LDAP user.

You're arguing based on what a LDAP server could do. I'm arguing based on what OpenLDAP and other server implementations are doing for years.

None of what you said in this thread is a real argument against adding SHA-2 hash algos to the core. Still you did not answer why SHA-1 is in and SHA-2 is out.

Well, you're the OpenLDAP god. So you can arbitrarily decide whatever you want. (But you shouldn't wonder why there's no active OpenLDAP community.)

Ciao, Michael.
Date: Tue, 29 May 2012 13:56:27 -0700
From: Howard Chu <hyc@symas.com>
To: Michael Ströder <michael@stroeder.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
Michael Ströder wrote:
> hyc@symas.com wrote:
>> Michael Ströder wrote:
>>> Howard Chu wrote:
>>>> The text also states
>>>> The practice of storing hashed passwords in userPassword violates
>>>> Standard Track (RFC 4519) schema specifications and may hinder
>>>> interoperability.
>>>
>>> In practice we all live very well with this for years. That's least of a
>>> problem today.
>>>
>>>> Anyone building operational procedures on something that violates the specs
>>>> was asking for trouble. Users should be using ldappasswd, that's what it's for.
>>>
>>> ???
>>>
>>> ldappasswd writes a hashed password to - tataa - attribute 'userPassword'.
>>> I cannot see how this is different from using ldapadd/ldapmodify.
>>
>> Wrong, ldappasswd sends a PasswordModify exop to a server. The server may
>> implement that exop in any implementation-specific manner, and there is no
>> guarantee that the password a server uses is ever instantiated in any LDAP
>> entry. There is no guarantee that setting a userPassword attribute using
>> ldapadd/ldapmodify will ever do anything useful for any given LDAP user.
>
> You're arguing based on what a LDAP server could do. I'm arguing based on what
> OpenLDAP and other server implementations are doing for years.

ActiveDirectory is an obvious example invalidating your argument.

> None of what you said in this thread is a real argument against adding SHA-2
> hash algos to the core. Still you did not answer why SHA-1 is in and SHA-2 is out.

At present there is no need to change anything in the core since SHA-2 support can be dynamically loaded. Don't fix what isn't broken.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Date: Tue, 29 May 2012 14:02:11 -0700
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: michael@stroeder.com, openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

--On Tuesday, May 29, 2012 8:38 PM +0000 michael@stroeder.com wrote:

> Well, you're the OpenLDAP god. So you can arbitrarily decide whatever you
> want. (But you shouldn't wonder why there's no active OpenLDAP community.)

Comments like this weaken any point you are trying to make, serve no purpose,
and are obnoxious. Your emails would be better served without them.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Date: Tue, 29 May 2012 23:15:47 +0200
From: Michael Ströder <michael@stroeder.com>
To: Howard Chu <hyc@symas.com>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

Howard Chu wrote:
> Michael Ströder wrote:
>> hyc@symas.com wrote:
>>> Michael Ströder wrote:
>>>> Howard Chu wrote:
>>>>> The text also states
>>>>> The practice of storing hashed passwords in userPassword violates
>>>>> Standard Track (RFC 4519) schema specifications and may hinder
>>>>> interoperability.
>>>>
>>>> In practice we all live very well with this for years. That's the least of a
>>>> problem today.
>>>>
>>>>> Anyone building operational procedures on something that violates the specs
>>>>> was asking for trouble. Users should be using ldappasswd, that's what
>>>>> it's for.
>>>>
>>>> ???
>>>>
>>>> ldappasswd writes a hashed password to - tataa - attribute 'userPassword'.
>>>> I cannot see how this is different from using ldapadd/ldapmodify.
>>>
>>> Wrong, ldappasswd sends a PasswordModify exop to a server. The server may
>>> implement that exop in any implementation-specific manner, and there is no
>>> guarantee that the password a server uses is ever instantiated in any LDAP
>>> entry. There is no guarantee that setting a userPassword attribute using
>>> ldapadd/ldapmodify will ever do anything useful for any given LDAP user.
>>
>> You're arguing based on what an LDAP server could do. I'm arguing based on what
>> OpenLDAP and other server implementations have been doing for years.
>
> ActiveDirectory is an obvious example invalidating your argument.

Does MS AD support RFC 3062? AFAIK W2K3 doesn't. I don't currently have the
possibility to check with the most recent W2K8R2 though.

Anyway that's not relevant here either. We're talking about how OpenLDAP has
stored and checked passwords for over a decade.

Violating Standard Track (RFC 4519) schema specifications could be avoided by
implementing RFC 3112. But this also never happened.

> Don't fix what isn't broken.

With this argument you can immediately stop any progress. Maybe also a valuable
statement by the OpenLDAP chief architect.

Ciao, Michael.
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Wed, 30 May 2012 06:45:26 -0700
Cc: openldap-its@OpenLDAP.org
To: michael@stroeder.com

On May 29, 2012, at 1:38 PM, michael@stroeder.com wrote:

> Still you did not answer why SHA-1 is in and SHA-2 is out.

Well, the general rule is simply that all new hash schemes should go in contrib
first. What you ask is for an exception to this general rule for SHA-2. I don't
see the arguments for the exception being all that strong.

Arguing it should be "in" because SHA-1 is "in" is a really poor argument.
SHA-1 is "in" because it was grandfathered in. SHA-2, like any new hash scheme,
is "out" because of the current practice to put new schemes in contrib. It's as
simple as that, I think.

I do note that there are many issues bringing hashes into core. One key one is
that core schemes ought to work with minimal 3rd party libraries, and that means
without OpenSSL. So bringing in these schemes also means, if we hold to this,
bringing a SHA2 implementation into core... and that gets, well, more involved.
And that's one of the reasons we have the core/contrib split.

Anyways, I personally think no exception should be granted; these schemes should
go into contrib like any other new hash scheme would.

I've thought a bit about whether slappasswd should or should not load modules.

I stand against slappasswd reading slapd configuration by default. I would not
object to reading slapd configuration when specifically requested by the user
(by a command line argument).

I generally run slappasswd (for setup purposes) as a user which has no access to
slapd configuration. This is not only for convenience, but for security reasons
(limit programs which can read the configuration, as the configuration contains
sensitive information).

While if I needed some scheme only in contrib I might resort to other means to
generate the hash (such as a little perl), I don't object to slappasswd, when
requested by option, reading the configuration, loading the modules, and
generating the hash. I would only object if slappasswd did this by default, as
that would cause me to have to use other means even for core schemes.

-- Kurt
Date: Thu, 31 May 2012 02:05:33 +0900
From: SATOH Fumiyasu <fumiyas@osstech.co.jp>
To: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

Hi,

I wish the following command-line option for slappasswd to
load dynamically loadable password hash modules:

  $ slappasswd -o module-load=slapd-sha2.la -h '{SSHA512}'
  ...

  $ slappasswd -o module-path=/path/to/lib/openldap \
      -o module-load=slapd-sha2.la -h '{SSHA512}'
  ...

At Wed, 30 May 2012 13:45:48 GMT,
Kurt@OpenLDAP.org wrote:
> While if I needed some scheme only in contrib I might resort to other means
> to generate the hash (such as a little perl), I don't object to slappasswd,
> when requested by option, reading the configuration, loading the modules,
> and generating the hash. I would only object if slappasswd did this by
> default, as that would cause me to have to use other means even for core
> schemes.

I've revised the patch:

  https://gist.github.com/2632560

With this patch:

  $ slappasswd
    Same as the original behavior (do not read any config)

  $ slappasswd -f /path/to/slapd.conf
    Read the specified slapd.conf

  $ slappasswd -f -
    Read the default slapd.conf

--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
From: Kurt Zeilenga <Kurt@OpenLDAP.org>
Date: Wed, 30 May 2012 10:11:00 -0700
Cc: openldap-its@OpenLDAP.org
To: fumiyas@osstech.co.jp

On May 30, 2012, at 10:06 AM, fumiyas@osstech.co.jp wrote:

> I wish the following command-line option for slappasswd to
> load dynamically loadable password hash modules:
>
>   $ slappasswd -o module-load=slapd-sha2.la -h '{SSHA512}'
>   ...
>
>   $ slappasswd -o module-path=/path/to/lib/openldap \
>       -o module-load=slapd-sha2.la -h '{SSHA512}'

This seems a more appropriate approach to me than reading slapd.conf files.
Users who use a particular module frequently can use an alias to reduce the
typing overhead.

-- Kurt
Date: Thu, 31 May 2012 13:32:30 +0900
From: SATOH Fumiyasu <fumiyas@osstech.co.jp>
To: Kurt@OpenLDAP.org
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

At Wed, 30 May 2012 17:11:23 GMT,
Kurt@OpenLDAP.org wrote:
> > I wish the following command-line option for slappasswd to
> > load dynamically loadable password hash modules:
> >
> >   $ slappasswd -o module-load=slapd-sha2.la -h '{SSHA512}'
> >   ...
> >
> >   $ slappasswd -o module-path=/path/to/lib/openldap \
> >       -o module-load=slapd-sha2.la -h '{SSHA512}'
>
> This seems a more appropriate approach to me than reading slapd.conf files.
> Users who use a particular module frequently can use an alias to reduce the
> typing overhead.

I've created a patch.

  http://www.openldap.org/its/index.cgi?findid=7284

--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
Date: Thu, 31 May 2012 08:43:30 +0200
From: Michael Ströder <michael@stroeder.com>
To: fumiyas@osstech.co.jp
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

I'm trying to build this module (make distclean before) from recent RE24 git
0cfc487a70f2de40d9827b67949569653ee0e28a but it fails:

$ make
cc -I../../../../include -Wall -g -c slapd-sha2.c
cc -I../../../../include -Wall -g -c sha2.c
cc -I../../../../include -shared -Wall -g slapd-sha2.o sha2.o -o slapd-sha2.so
/usr/lib64/gcc/x86_64-suse-linux/4.5/../../../../x86_64-suse-linux/bin/ld:
slapd-sha2.o: relocation R_X86_64_32 against `.text' can not be used when
making a shared object; recompile with -fPIC
slapd-sha2.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [slapd-sha2.so] Error 1

Do I have to tweak the Makefile?

Ciao, Michael.
Date: Thu, 31 May 2012 16:51:44 +0900
From: SATOH Fumiyasu <fumiyas@osstech.co.jp>
To: Michael Ströder <michael@stroeder.com>
Cc: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

At Thu, 31 May 2012 08:43:30 +0200,
Michael Ströder wrote:
> I'm trying to build this module (make distclean before) from recent RE24 git
> 0cfc487a70f2de40d9827b67949569653ee0e28a but it fails:
>
> $ make
> cc -I../../../../include -Wall -g -c slapd-sha2.c
> cc -I../../../../include -Wall -g -c sha2.c
> cc -I../../../../include -shared -Wall -g slapd-sha2.o sha2.o -o slapd-sha2.so
> /usr/lib64/gcc/x86_64-suse-linux/4.5/../../../../x86_64-suse-linux/bin/ld:
> slapd-sha2.o: relocation R_X86_64_32 against `.text' can not be used when
> making a shared object; recompile with -fPIC

See the above message. :-)

> slapd-sha2.o: could not read symbols: Bad value
> collect2: ld returned 1 exit status
> make: *** [slapd-sha2.so] Error 1
>
> Do I have to tweak the Makefile?

Add -fPIC to $CCFLAGS in Makefile if you are using GCC.

--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
Date: Mon, 11 Jun 2012 21:30:18 +0200
From: Michael Ströder <michael@stroeder.com>
To: SATOH Fumiyasu <fumiyas@osstech.co.jp>
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

SATOH Fumiyasu wrote:
> Michael Ströder wrote:
>> Do I have to tweak the Makefile?
>
> Add -fPIC to $CCFLAGS in Makefile if you are using GCC.

I hoped that this would not be necessary and the module work include something
detected via autoconf before.

Anyway it does not work for me. If I set password-hash {SSHA512} such a
userPassword value is added to the entry but the bind does not work.

Also if I generate a salted SHA-2 userPassword with my web2ldap it does not
work. (I did interop-tests web2ldap<->OpenDJ before with salted SHA-2 hashes.)

SHA-2 hashes without salt seem to work.

Ciao, Michael.
Date: Tue, 12 Jun 2012 15:54:03 +0900
From: SATOH Fumiyasu <fumiyas@osstech.jp>
To: Michael Ströder <michael@stroeder.com>
Cc: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

At Mon, 11 Jun 2012 21:30:18 +0200,
Michael Ströder wrote:
> >> Do I have to tweak the Makefile?
> >
> > Add -fPIC to $CCFLAGS in Makefile if you are using GCC.
>
> I hoped that this would not be necessary and the module work include something
> detected via autoconf before.

Can you try the following Makefile?

  https://gist.github.com/2915450

> Anyway it does not work for me. If I set password-hash {SSHA512} such a
> userPassword value is added to the entry but the bind does not work.
>
> Also if I generate a salted SHA-2 userPassword with my web2ldap it does not
> work. (I did interop-tests web2ldap<->OpenDJ before with salted SHA-2 hashes.)
>
> SHA-2 hashes without salt seem to work.

I've confirmed that slapd-sha2 works on Debian GNU/Linux unstable (x86-64),
Solaris 10 (SPARC) and AIX 6.1 (POWER).

Can you try the following command line with the latest master source or the
http://www.openldap.org/its/index.cgi?findid=7284 patch?

  $ slappasswd -o module-load=slapd-sha2 -h '{SSHA512}'

--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
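The thread never spells out what a {SSHA512} value actually contains, which is exactly what matters when a hash produced by one client (slappasswd, web2ldap) fails to verify on another server (slapd-sha2, OpenDJ). The following is an added example, not code from the slapd-sha2 module or from anyone in this thread. It assumes the encoding of OpenLDAP's core {SSHA} scheme, which the salted SHA-2 schemes follow as far as I know: base64(digest(password || salt) || salt), with the raw salt appended to the digest inside one base64 blob, and the scheme name in braces in front. The 8-byte salt length and the function names `make_hash`, `decode` and `check_password` are my own choices.

```python
"""Generate and verify {SHA256}/{SHA384}/{SHA512} and the salted
{SSHA256}/{SSHA384}/{SSHA512} userPassword values discussed in this thread.

Added example; not code from slapd-sha2 or from anyone in the thread. It
assumes the encoding of OpenLDAP's core {SSHA} scheme, which the salted SHA-2
schemes follow as far as I know: base64(digest(password || salt) || salt),
with the raw salt appended to the digest inside the base64 blob.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme label -> (hashlib algorithm name, digest length in bytes, salted?)
SCHEMES = {
    "{SHA256}": ("sha256", 32, False),
    "{SHA384}": ("sha384", 48, False),
    "{SHA512}": ("sha512", 64, False),
    "{SSHA256}": ("sha256", 32, True),
    "{SSHA384}": ("sha384", 48, True),
    "{SSHA512}": ("sha512", 64, True),
}

SALT_LEN = 8  # assumed salt length for generated values; verification accepts any


def make_hash(password: str, scheme: str = "{SSHA512}",
              salt: Optional[bytes] = None) -> str:
    """Return a userPassword value like slappasswd -h '{SSHA512}' would print."""
    algo, _, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if not salted:
        blob = hashlib.new(algo, pw).digest()
    else:
        if salt is None:
            salt = os.urandom(SALT_LEN)
        blob = hashlib.new(algo, pw + salt).digest() + salt
    return scheme + base64.b64encode(blob).decode("ascii")


def decode(stored: str) -> Tuple[str, bytes, bytes]:
    """Split a stored value into (scheme, digest, salt); salt is b'' if unsalted.

    Raises ValueError for an unknown scheme, bad base64, or a blob that cannot
    hold the digest. The salt is simply whatever follows the digest, so salts of
    any length verify, which is what interoperability with values produced by
    another client (web2ldap, OpenDJ) requires.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {scheme} prefix")
    end = stored.index("}") + 1
    scheme = stored[:end].upper()  # scheme names are matched case-insensitively
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme " + scheme)
    _, dlen, salted = SCHEMES[scheme]
    blob = base64.b64decode(stored[end:], validate=True)  # binascii.Error is a ValueError
    if len(blob) < dlen or (not salted and len(blob) != dlen):
        raise ValueError("blob length does not fit the scheme's digest")
    return scheme, blob[:dlen], blob[dlen:]


def check_password(password: str, stored: str) -> bool:
    """Verify a candidate password the way a server checking a simple bind would."""
    try:
        scheme, digest, salt = decode(stored)
    except ValueError:
        return False  # malformed or unsupported value: never a match
    algo = SCHEMES[scheme][0]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    # Constant-time compare so a verifier does not leak how much of the digest matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for scheme in ("{SHA512}", "{SSHA512}"):
        value = make_hash("secret", scheme)
        print(value, check_password("secret", value), check_password("wrong", value))
```

A practical use: feed the value printed by `slappasswd -o module-load=slapd-sha2 -h '{SSHA512}'` and the same cleartext to `check_password`. If it verifies, the module and this encoding agree; if it does not, the module lays out digest and salt differently (or hashes a different byte string), which is the kind of mismatch that surfaces as the failed bind reported earlier in the thread.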
Date: Wed, 13 Jun 2012 09:30:03 +0200
From: Michael Ströder <michael@stroeder.com>
To: fumiyas@osstech.jp
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

fumiyas@osstech.jp wrote:
> At Mon, 11 Jun 2012 21:30:18 +0200,
> Michael Ströder wrote:
>>>> Do I have to tweak the Makefile?
>>>
>>> Add -fPIC to $CCFLAGS in Makefile if you are using GCC.
>>
>> I hoped that this would not be necessary and the module work include something
>> detected via autoconf before.
>
> Can you try the following Makefile?
>
>   https://gist.github.com/2915450

This works much better.

And now the bind after Password Modify ext. op. also works!
???

Could you please submit a patch with your recent Makefile?

Ciao, Michael.
Date: Wed, 13 Jun 2012 09:32:46 +0200
From: Michael Ströder <michael@stroeder.com>
To: fumiyas@osstech.jp
CC: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

Michael Ströder wrote:
> fumiyas@osstech.jp wrote:
>> At Mon, 11 Jun 2012 21:30:18 +0200,
>> Michael Ströder wrote:
>>>>> Do I have to tweak the Makefile?
>>>>
>>>> Add -fPIC to $CCFLAGS in Makefile if you are using GCC.
>>>
>>> I hoped that this would not be necessary and the module work include something
>>> detected via autoconf before.
>>
>> Can you try the following Makefile?
>>
>>   https://gist.github.com/2915450
>
> This works much better.
>
> And now the bind after Password Modify ext. op. also works!
> ???

And now the client-hashed password generated by web2ldap also works. Strange
that it did not before.

Ciao, Michael.
Date: Fri, 15 Jun 2012 12:10:11 +0900
From: SATOH Fumiyasu <fumiyas@osstech.jp>
To: Michael Ströder <michael@stroeder.com>
Cc: openldap-its@openldap.org
Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

At Wed, 13 Jun 2012 09:30:03 +0200,
Michael Ströder wrote:
> >>> Add -fPIC to $CCFLAGS in Makefile if you are using GCC.
> >>
> >> I hoped that this would not be necessary and the module work include something
> >> detected via autoconf before.
> >
> > Can you try the following Makefile?
> >
> >   https://gist.github.com/2915450
>
> Could you please submit a patch with your recent Makefile?

I've filed a patch to ITS:

  http://www.openldap.org/its/index.cgi?findid=7309

and another one:

  http://www.openldap.org/its/index.cgi?findid=7308

--
-- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
-- Business Home: http://www.OSSTech.co.jp/
-- GitHub Home: https://GitHub.com/fumiyas/
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org