OpenLDAP
Viewing Incoming/8023
From: freebsd@jonathanprice.org
Subject: slappasswd with sha2 overlay can generate hashes but not salted hashes

Date: Tue, 13 Jan 2015 18:52:34 +0000
From: freebsd@jonathanprice.org
To: openldap-its@OpenLDAP.org
Subject: slappasswd with sha2 overlay can generate hashes but not salted hashes
Full_Name: Jonathan Price
Version: 2.4.40
OS: FreeBSD 10.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.47.105.54)


I have compiled version 2.4.40 with the SHA2 module enabled.

I then run the slappasswd with the following arguments:
slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
module-load=pw-sha2

This works successfully, and in this example I used the word "test" and it
produced the following output:

{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==

However, if I replace {SHA512} with {SSHA512} it produces the following output:
Password verification failed.

I have tested SHA256 SHA384 and SHA512. All three of these work fine. All three
of SSHA256, SSHA384 and SSHA512 do not work however. It appears that there is an
issue with slappasswd and salted SHA2 hashes.

I have checked that 2.4.40 is new enough to have a version of the SHA2 overlay,
and also checked the source to make sure it was definitely a new enough version,
and can confirm that it is.

Unfortunately, beyond this basic level of checking, I'm not a C programmer so I
can't investigate the issue further myself.

Followup 1

Date: Tue, 13 Jan 2015 11:01:12 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: freebsd@jonathanprice.org, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes but
 not salted hashes
--On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org 
wrote:

> Full_Name: Jonathan Price
> Version: 2.4.40
> OS: FreeBSD 10.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (80.47.105.54)
>
>
> I have compiled version 2.4.40 with the SHA2 module enabled.
>
> I then run the slappasswd with the following arguments:
> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
> module-load=pw-sha2

You requested a non salted hash -> SHA512

Did you try requesting a salted hash? -> SSHA512

Works fine for me, and I've been using it in production for quite some time.

[zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h '{SSHA512}' 
-o module-path=/opt/zimbra/openldap/sbin/openldap -o module-load=pw-sha2 -s 
test
{SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9


--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
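The two value formats being compared in this thread, as an added example that is not part of the ITS exchange or of OpenLDAP's pw-sha2 module: a small Python re-implementation of what slappasswd emits for `{SHA512}` and `{SSHA512}`, with a verifier. It assumes the layout the contrib pw-sha2 module uses (for the salted schemes, standard base64 of the raw digest followed by the salt, with an 8-byte salt); the `SALT_LEN` constant and the function names are this example's own. The two literal values quoted in the report (password "test") are embedded so they can be re-checked offline.

```python
"""Generate and verify OpenLDAP {SHA512}/{SSHA512}-style userPassword values.

Added example for ITS#8023; not code from OpenLDAP or the pw-sha2 module.
Assumed wire format (pw-sha2 layout):
  {SHA512}   base64( SHA-512(password) )
  {SSHA512}  base64( SHA-512(password || salt) || salt )   salt: 8 bytes
"""
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (digest constructor, salted?)
SCHEMES = {
    "{SHA256}": (hashlib.sha256, False),
    "{SHA384}": (hashlib.sha384, False),
    "{SHA512}": (hashlib.sha512, False),
    "{SSHA256}": (hashlib.sha256, True),
    "{SSHA384}": (hashlib.sha384, True),
    "{SSHA512}": (hashlib.sha512, True),
}
SALT_LEN = 8  # assumed pw-sha2 default salt length

# Values quoted in the ITS report, both produced from the password "test".
ITS_SHA512 = ("{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/"
              "1nsUNzLDBMxfqa2Ob1f1ACio/w==")
ITS_SSHA512 = ("{SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5"
               "Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9")


def make_hash(password, scheme="{SSHA512}", salt=None):
    """Return a '{SCHEME}base64' value; a fresh random salt is drawn if none given."""
    ctor, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if not salted:
        return scheme + base64.b64encode(ctor(pw).digest()).decode("ascii")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = ctor(pw + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(value):
    """Split '{SCHEME}blob' into (scheme, decoded bytes); reject unknown schemes."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    end = value.index("}") + 1
    scheme = value[:end].upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    return scheme, base64.b64decode(value[end:], validate=True)


def verify(password, stored):
    """Check a cleartext password against a stored value in constant time."""
    scheme, blob = split_scheme(stored)
    ctor, salted = SCHEMES[scheme]
    digest_len = ctor().digest_size
    if salted:
        # A salted value must carry bytes beyond the digest: the salt itself.
        # This is why relabelling an unsalted hash as {SSHA512} cannot verify.
        if len(blob) <= digest_len:
            return False
        digest, salt = blob[:digest_len], blob[digest_len:]
    else:
        if len(blob) != digest_len:
            return False
        digest, salt = blob, b""
    candidate = ctor(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("ITS {SHA512} value matches 'test':  ", verify("test", ITS_SHA512))
    print("ITS {SSHA512} value matches 'test': ", verify("test", ITS_SSHA512))
    fresh = make_hash("test")
    print(fresh, verify("test", fresh), verify("Test", fresh))
    # Followup 4's point: changing the prefix does not add a salt.
    relabelled = ITS_SHA512.replace("{SHA512}", "{SSHA512}", 1)
    print("relabelled unsalted hash verifies:", verify("test", relabelled))
```

Two salted `{SSHA512}` values for the same password never compare equal as strings, so comparison has to go through `verify()`, never through string equality. Note also that both commands quoted in the thread pass the secret with `-s test`, which leaves it in shell history and the process list; slappasswd's `-T file` reads the secret from a file instead.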



Followup 2

Date: Tue, 13 Jan 2015 19:11:55 +0000
From: Jonathan Price <freebsd@jonathanprice.org>
To: Quanah Gibson-Mount <quanah@zimbra.com>, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes but
 not salted hashes
Hi,

From the original email:
However, if I replace {SHA512} with {SSHA512} it produces the following 
output:
Password verification failed.

It's interesting to see that it does work under certain conditions then. 
It appears that your OpenLDAP installation is part of a Zimbra 
installation. Does Zimbra make any modifications to OpenLDAP, or is it 
just built on top of it?

Either way, I think I'm going to try it on Debian, just to rule out it 
being a FreeBSD issue, which it quite well could be at this point.

On 2015-01-13 19:01, Quanah Gibson-Mount wrote:
> --On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org
> wrote:
>
>> Full_Name: Jonathan Price
>> Version: 2.4.40
>> OS: FreeBSD 10.1
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (80.47.105.54)
>>
>>
>> I have compiled version 2.4.40 with the SHA2 module enabled.
>>
>> I then run the slappasswd with the following arguments:
>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2
>
> You requested a non salted hash -> SHA512
>
> Did you try requesting a salted hash? -> SSHA512
>
> Works fine for me, and I've been using it in production for quite some
> time.
>
> [zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h
> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
> module-load=pw-sha2 -s test
> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration



Followup 3

Date: Tue, 13 Jan 2015 11:13:05 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Jonathan Price <freebsd@jonathanprice.org>, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes but
 not salted hashes
--On Tuesday, January 13, 2015 7:11 PM +0000 Jonathan Price 
<freebsd@jonathanprice.org> wrote:

> Hi,
>
> From the original email:
> However, if I replace {SHA512} with {SSHA512} it produces the following
> output:
> Password verification failed.
>
> It's interesting to see that it does work under certain conditions then.
> It appears that your OpenLDAP installation is part of a Zimbra
> installation. Does Zimbra make any modifications to OpenLDAP, or is it
> just built on top of it?
>
> Either way, I think I'm going to try it on Debian, just to rule out it
> being a FreeBSD issue, which it quite well could be at this point.

We make a few modifications to OpenLDAP, but nothing affecting the pw-sha2 
module, which we use as-is.

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 4

Date: Tue, 13 Jan 2015 11:14:32 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Jonathan Price <freebsd@jonathanprice.org>, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes but
 not salted hashes
--On Tuesday, January 13, 2015 7:11 PM +0000 Jonathan Price 
<freebsd@jonathanprice.org> wrote:

> Hi,
>
> From the original email:
> However, if I replace {SHA512} with {SSHA512} it produces the following
> output:
> Password verification failed.

You also were not clear *where* you did this replacement.  It is certainly 
not valid to do this replacement on the generated hash, as the generated 
hash was non-salted, and just adding another S in there will not magically 
make it salted.  It is valid to do this replacement in the slappasswd line 
when generating a hash, as per my example, so that a salted hash is 
generated.

--Quanah


> It's interesting to see that it does work under certain conditions then.
> It appears that your OpenLDAP installation is part of a Zimbra
> installation. Does Zimbra make any modifications to OpenLDAP, or is it
> just built on top of it?
>
> Either way, I think I'm going to try it on Debian, just to rule out it
> being a FreeBSD issue, which it quite well could be at this point.
>
> On 2015-01-13 19:01, Quanah Gibson-Mount wrote:
>> --On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org
>> wrote:
>>
>>> Full_Name: Jonathan Price
>>> Version: 2.4.40
>>> OS: FreeBSD 10.1
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (80.47.105.54)
>>>
>>>
>>> I have compiled version 2.4.40 with the SHA2 module enabled.
>>>
>>> I then run the slappasswd with the following arguments:
>>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>>> module-load=pw-sha2
>>
>> You requested a non salted hash -> SHA512
>>
>> Did you try requesting a salted hash? -> SSHA512
>>
>> Works fine for me, and I've been using it in production for quite some
>> time.
>>
>> [zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h
>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>> module-load=pw-sha2 -s test
>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
>> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>
>>
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Platform Architect
>> Zimbra, Inc.
>> --------------------
>> Zimbra ::  the leader in open source messaging and collaboration



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 5

Date: Tue, 13 Jan 2015 19:24:41 +0000
From: Jonathan Price <freebsd@jonathanprice.org>
To: Quanah Gibson-Mount <quanah@zimbra.com>, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes but
 not salted hashes
I do apologise for the confusion, I'll try to clarify below:

Here is the command you ran successfully:
/opt/zimbra/openldap/sbin/slappasswd -h
'{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
module-load=pw-sha2 -s test
{SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9

Here is an example of me running just a plain SHA512
slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
module-load=pw-sha2
{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==

And here is an example of me running a salted SHA512 (SSHA512)
slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o 
module-load=pw-sha2 -s test
Password verification failed.

I hope this helps to clarify.

On 2015-01-13 19:14, Quanah Gibson-Mount wrote:
> --On Tuesday, January 13, 2015 7:11 PM +0000 Jonathan Price
> <freebsd@jonathanprice.org> wrote:
>
>> Hi,
>>
>> From the original email:
>> However, if I replace {SHA512} with {SSHA512} it produces the following
>> output:
>> Password verification failed.
>
> You also were not clear *where* you did this replacement.  It is
> certainly not valid to do this replacement on the generated hash, as the
> generated hash was non-salted, and just adding another S in there will
> not magically make it salted.  It is valid to do this replacement in the
> slappasswd line when generating a hash, as per my example, so that a
> salted hash is generated.
>
> --Quanah
>
>
>> It's interesting to see that it does work under certain conditions then.
>> It appears that your OpenLDAP installation is part of a Zimbra
>> installation. Does Zimbra make any modifications to OpenLDAP, or is it
>> just built on top of it?
>>
>> Either way, I think I'm going to try it on Debian, just to rule out it
>> being a FreeBSD issue, which it quite well could be at this point.
>>
>> On 2015-01-13 19:01, Quanah Gibson-Mount wrote:
>>> --On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org
>>> wrote:
>>>
>>>> Full_Name: Jonathan Price
>>>> Version: 2.4.40
>>>> OS: FreeBSD 10.1
>>>> URL: ftp://ftp.openldap.org/incoming/
>>>> Submission from: (NULL) (80.47.105.54)
>>>>
>>>>
>>>> I have compiled version 2.4.40 with the SHA2 module enabled.
>>>>
>>>> I then run the slappasswd with the following arguments:
>>>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>>>> module-load=pw-sha2
>>>
>>> You requested a non salted hash -> SHA512
>>>
>>> Did you try requesting a salted hash? -> SSHA512
>>>
>>> Works fine for me, and I've been using it in production for quite some
>>> time.
>>>
>>> [zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h
>>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>>> module-load=pw-sha2 -s test
>>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
>>> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>>
>>>
>>>
>>> --Quanah
>>>
>>> --
>>>
>>> Quanah Gibson-Mount
>>> Platform Architect
>>> Zimbra, Inc.
>>> --------------------
>>> Zimbra ::  the leader in open source messaging and collaboration
>
>
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration



Followup 6

Date: Tue, 13 Jan 2015 12:00:16 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Jonathan Price <freebsd@jonathanprice.org>, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes but
 not salted hashes
--On Tuesday, January 13, 2015 7:24 PM +0000 Jonathan Price 
<freebsd@jonathanprice.org> wrote:

> I do apologise for the confusion, I'll try to clarify below:
>
> Here is the command you ran successfully:
> /opt/zimbra/openldap/sbin/slappasswd -h
> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
> module-load=pw-sha2 -s test
> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>
> Here is an example of me running just a plain SHA512
> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
> module-load=pw-sha2
> {SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUN
> zLDBMxfqa2Ob1f1ACio/w==
>
> And here is an example of me running a salted SHA512 (SSHA512)
> slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o
> module-load=pw-sha2 -s test
> Password verification failed.
>
> I hope this helps to clarify.

Yes, thank you.  So I'm using 2.4.39.  There were some minor changes to 
slapd-sha2 in 2.4.40.  I will see if I can reproduce the issue with current 
RE24.


--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 7

Date: Wed, 14 Jan 2015 11:00:32 +0000
From: freebsd@jonathanprice.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes
 but  not salted hashes
To: "Quanah Gibson-Mount" <quanah@zimbra.com>, openldap-its@openldap.org
Hi,

I tried 2.4.39 under FreeBSD and still had the same issue.

I have also tried the packages for both CentOS 7 and Debian Wheezy, but unfortunately neither of them include the SHA2 overlay by default.

Finally, I tried installing zimbra-core and zimbra-ldap under CentOS. When I used this installation, it worked successfully.

I ran slapd -V on the zimbra installation, and it's 2.4.39. However, based on it still not working on 2.4.39 on FreeBSD it appears to have narrowed it down to two reasons:
- An issue with the packaging under FreeBSD
- The functionality is specific to Zimbra

The next step in the process to narrow this down is to do a manual compilation on CentOS, including the SHA2 overlay. If this works, then it would confirm it to be a FreeBSD issue, and if it doesn't work that would strongly suggest that Zimbra has modified something.

Thanks for the assistance so far,

-Jonathan

January 13 2015 8:00 PM, "Quanah Gibson-Mount" <quanah@zimbra.com> wrote:
> --On Tuesday, January 13, 2015 7:24 PM +0000 Jonathan Price
> <freebsd@jonathanprice.org> wrote:
>
>> I do apologise for the confusion, I'll try to clarify below:
>>
>> Here is the command you ran successfully:
>> /opt/zimbra/openldap/sbin/slappasswd -h
>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>> module-load=pw-sha2 -s test
>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
>> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>
>> Here is an example of me running just a plain SHA512
>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2
>> {SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUN
>> zLDBMxfqa2Ob1f1ACio/w==
>>
>> And here is an example of me running a salted SHA512 (SSHA512)
>> slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2 -s test
>> Password verification failed.
>>
>> I hope this helps to clarify.
>
> Yes, thank you. So I'm using 2.4.39. There were some minor changes to
> slapd-sha2 in 2.4.40. I will see if I can reproduce the issue with current
> RE24.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> _______________________________
>
> Zimbra :: the leader in open source messaging and collaboration



Followup 8

Date: Wed, 14 Jan 2015 08:31:13 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: freebsd@jonathanprice.org, openldap-its@openldap.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes but
  not salted hashes
--On Wednesday, January 14, 2015 11:00 AM +0000 freebsd@jonathanprice.org 
wrote:

> Hi,
>
> I tried 2.4.39 under FreeBSD and still had the same issue.
>
> I have also tried the packages for both CentOS 7 and Debian Wheezy, but
> unfortunately neither of them include the SHA2 overlay by default.
>
> Finally, I tried installing zimbra-core and zimbra-ldap under CentOS.
> When I used this installation, it worked successfully.
>
> I ran slapd -V on the zimbra installation, and it's 2.4.39. However,
> based on it still not working on 2.4.39 on FreeBSD it appears to have
> narrowed it down to two reasons: - An issue with the packaging under
> FreeBSD
> - The functionality is specific to Zimbra
>
> The next step in the process to narrow this down is to do a manual
> compilation on CentOS, including the SHA2 overlay. If this works, then it
> would confirm it to be a FreeBSD issue, and if it doesn't work that would
> strongly suggest that Zimbra has modified something.

You could simply grab the LTB project builds.  I'm pretty sure they build 
out the contrib modules.

In any case, I already noted that Zimbra doesn't patch anything in OpenLDAP 
that would affect this area.

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 9

Date: Thu, 22 Jan 2015 14:25:04 +0000
From: freebsd@jonathanprice.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes
 but   not salted hashes
To: "Quanah Gibson-Mount" <quanah@zimbra.com>, openldap-its@openldap.org
Sorry for the slow response, but I have made some progress with the issue.

(as an aside, I installed a build from LTB, and unfortunately it does not
contain this overlay)

I have detailed my findings (including some trawling through the source)
over on the FreeBSD bug tracker, as I suspect it could well be a platform
related issue. Nonetheless, it might be worth reading:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197004

January 14 2015 4:31 PM, "Quanah Gibson-Mount" <quanah@zimbra.com> wrote:
> --On Wednesday, January 14, 2015 11:00 AM +0000 freebsd@jonathanprice.org
> wrote:
>
>> Hi,
>>
>> I tried 2.4.39 under FreeBSD and still had the same issue.
>>
>> I have also tried the packages for both CentOS 7 and Debian Wheezy, but
>> unfortunately neither of them include the SHA2 overlay by default.
>>
>> Finally, I tried installing zimbra-core and zimbra-ldap under CentOS.
>> When I used this installation, it worked successfully.
>>
>> I ran slapd -V on the zimbra installation, and it's 2.4.39. However,
>> based on it still not working on 2.4.39 on FreeBSD it appears to have
>> narrowed it down to two reasons: - An issue with the packaging under
>> FreeBSD
>> - The functionality is specific to Zimbra
>>
>> The next step in the process to narrow this down is to do a manual
>> compilation on CentOS, including the SHA2 overlay. If this works, then it
>> would confirm it to be a FreeBSD issue, and if it doesn't work that would
>> strongly suggest that Zimbra has modified something.
>
> You could simply grab the LTB project builds. I'm pretty sure they build
> out the contrib modules.
>
> In any case, I already noted that Zimbra doesn't patch anything in OpenLDAP
> that would affect this area.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> _______________________________
>
> Zimbra :: the leader in open source messaging and collaboration



Followup 10

Date: Thu, 22 Jan 2015 17:09:06 +0000
From: Howard Chu <hyc@symas.com>
To: quanah@zimbra.com, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate
 hashes but not salted hashes
quanah@zimbra.com wrote:
> --On Tuesday, January 13, 2015 7:24 PM +0000 Jonathan Price
> <freebsd@jonathanprice.org> wrote:
>
>> I do apologise for the confusion, I'll try to clarify below:
>>
>> Here is the command you ran successfully:
>> /opt/zimbra/openldap/sbin/slappasswd -h
>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>> module-load=pw-sha2 -s test
>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5
>> Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>
>> Here is an example of me running just a plain SHA512
>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2
>> {SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUN
>> zLDBMxfqa2Ob1f1ACio/w==
>>
>> And here is an example of me running a salted SHA512 (SSHA512)
>> slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o
>> module-load=pw-sha2 -s test
>> Password verification failed.
>>
>> I hope this helps to clarify.
>
> Yes, thank you.  So I'm using 2.4.39.  There were some minor changes to
> slapd-sha2 in 2.4.40.  I will see if I can reproduce the issue with current
> RE24.

I have a FreeBSD 9 VM here with 2.4.40 installed from ports. Both SHA512 
and SSHA512 work fine on it. Doesn't look to me like there's any 
OpenLDAP bug here, this is one for the FreeBSD folks to sort out.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 11

Date: Wed, 28 Jan 2015 11:38:23 +0000
From: freebsd@jonathanprice.org
Subject: Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes 
 but   not salted hashes
To: "Quanah Gibson-Mount" <quanah@zimbra.com>, openldap-its@openldap.org
I have now made progress in narrowing down the cause further.

I have noticed that it is a regression between FreeBSD 9.x -> FreeBSD 10.x. For this reason, I will move any updates on this to the FreeBSD bug tracker, rather than the OpenLDAP one, as the bug is platform specific.

Future news will be posted here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197004

Thank you for your time,

-Jonathan

January 22 2015 2:25 PM, freebsd@jonathanprice.org wrote:
> Sorry for the slow response, but I have made some progress with the issue.
>
> (as an aside, I installed a build from LTB, and unfortunately it does not
> contain this overlay)
>
> I have detailed my findings (including some trawling through the source)
> over on the FreeBSD bug tracker, as I suspect it could well be a platform
> related issue. Nonetheless, it might be worth reading:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197004
>
> January 14 2015 4:31 PM, "Quanah Gibson-Mount" <quanah@zimbra.com> wrote:
>
>> --On Wednesday, January 14, 2015 11:00 AM +0000 freebsd@jonathanprice.org
>> wrote:
>>
>>> Hi,
>>>
>>> I tried 2.4.39 under FreeBSD and still had the same issue.
>>>
>>> I have also tried the packages for both CentOS 7 and Debian Wheezy, but
>>> unfortunately neither of them include the SHA2 overlay by default.
>>>
>>> Finally, I tried installing zimbra-core and zimbra-ldap under CentOS.
>>> When I used this installation, it worked successfully.
>>>
>>> I ran slapd -V on the zimbra installation, and it's 2.4.39. However,
>>> based on it still not working on 2.4.39 on FreeBSD it appears to have
>>> narrowed it down to two reasons: - An issue with the packaging under
>>> FreeBSD
>>> - The functionality is specific to Zimbra
>>>
>>> The next step in the process to narrow this down is to do a manual
>>> compilation on CentOS, including the SHA2 overlay. If this works, then it
>>> would confirm it to be a FreeBSD issue, and if it doesn't work that would
>>> strongly suggest that Zimbra has modified something.
>>
>> You could simply grab the LTB project builds. I'm pretty sure they build
>> out the contrib modules.
>>
>> In any case, I already noted that Zimbra doesn't patch anything in OpenLDAP
>> that would affect this area.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Platform Architect
>> Zimbra, Inc.
>> _______________________________
>>
>> Zimbra :: the leader in open source messaging and collaboration


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org